2023 Goals for CIAM Leaders – Enable Business with Security, Not Cause Friction

How customers interact with your business is critical—it can spur customer engagement or lead to customer churn. In the physical world, those interactions may happen at a counter with a salesperson. But in cloud computing, mobile applications, and eCommerce, it starts with digital access.

For consumers, websites and mobile apps are often the entry points for their business and social activities. Those entry points must be secure to prevent account hijacking and fraud. However, they must achieve those goals without creating hurdles that hamper user adoption. Organizations are turning to Customer Identity and Access Management (CIAM) solutions to meet this challenge.

Balancing user experience and security

It is an old IT problem—making security an enabler of the business rather than a source of friction. From single sign-on to MFA, in 2023, solving the privacy, security, and user experience issues around customer identities will be a critical priority for digitized businesses.

Historically, when it comes to managing customer identities, those concerned with user experience and those focused on secure login, are the two divided camps. There is an inherent push-pull here—implementing security mechanisms creates friction, and too much friction can turn customers away. For sales teams and others, the urge to loosen security to improve ease of use will always exist.

A new balance needs to be struck, and security teams must collaborate effectively with different stakeholders than those involved with employee IAM. Rather than Human Resources, for example, they may work with the marketing and customer support teams. As a result, the conversations around the project will also be different. Instead of detailed discussions about job roles and segregation of duties, the focus is more likely to be on supporting various types of devices. The goal is to make the authentication process as simple as possible.

Understanding the Type of MFA that fits your need

A focal point of these discussions often turns to multifactor authentication (MFA). While passwords are still ubiquitous, there is a growing awareness that more is needed. However, another question soon emerges: what type of MFA should our organization implement? MFA should involve something you know, such as a password, and something you have, like a fingerprint or a secure challenge to a mobile device. Both factors should be from different categories.

It may be tempting to rely on email or SMS as a second factor, as it is easy to use and set up, but it could be more attractive from a security perspective. Email accounts may be poorly protected, and message routing can be intercepted. SMS is also prone to attacks like SIM hijacking or SMS fatigue. NIST recommends neither method of MFA being effective and steps to move away from these approaches. It is necessary to find a technique for MFA that doesn’t require an IT consultant to be present at your customer’s device to set it up.

This tension between usability and security forces organizations to look for two-factor approaches which improve security posture without sacrificing seamless experience. Biometrics is one answer. Although many organizations leverage the native capabilities of the device, using it to capture the user’s fingerprint, for example, and then using it to unlock the necessary credentials. Another approach is the introduction of end-to-end flows that work with the upfront validation of the user. Here, the user leverages MFA as part of the registration process so that the initial verification of the user also involves MFA. This strategy serves to augment the use of MFA when the user logs into a service by providing an extra layer of proof of their identity.

Take, for example, a user that attempts to register for a service for the first time and is asked for their driver’s license to verify they are whom they say they are. The photo on the driver’s license can then be compared to a selfie provided by the user. A service provider can even take it a step further and perform a liveness check by prompting the user to turn their head or smile.

Device characteristics are also used to verify identity. However, these capabilities often need to be more mature. Basic capabilities can lead to mistakes, such as misidentifying a device as new simply because of its own downloaded software update for a web browser. An additional layer of friction has been added unnecessarily. A similar situation would be if the device uses a different IP address and is therefore unrecognized.

Align CIAM program with customer experience

No matter what approach organizations take towards CIAM, it will require a strategy that sacrifices as little security as possible and encourages user engagement. Your CIAM program should be in sync with your business objectives for customer experience. At Simeio, we help organizations reach their goals by providing CIAM as a managed service on the Simeio Identity Orchestrator platform.

While discussions about identity management are typically centered on employees, failing to protect consumers’ identities can be just as damaging to a business. Providing a user experience that is seamless and secure is one New Year’s resolution that enterprise leaders should prioritize in the coming year.

~ Roland Davis, Director, CIAM, Simeio