Authenticating your customers: the tripartite of consumer authentication

Security vs usability vs consumer attitude – who will win?

door locks
smlp.co.uk (CC BY 2.0)

The recent Deloitte breach was yet another in a long line of data exposures that have their origin in authentication issues. In the case of Deloitte, the hackers gained access to Deloitte’s email system, putting clients emails, including potentially sensitive content and attachments, at risk of exposure. The Deloitte hack has reportedly been attributed to the lack of second-factor authentication (2FA). According to sources for The Guardian newspaper, the attack was perpetrated via a stolen Admin password. In other words, the authentication measures used were well-below par.

This isn’t the first time that poor authentication of privileged accounts has been behind some of the world’s mega-hacks. The Target Corp. hack of 2013, was initiated by spear phished credentials of a supply chain company who had privileged access to Target Corp. servers.

But it isn’t just administrators who the cyber criminals focus on, consumers are, as always, in the sights of the hacker. According to the Anti-Phishing Working Group (APWG) in their last report for Q4 2016, they found a 65% increase in phishing attacks against the previous year; retail and finance being the most targeted sectors.

Login credentials are like diamonds in a James Bond movie to cybercriminals. Only they seem to be far easier to get at.

Challenges of authentication

The problem of authentication is multi-faceted. Although slightly less so for administrators. At least with an administrator, a company can set out a security policy that promotes and enforces the use of other factors of authentication, including risk-based such as only allow access within the bounds of the corporate IP address. With consumers, it’s a little bit more complicated.

A good example is in the development of banking apps. Juniper Research predicts that, globally, 1 in 3 adults will use mobile banking by 2021. To use these apps, the user will have to login to them of course. Fine you think. Users of such apps have to sign in to their mobile device first, then login to the banking app as well - that should be enough shouldn’t it?

Turns out, according to research by Accenture, 43% of users don’t use a passcode to control access to their mobile device. Just to compound matters, mobile banking Trojans like Faketoken, are being built to not only dupe mobile banking customers with fake interfaces but to then steal their SMS code for second-factor login. Yes, authentication has many challenges.

Security vs usability vs consumer attitudes: the collision of variables

We have to overcome the authentication hurdle to win the battle against the theft of personal data and identity. As I mentioned in a previous post, consumer identity is becoming increasingly used by enterprises across all sectors. Authentication of consumers has three main factors that have to be balanced - creating an authentication policy for your customer base needs to bear this tripartite in mind:

Security

To protect user access, and subsequently their identity data, you need to develop a robust authentication policy. This will pivot upon the other two factors. So you can’t just batten down the hatches and expect your system to be usable or in fact used. You have to be ‘security smart’. Use techniques such adaptive authentication which applies security rules such as geo-velocity.

Usability

This can sometimes seem like the evil twin of security. In my experience, the harder the authentication security is set, the more likely a user will find ways to either not use it or circumvent it. The whole strong password concept being one such example; the stronger the password, the more likely a user is to write it down. And strong passwords don’t prevent phishing. FIDO offers possibilities in providing improved usability.

Consumer attitude

Consumers don’t like second-factor authentication. We know this instinctively, but a survey by SecureAuth showed this to be true when 74% of respondents told them that they had customer complaints when applying it. Consumer identity systems need to be cognizant of consumer attitudes - designing them to work with, not against, your customer base will reap rewards in terms of loyalty and reputation.

There are a lot of things to consider when designing a system that balances the tripartite of consumer authentication. The eternal question of can we find something to replace passwords is almost beside the point. After all, we have plenty of options in terms of authentication choices:

  • First-factor includes not just passwords, but OpenID Connect and OAuth 2.0 which have given us more choice in using federated sign in for first-factor.
  • Other factors include SMS code, mobile app code (TOTP), memorable word, various biometrics, and even just the simple process of downloading codes.
  • There are also several options for deploying authentication and 2FA solutions, from full-blown enterprise solutions to lightweight services like Incapsula’s WAF, which recently announced “one click 2FA”, instant two-factor authentication for an entire website.

Profiling users for smart authentication choices

The crux of all of this, is not what you’ve got, but how you use it. Smart authentication choices means understanding your audience and engaging them in the choices. You can do a lot with rules around location awareness for example. And more advanced options, like continuous behavioral analysis, can up the ante in terms of security, whilst building in usability options such as suppressing factors if the behavior fits the profile.

Build great customer identity access management systems, means ensuring that authentication is not an afterthought. Authentication needs to an integral part of the design and fits the profile of your customers. Having a choice in the matter, both in what you can offer as credential options, and how those options are used, is the way to ensure not only that your customers use your service, but that it protects their personal data.

This article is published as part of the IDG Contributor Network. Want to Join?

New! Download the State of Cybercrime 2017 report