Strong Authentication and Digital Transformation

24 Oct Strong Authentication and Digital Transformation

The larger concept, digital transformation, that encompasses digital business, online services, mobile apps, multi- or omni-channel solutions, IoT, require strong customer authentication to succeed. If it is not already become obvious to you – you should avoid deploying weak identities, especially if you store confidential data about your users. I’m of course talking about password based identities that the developers bolted onto your new shiny digital business process as an afterthought. Ok, I’m being a bit mean here, but unfortunately events lately have shown us how companies have missed their mark completely when it comes to preserving the trust of their customers. Granted, it’s not about weak customer identities only, the breaches that reach the headlines are a symptom of something larger within the enterprise that just got hacked. However, you must also ask the question; how does strong authentication and digital transformation affect employees – those who are appointed to safeguard the customer data?

We asked and digital service providers answered

As a first question in survey we conducted in August we presented the participants a claim that the importance of strong customer authentication will grow. An overwhelming 97% of the responses either completely or somewhat agreed. Notable was the complete lack of disagreement. Strong authentication and digital transformation go hand in hand is what the organisations surveyed wanted to say.

Most of our customers have already embraced strong customer authentication, and the rest are following suit. But it’s worth noting that it’s not a binary situation; strong authentication or nothing at all. To convert visitors and allow existing customer access certain information our customers have a layered approach into authentication.

Appropriate Authentication

Not all things are created equal – in the world of data at least. If we consider the customer of a digital service, there are several bits of information that the service stores about the customer. Some of those bits are trivial and almost public in nature, or of the nature that it would not hurt the customer too much of they would be exposed. Other bits on the other hand are sensitive. If the digital service is a healthcare online portal where all health related data is stored and it would be exposed – it would be a big (bad) deal. Another example, albeit a much darker one, is the Ashley Madison breach a while back. In this particular breach almost all of the bits were ultra sensitive. In a “normal” breach first name / last name leak would be bypassed with a shrug “So what – now the world knows that I’m a customer of scifibooks.com”. Not so with a service such as Ashley Madison. These bits required iron clad protection from both external and internal threats.

When you are running a digital service, you must know what kind of data you are storing about your customers. When you know what you are collecting, you can create appropriate security mechanisms to protect that data. It also helps if you at some point consider the nature of your service and which bits need Fort Knox level protection.

You don’t have to go all gung-ho for the ultimate X-factor authentication solution with DNA analysis, iris scan, hair follicle typing, all combined with behaviour analytics. You can layer your security so that the protection mechanism is appropriate to the data behind it. This is what some of our customers are currently doing – and reaping the benefits. Easy access to semi-confidential information and then stronger mechanisms to access more sensitive data, modify the data or conduct transactions.

One of the prime examples of this layered approach is our customer S-group, a large retail chain operating in Scandinavia, Baltics and Russia. They support both weak and strong security mechanisms. Users can access their information with their password or social media identities (once it has been linked to their account within the S-group), or using a strong 2-factor authentication issued by a bank or a mobile network operator – both of which are approved by the government as a valid citizen digital identity.

Where to get that strong identity?

Coming back to the almost unanimous (97% remember) agreement of the respondents on strong authentication and digital transformation, your next question should be: Where do my customers get that? One option is that you yourself deploy a strong digital identity to your customers. But should you? Strong (trustworthy) digital identity requires vetting. When issuing the identity you must make sure that the attributes are true. Otherwise you’ll be issuing a strong digital identity to Donald Duck. The authentication mechanisms themselves are straightforward to deploy, any Customer IAM solution worth its salt can do that (but when selecting a CIAM solution, make sure it does support this).

The easier alternative would be to allow the customer use an identity they already possess. This is possible through something called federation, where the issuer of the strong identity is trusted by your service. When the customers want to access your service, they can do so by using the digital identity issued by this trusted third party. And guess what – your customers will be happy. You can allow them to register to your service using this third party identity and when they return, login using the same identity. No more passwords for them to remember and (potentially) for you to “misplace”.

Global and national initiatives and programs are bringing strong customers identities within easy reach. The GSMA has launched a global initiative called Mobile Connect, where mobile network operators can issue digital identities to their own subscribers and these identities can be used globally. In Europe the eIDAS regulation is finally starting to take hold and allows cross-border government digital services to the citizens of EU, and hopefully soon also including private sector digital services. On a national level federation networks are being formed either through local legislation or commercial cooperation between identity issuers (banks, MNOs) and digital services that need them.

Customer Identity and Access Management is a technology that is a basic building block of strong authentication and digital transformation. Contact us now if you want to learn how we can bolster your security posture.

Read the related press release here