What Brands Get Wrong About Customer AuthenticationNelson Melo on the 4 Elements of Getting Customer Authentication Right
Customer authentication. Doing it right builds brand loyalty and trust and moves the needle forward in terms of revenue. Doing it wrong? Well, that’s expensive. Security is integrally linked to business revenue, and the need to build brand trust and customer loyalty for growth and retention cannot be overstated.
Customers want to know that their data is safe, but they don’t want to jump through hoops to make that happen. In their opinion, the burden of effective security falls on the organization. It’s time to shift the focus. Product, security and identity professionals must think outside the box and work together on a solution that gets rid of passwords, implements phishing-resistant MFA and focuses on frictionless continuous authentication.
Focus on these four elements of customer authentication, and your brand will be the one that gets it right.
Passwords have long been the primary method of customer authentication. The problem is that passwords are:
- Easily phished or stolen;
- Often forgotten, leading to lost sales due to difficult password resets.
If you are using passwords as part of your authentication process, it’s time to look at passwordless, phishing-resistant solutions.
2. Choose the Right MFA
The U.S. government, CISA, the FTC and the New York Department of Financial Services all recommend or require organizations to use phishing-resistant MFA. And for good reason - phishing attacks are a costly plague.
It can be hard to keep up with which factors are phishable and which are not. Think of it this way: Anything that is stored outside the device, such as a password, or is ever in transit, such as a text message or one-time password, can be phished. Things that never leave the device, such as cryptographic keys or your body measurements - biometrics, cannot.
3. Security Is Expensive
When comparing friction for customers with security accounts and practical security needs, one of the main challenges is convincing the revenue side of a business of the need for best practice from a security standpoint. Cybersecurity teams must demonstrate that the financial risks of not putting security in place - i.e., fraud, account takeover, reputation loss, regulatory fines, lawsuits, etc. - overwhelm the loss of revenue and abandonment of transactions on the other side. There are always costs associated with security systems, but comparing the costs associated with fraud to those of implementing new security measures will justify the purchase.
4. Finding the Sweet Spot
There is a fine balance between having effective security and operating a business. Customers quickly become frustrated by jumping through hoops to log in, and the password route is unsustainable. It’s time to look at the relationship between security and authentication and develop solutions for both. Taking authentication to the next level requires thinking outside the box.
If you want to implement an authentication strategy that doesn’t drive away customers, you need to make customer experience the focal point.
Adaptively adjust your authentication solutions based on user context. The important part of your security system is building in the ability to intervene when needed. Start by lifting the burden of authentication off of users and focusing on strong authentication using digital cryptographic keys.
Authenticate the user based on the device they are using. They won’t require stronger security, such as phishing-resistant MFA, until they make changes to personal details or make large transactions that warrant additional security. If your business is seen as protecting what is valuable to the customer, the extra steps are accepted and appreciated.
Provide your customers with transparent access to and control of their security. Empower your customers to manage their own digital security - the permissions they have and their trusted devices. Help them by regularly reminding them to check their security and trusted devices with easily dismissible alerts.
Beyond Identity provides passwordless, phishing-resistant authentication that protects you from phishing and password-based attacks. Our MFA only uses secure, phishing-resistant factors that protect your critical data and resources from threats.