Balancing CX and security

by Mark Rowe

An organisation, by its nature, must be accessible to be successful. It has to be customer facing, and to reach both current and future customers it has to have a strong online presence. This entails many things, including online portals for customer access, user accounts and, crucially, identification processes, writes Andy Cory, Identity Management Services lead at KCOM.

Today, most organisations face the same challenge. How do they balance a smooth, satisfying customer experience with the impregnable security consumers and law-makers now expect? Too far in either direction and you risk losing customers. Too much user input and customers become frustrated and may stop using your service; too little and you leave them vulnerable and increase the chances of a data breach. Yet organisations need not compromise. Identity and access management (IAM) does not have to be a coin toss of angry customers or lax security. Knowing the customer and having the capability to view them as a single digital identity is key to creating an authorisation system that is secure without spoiling their journey.

Guess who

Many IAM procedures are not fit for purpose. They provide neither the security that businesses need nor the convenience customers desire. Indeed, between 80 and 90 per cent of login attempts on retailer websites are from hackers using compromised credentials. Yet the majority of UK and US consumers are frustrated by security measures and 77 per cent see them as unnecessarily complicated. The open, unsecure nature of the internet and social media is a challenge that obliges companies to take a new path. The simple purpose of customer identification is to find out who the user is and if they are who they claim to be. Usually, this is done by forcing them through one or more identification procedures – normally requesting an account name and password, sometimes followed by a series of security questions.

It is likely that anyone who has ever accessed a company portal has at least once been frustrated by the process and the number of times they have had to go through it. While it is a necessary part of business, customer authentication forms a literal barrier between the user and the services they want. By its nature, this sours the customer experience, and the user only loses more time and patience should they forget a password or become locked out of the system by accident. However, while a heavy-handed approach to IAM may give the impression of security, the reality is more troubling. Several-stage authentication may look like a secure gateway, but there are many points of access for a resourceful cybercriminal.

More often than not, the weakness of this model lies with the customer. A company can mandate all the passwords it wants, but it cannot force customers to keep them secret. While consumers value security, they often lack the awareness to know when they have compromised their own. Customers write down passwords to help them remember and broadcast personal information daily across multiple social media channels. A child or pet’s name, or a parent’s date of birth, may feel like personal information, but a cybercriminal can find these out after only a few minutes on the internet.

While a customer’s security weakness does not help, a weak authentication system is a company’s problem as well as its responsibility. If a business cannot provide easy access to its services or a secure sign-in process for its customers, it only has itself to blame when its users desert.

Fortunately, there is a way to achieve the best of both worlds. If customers grumble at sign-in procedures and cannot be depended on to keep their security information safe, then the process can and should be removed. This is not to recommend that IAM be taken out of the equation, only that the legwork is transferred from the customer to the business – organisations need to make the process simple and time efficient for their customers.

Frictionless customer authentication – where users can access online services with zero input into the identification process – is no longer an ideal. With certain technologies, it has already been achieved. Geo-location and geo-velocity checking allow companies to trace a user’s physical location and how far they have travelled since their last login. Taken together, they verify if the user is who they claim to be and make any manual input from the customer unnecessary.

Through geo-location and geo-velocity checking, a company gives its sign-in procedures common sense. Technology can answer any authentication question a business could ask of a customer, so why not let it? By not giving the customer any inputs during the IAM process, you deliver on the promise of effortless customer access. So long as companies take steps to inform users what is happening, they will also satisfy consumer requirements for security.
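As an illustration of the geo-velocity check described above (an added example, not code from KCOM or any product), the sketch below compares each login with the previous one and asks for extra verification only when the implied travel speed is implausible. The speed ceiling, the distance tolerance, the `step_up` outcome and the sample coordinates are assumptions chosen for the example.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0   # assumed ceiling: roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0  # assumed tolerance for IP-geolocation error

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def assess_login(previous, current):
    """Return 'allow' (no user input) or 'step_up' (ask for more proof).

    Each login is a dict with 'time' (datetime), 'lat' and 'lon'.
    """
    if previous is None:
        return "step_up"  # no history yet, so there is nothing to compare
    dist = haversine_km(previous["lat"], previous["lon"],
                        current["lat"], current["lon"])
    if dist < MIN_DISTANCE_KM:
        return "allow"    # same area once geolocation noise is allowed for
    hours = (current["time"] - previous["time"]).total_seconds() / 3600
    if hours <= 0:
        return "step_up"  # distant logins at the same instant or out of order
    return "allow" if dist / hours <= MAX_SPEED_KMH else "step_up"

# Constructed sample logins (city-centre coordinates, invented timestamps).
LONDON = {"time": datetime(2024, 1, 8, 9, 0), "lat": 51.5074, "lon": -0.1278}
HULL = {"time": datetime(2024, 1, 8, 12, 0), "lat": 53.7457, "lon": -0.3367}
SYDNEY_2H = {"time": datetime(2024, 1, 8, 11, 0), "lat": -33.8688, "lon": 151.2093}
SYDNEY_24H = {"time": datetime(2024, 1, 9, 9, 0), "lat": -33.8688, "lon": 151.2093}

def demo():
    """Decisions for the constructed logins, each compared with LONDON."""
    return [assess_login(LONDON, nxt) for nxt in (HULL, SYDNEY_2H, SYDNEY_24H)]

if __name__ == "__main__":
    print(demo())
```

A plausible speed is not proof of identity: a login relayed through a proxy or VPN near the customer passes this check, so it works as one signal among several.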

Yet, the technology behind frictionless ID management does not work in a vacuum. The company must ensure it has the systems in place to collect customer data from every interaction and consolidate it into a single customer identity. Users expect consistency in their brand experience, even if they access it on a number of separate devices. Creating a single digital identity for customers, recognised regardless of device, makes this possible.

It used to be said that the customer is always right. Now, the customer is everything. Used correctly, IAM can provide such an unexpectedly smooth process for customers that it can be seen as an added benefit of being a customer. By achieving a single, consolidated and consistent view of data across all channels, companies can provide a truly frictionless and secure customer experience across all of them. They will reduce customer frustration at having to jump through multiple access hoops and improve the customer experience, all while guaranteeing security.

© 2024 Professional Security Magazine. All rights reserved.