Every enterprise must balance its need for strong authentication against a frictionless user login process. There is a fine line between maintaining a strong security posture for user accounts and ensuring a positive user experience, especially since people are critical to maintaining that posture.
Strong authentication will always have some impact on user experience and productivity. With the range of authentication methods now available, however, an organization can manage how significant that impact is for the user and find the most secure balance.
Different strong authentication methods yield very different user experiences. Cyber Security Hub hosted a webinar on the subject to discuss differing business requirements and user audiences, and to help you understand what works best for your organization, your customers, and your employees.
See Related: Implementing Strong Authentication Does Not Guarantee An Excellent User Experience
Two guest panelists provided their perspective and experience on searching for this security and UX equilibrium.
- The online shop The Grommet showcases innovative products designed by inventors and small businesses. With 22 million unique users per year who browse, shop, and buy goods, user authentication and user data security are a big deal, according to VP of Engineering Dave Swift. The challenge is finding the balance between protecting data and keeping the site easy to use.
- Global food manufacturer OSI Global not only has to protect its sensitive company and employee data from cyber-attacks; its international relationships also require integration with suppliers from all over the world. With the growth in data privacy regulation, Global CISO Michael Welch and his security team must also navigate GDPR and upcoming legislation to ensure data privacy compliance.
Cyber-Attacks Complicating A Frictionless User Experience
For a global manufacturing organization such as OSI Group, the cloud has increased the complexity of information security. More employees are remote, located outside the traditional security perimeter, and suppliers connect over VPN. Because cloud services are reachable by everybody, CISO Welch finds phishing and brute-force attacks to be the focal points related to authentication.
An e-commerce site lives and dies on its ability to perform transactions. The Grommet’s Swift said that fraud is always a threat, and Account Take-Over (ATO) is a newer threat vector for e-commerce. Storing payment cards in a user account is convenient for returning users, but it also means that a bad actor who takes over the account gets access to those cards.
See Related: Assessing The Risk Of Account Takeover Fraud
Observations From Varying Authentication Approaches
When protecting customer and employee data, a core authentication concern is who has access to which information. Customer data includes intellectual property (IP) such as recipes and formulas for food products. Global organizations must also meet the requirements of data privacy regulation. OSI Group’s Welch suggests asking yourself four questions: What are your assets? What are your applications? What resides on-premises? And what resides in the cloud? This mapping gives you a roadmap for what needs to be protected in your organization. Beyond this, look further into user privileges and provide a layer of both proactive and reactive security.
Welch further advocated for more user awareness about passwords. He noted that research at NIST suggested that the common IT practice of forcing employees to change passwords monthly may contribute to weaker password choices. The research asked organizations instead to consider longer (12-14 character) passwords, which increase complexity, while extending the period before users must reset them.
The Grommet offered two approaches to combat privacy and fraud issues. For fraud, Dave Swift recommended assessing orders as they come in. Also, as a customer logs in, the company checks the credentials against known usernames and passwords from hacked accounts using tools from Enzoic. If a compromised account is found, The Grommet deletes payment card-related data from its site. This proactive approach removes the concern that credential stuffing can occur, or, if it does, ensures attackers cannot make purchases using its customers’ credentials.
Strengthening Authentication Without Asking Too Much Of Humans
Technology alone cannot solve the problems security teams face today; education and awareness are essential components. The presenters made a simple request: don’t assume that user behavior around passwords, whether of employees or end-user customers, will change. Security teams must reduce or entirely remove the roadblocks to adoption, and provide best practices to users without creating a new “ask.”
When storing personal information, only accept the risk that matches the strength of the authentication in place. If weaker authentication is used, do not allow payment card information to be stored; only the strongest authentication should allow payment data to be saved within the account.
The Grommet uses OAuth-based sign-in from Google and Facebook because of the brand trust these providers have. In addition to removing the need for yet another password, this delivers a consistent user experience across desktop and mobile interfaces. Even Apple has entered the third-party authentication space with its recently announced “Sign In With Apple” single sign-on program.
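The three practices described above (longer passwords instead of forced monthly rotation, a compromised-credential check at login that purges stored payment data, and tying card storage to authentication strength) fit together into one login flow. The following is an added example written for this article; it is not code from The Grommet, OSI Group or the webinar. The breach corpus, user records, hashing scheme and the three authentication tiers are constructed for illustration, and the lookup against the local set stands in for a call to a breach-intelligence service, whose API is not reproduced here.

```python
"""Constructed example: NIST-style password policy, compromised-credential
check at login with payment-data purge, and card storage gated on auth tier."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional, Tuple

MIN_PASSWORD_LENGTH = 12  # lower end of the 12-14 character guidance cited above


class AuthStrength(IntEnum):
    """Assumed tiers; the article only distinguishes 'weaker' from 'strongest'."""
    PASSWORD_ONLY = 1
    PASSWORD_PLUS_OTP = 2
    PHISHING_RESISTANT = 3  # e.g. hardware-backed second factor


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    auth_strength: AuthStrength
    stored_card_token: Optional[str] = None   # opaque token from a payment provider
    events: List[str] = field(default_factory=list)
    # Deliberately no password_expires_at: a reset is forced only on evidence
    # of compromise, not on a calendar schedule.


def meets_password_policy(password: str) -> Tuple[bool, str]:
    """Length-based rule; composition rules and periodic expiry are not applied."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False, f"shorter than {MIN_PASSWORD_LENGTH} characters"
    return True, "ok"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def create_account(username: str, password: str, strength: AuthStrength) -> Account:
    ok, reason = meets_password_policy(password)
    if not ok:
        raise ValueError(reason)
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt), strength)


def _breach_key(username: str, password: str) -> str:
    # Constructed corpus format: SHA-256 over "username:password" pairs.
    return hashlib.sha256(f"{username}:{password}".encode("utf-8")).hexdigest()


# Constructed stand-in for a breach-intelligence feed of leaked credential pairs.
COMPROMISED_CREDENTIALS = {
    _breach_key("alice@example.com", "correct horse battery staple"),
}


def credential_is_compromised(username: str, password: str) -> bool:
    return _breach_key(username, password) in COMPROMISED_CREDENTIALS


def can_store_payment_data(strength: AuthStrength) -> bool:
    """Only the strongest tier may keep a card on file (assumed mapping)."""
    return strength is AuthStrength.PHISHING_RESISTANT


def save_payment_card(account: Account, card_token: str) -> bool:
    if not can_store_payment_data(account.auth_strength):
        account.events.append("card storage refused: authentication tier too weak")
        return False
    account.stored_card_token = card_token
    account.events.append("card stored")
    return True


def login(account: Account, password: str) -> str:
    """Returns 'denied', 'reset_required' or 'ok'."""
    candidate = hash_password(password, account.salt)
    if not hmac.compare_digest(candidate, account.password_hash):
        account.events.append("login failed")
        return "denied"
    if credential_is_compromised(account.username, password):
        # Correct password, but the pair is known to be leaked: purge card data so a
        # stuffed credential cannot be used to buy anything, and force a reset.
        account.stored_card_token = None
        account.events.append("compromised credential: payment data purged, reset required")
        return "reset_required"
    account.events.append("login ok")
    return "ok"


if __name__ == "__main__":
    alice = create_account("alice@example.com", "correct horse battery staple",
                           AuthStrength.PHISHING_RESISTANT)
    save_payment_card(alice, "tok_constructed_001")
    print(login(alice, "correct horse battery staple"), alice.stored_card_token, alice.events)
```

The purge happens only after the password has verified, so an attacker probing with wrong passwords learns nothing from the response, while a legitimate user whose reused password has leaked elsewhere is pushed to a reset before the stored card can be used.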
Great, Secure Experiences Come From Anticipating User Needs
It was insightful to hear about similar security and UX challenges from very different businesses with unique audiences. All need to protect data from cyber-attackers, yet their methods can be quite different.
Our guest speakers agreed that human behavior around passwords is unlikely to change anytime soon. Cyber hygiene should anticipate users' needs and provide experiences that reduce or eliminate friction while increasing security compliance and service adoption.
Hear the entire discussion by listening to this on-demand webinar.