At Transmit Security, our product management team is on a never-ending quest to understand the challenges and pain points of customer authentication. In this pursuit, we are fortunate to meet with CISOs, CIOs, CDOs and identity management leaders nearly every day. They give us valuable insights that help us develop smart solutions. Over time, we’ve noticed CxOs echo similar problems around the same persistent issues. This led us to identify seven goals for improving customer authentication, presented in this article as a guide to help companies set — and reach — key objectives.
Within the finer details below, we’ll address common but flawed assumptions about passwordless customer authentication. For starters, passwordless is much more than biometric authentication, and when biometrics are at play, they are not handled like passwords or shared secrets. Another fact to keep in mind: modernizing customer authentication is part of a larger customer identity and access management (CIAM) program, which calls for an end-to-end, holistic approach.
1) Strongly secure customer identities and account access
When talking to CISOs, we hear they are now more accountable for CIAM. In particular, they recognize customer passwords pose a huge liability and want to move away from them. They not only track global trends and see fraud on the rise but have directly experienced more account takeovers (ATOs) since the pandemic began. Every security breach cuts into revenue and customer trust, so there is an urgency to prevent it. Securing customer accounts and protecting sensitive information is a top priority.
As the first and most impactful step, CISOs increasingly recognize the need to remove passwords from every phase of the customer journey, from account registration through account recovery. Security leaders who are exploring their options see that most ‘passwordless’ solutions still rely on passwords for certain functions, often hiding them in the background, for example as the fallback in a recovery flow. It’s the main reason financial institutions are choosing to work with Transmit Security to eliminate passwords completely. Banks and other security-aware organizations are leading the way, driven by the clear need to secure accounts and high-risk transactions.
CISOs and CIOs are also paying attention to industry analysts. Many are aware that Gartner has placed passwordless authentication in the ‘now’ range of its “Emerging Technologies and Trends Impact Radar” for security. At the recent Gartner IAM Summit in London, analysts revealed that access management is the second-fastest-growing cybersecurity market, and within that, CIAM is outpacing the growth of workforce IAM.
When discussing the full range of passwordless authentication methods, business leaders occasionally express concerns that biometrics could be vulnerable to the same types of attacks used to steal usernames and passwords. This is an opportunity for us to explain the advantages of FIDO-based passwordless MFA, which uses public key cryptography so that fingerprint or facial biometrics never leave the customer’s device. The biometric only unlocks a private key held on the device; the server sends a fresh, random challenge, the device signs it locally with that private key, and only the signed challenge is transmitted over the web. The server stores nothing but the matching public key, so there is no shared secret to steal from a breached database and replay, and because the signature is bound to the web origin that requested it, a look-alike phishing site cannot reuse it. FIDO-certified passwordless authentication eliminates shared secrets and, in doing so, removes the credential an attacker could steal and replay.
2) Reduce the cost and complexity of identity architecture
Reducing costs is a priority for every enterprise, especially in uncertain economic times. In the context of cybersecurity, this means preventing breaches and the financial damage of lost assets, lost customer trust and compliance fines. Cost savings also require security and digital solutions that minimize complexity, since complexity hinders the productivity of developers and IT administrators.
Consider the complexities of traditional password authentication with SMS OTP as a second factor: integrations with SMS, email and push gateways; storage of password hashes and OTP seeds; step-up authentication logic; UI engineering for three operating systems; authentication rules such as account lockout; and call center costs for password resets. Each of these is an attack surface as well as a cost. It’s complicated, costly and far from immune to cyber attacks.
In some cases, developers try to address this problem by extending their existing workforce IAM solution to cover customer use cases. We hear from companies that have tried this only to realize it does not work. There are many important distinctions between workforce IAM and CIAM because the needs of employees and customers are vastly different. I will not go into depth on this topic here; I mention it only to save you from going down the wrong path.
So what’s the right approach? Most security and digital leaders are looking for consolidated CIAM solutions that offer unified management and unified customer experiences. It makes life easier for everyone to have one solution for all customer channels. It can be challenging to find complete customer identity solutions that enable omnichannel and cross-channel experiences — but this is where the industry is headed, and Transmit Security will be leading the way.
For now, there are many examples of how passwordless customer authentication alone can reduce complexity and costs. We have a financial services customer that has transitioned 20% of its customer base to passwordless and is forecasting they’ll save $1.5 million a year by reducing their reliance on SMS OTPs. That alone is significant.
3) Speed time to market with new capabilities
Nothing stalls progress more than difficult integrations or complex development, which in turn increase the probability of a flawed final product. Nearly every project leader has experienced this and will try to avoid it. This is one of many reasons cloud-native solutions are so appealing. CxOs want to go to market with new capabilities quickly, and cloud solutions are the fastest, easiest route. This is as true for CIAM as it is for other digital capabilities. Cloud-native CIAM is a step towards modernizing their architectures, something the industry has been talking about for 10 years or more.
More specifically, companies need solutions that are easy to consume — with developer-friendly APIs and SDKs. Everything should be easy and the architecture should be something IT administrators do not have to worry about. Identity services should be designed for speed and simplicity, so companies can immediately improve security and the customer experience (CX) in a short sprint.
The right authentication solution should be able to handle thousands of customer flows and every imaginable scenario out of the box, so developers can focus on other projects that are equally tied to revenue. Over time, companies will provide more value to customers with a service that continually delivers the latest in identity innovation.
4) Scale to meet high volumes and spikes in demand
CIAM solutions must be architected in the cloud to deliver the scalability required of large, ever-growing customer volumes. One of our customers, a leading global retailer, for example, needs to support a billion customer logins a day. This is an important distinction compared to employee IAM solutions designed to support a relatively small and static number of users. Legacy on-prem solutions, and on-prem products lifted into the cloud unchanged, were not built for this scale. And unlike employees, customers won’t tolerate delays; even a two or three second load time can lead them to abandon a website. A cloud-native solution is essential to deliver the scalability and reliability required of CIAM. It’s non-negotiable.
Cloud-based identity solutions should also handle spikes in demand as traffic can surge ten-fold in less than a minute. Companies must also consider the fact that customers are likely to log in from every corner of the world. Identity services must be globally distributed and fault-tolerant to ensure availability 24/7. Any downtime or perceptible latency will lead to lower conversion rates and lost revenue.
5) Meet ever-evolving privacy mandates
Stringent privacy standards, like the EU’s General Data Protection Regulation (GDPR), require secure management, storage and handling of private customer data. The challenge is that customers access public-facing channels to conduct transactions, purchase goods or access services in an unmanaged environment. In the public domain, companies have no control over the devices or software customers use. For this reason, data privacy must be built into CIAM by design.
We recommend passwordless customer authentication that delivers out-of-the-box compliance with privacy regulations around the globe. This is no small task. GDPR, considered the world’s toughest consumer privacy law, is very detailed. It requires the right tools in place for consumers to provide and withdraw consent, correct data inaccuracies and request erasure under the ‘right to be forgotten.’ Compliance violations come with hefty penalties and often require public disclosure, which generates bad publicity. The bottom line: regulators, and customers, expect companies to safeguard their private data. Identity solutions should make it easy to comply.
6) Gain more customization and control
Most companies come to us because they want a low-maintenance passwordless authentication service that can solve complex orchestration challenges and deliver thousands of ready-made user flows. At the same time, however, CxOs want identity solutions they can control and customize as their business needs change. In today’s cloud landscape, this requires a flexible, API-first approach that makes it easy to connect legacy systems and streamline processes as they roll out modern identity solutions now and in the future.
When done right, APIs enable developers to create seamless experiences across multiple applications and websites. Plus, they can more easily customize these solutions to meet their unique, ever-changing business needs. Developer-friendly solutions enable them to continually innovate, adapt and evolve.
7) Remove friction from the customer experience
Modern CIAM solutions, especially passwordless customer authentication, greatly improve the customer experience. When you eliminate all passwords, you have a clear competitive edge. Customers no longer have to create, remember or manage their credentials, which means no more forgotten passwords and far fewer failed logins. Instead of being greeted with layers of friction, customers get smooth and consistent logins, easily accessing their accounts, apps and resources. For CDOs, this translates to more authenticated customers and improved conversions.
The friction of passwords is at its highest at two points: 1) new account registration, and 2) account recovery, when a user has forgotten their password or locked themselves out of their account. This means that customers are more likely to abandon the website during account creation or when they try to log in to complete a transaction. Customer dropoffs have a direct impact on conversion rates and revenue.
One key recommendation is to consider all channels customers need to access, not just digital properties but in a store or at a kiosk where they may need to authenticate to access loyalty club benefits, for example. Those same customers may go to a different browser or switch from their smartphone to a laptop. They have multiple devices and access to many channels, so it is essential to account for this with a complete strategy.
At the Gartner IAM Summit in London, Gartner Sr. Director Analyst Nat Krishnan stated that the ability to “identify, know and engage customers, across multiple channels and digital properties is essential…” This is not possible with all passwordless customer authentication, and yet security leaders need solutions that provide seamless cross-channel and omnichannel experiences as well as multi-device support.
Finally, it’s important to consider the full spectrum of passwordless authentication options that will do the most to improve CX and boost adoption rates. Passwordless is much more than FIDO-based biometric authentication using fingerprint or facial ID. Companies should offer adaptive customer authentication for those who are not ready or able to use biometrics. Magic links, time-based one-time passcodes (TOTPs), SMS OTPs, push notifications between applications and social logins are all forms of passwordless authentication. These methods offer varying degrees of security assurance: SMS OTPs and magic links can still be phished and depend on the security of the phone number or mailbox, TOTP codes can be relayed by a real-time phishing proxy, and social login delegates the decision to the identity provider, which may itself rely on a password. None of them, however, leaves a reusable secret on the company’s own servers, and each removes the password from the customer’s side of the flow, which is why they are all an improvement over passwords and let companies retire their greatest security risk. And while all can be easier to use than passwords (which carry a cognitive burden), FIDO authentication is the easiest and the only one of these that resists phishing by design.
Kick off a passwordless initiative
When choosing a passwordless solution for multiple use cases and many channels, consider fraud prevention, scalability, privacy, customization and CX. With the right cloud-native service, companies can reduce cost and complexity, while speeding time to market.
Modern CIAM solutions should enable a true omni-channel experience so customers can securely and predictably engage with all that a business offers. The Transmit Security CIAM platform delivers comprehensive, end-to-end customer identity and access management services that are easy to implement. With a complete platform, companies gain 360-degree digital identity trust, starting with the world’s first passwordless customer authentication solution to completely eradicate passwords.
Gartner, “Emerging Technologies and Trends Impact Radar: Security”, Ruggero Contu, Mark Driver, et al., 12 October 2021.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.