To round out this blog series (Part 1 | Part 2) on the evolution of Customer Identity and Access Management (CIAM), we caught up with OneLogin’s Rich Chetwynd, Director of Product Management, and Niamh Muldoon, Senior Director of Trust & Security, EMEA, to discuss what customer authentication could look like in the future and the possible security implications.
What are some of the forces that are going to continue to drive the need for a CIAM solution going forward?
I think security is always going to be the primary driver. Businesses online have exploded over the last 10 years or more and as the business scales, managing all the complexities and keeping current with the latest security best practices around the user login side of your application is a huge burden on your internal teams. Moving to a third-party CIAM solution means you can shift your focus to what happens after a customer logs into an application and eliminate a whole area of work that you have to maintain and keep current in terms of security.
As more businesses adopt MFA, they will need to make a decision on whether to overhaul the authentication part of their homegrown application or outsource user authentication to a provider that can enable them to turn on MFA more easily. This also puts them in a position to easily turn on other security features that they may want in the future instead of building and maintaining it themselves.
Also, we’re seeing a lot of acquisitions and consolidation of online apps and services. A result of this consolidation is companies wanting to enable users to seamlessly log in to the different apps under their umbrella, which drives the need for single sign-on between various consumer facing applications. Essentially, log in once and allow people to move between the different services without having to log in again. This is another example of an authentication-related decision that is driving the question of, “Should we be building this or should we enable it through a specialist identity provider like OneLogin?”
In what ways will logging into a consumer app change over time? What could the experience look like?
It’s all about reducing the barrier to logging in. A common requirement for authentication and checkout, particularly in the retail sector, is to make it super fast to authenticate or register new users. In this case, it makes sense to allow customers to use their existing credentials with a major provider such as Google, Amazon or Apple to speed up the process. Basically, not having to create new accounts or additional usernames and passwords. It’s super easy for them to log into your shop and buy something as those providers often already have credit card information stored.
Businesses will also need to trend toward supporting passwordless login via a customer’s device, such as Google for Android and Apple for iOS. You want to optimize toward getting people to the payment page as fast as possible and getting them checked out, so anything you do around sign up needs to be really fast and efficient. For one-click sign up or one-click sign in, passwordless methods are all going to help achieve that.
What are some of the risks with the way customers currently log into consumer apps today?
The main risk is that many consumer apps today are designed without security and, therefore, it is naturally harder to add security into consumer applications at later stages such as develop, build and/or test. There tends to be a rush to bolt on security at the end just before go-live, or even when the app is live and has been subject to a security-related incident or breach. Designing access control into your app from the start will support you in reducing associated risks such as unauthorized access, use, modification, disclosure and destruction of data/information stored within these applications. All these risks, if they materialize, result in a data breach which could have grave business impacts and consequences.
Secondly, there is a global shortage in cybersecurity skillset. Start-ups and small businesses find it hard to recruit these professionals so integrating with trusted service providers that can provide security services and expertise will strengthen defense and lower the risk of account compromise to an acceptable business level.
How might cyber attackers evolve their tactics to increase their effectiveness in account takeover fraud and stealing customer data?
A malicious attacker needs 3 components to be present for an attack to be successful - a means, a motive and an opportunity. Not having strong authentication in place provides them the means via a consumer application to execute their attack. The components to access control are: identification, authentication, authorization and accountability/assurance. A malicious attacker studies these components and plans their attack against them. Weak authentication is the main means for entry to gain insights on user behaviour and activities to then plan their attack next steps. It is at this stage that they use the assurance or accountability component to turn off alerting and monitoring so the end-user is not aware of fraudulent activities. Then, they proceed to execute their attack stealing data, including financial data. Once they have executed their attack, they use accountability and assurance steps to remove the trace of attack.
How will ongoing compliance and industry regulations impact customer identity projects?
Access control is a fundamental component of all regulatory and compliance requirements, ensuring only those who are authorised have access to the data from a security perspective, and then validating that the data is only accessed and used for the purpose for which it is needed to meet the privacy requirement. I think it is only a matter of time before these regulatory and compliance access control requirements mandate two-factor authentication for securing access and the use of enhanced multi-factor authentication to validate the end-user prior to the execution of high-privilege actions, such as producing a report of all customer contact information and downloading it.
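As an added example (not OneLogin's code and not part of the interview), the access control components named earlier (identification, authentication, authorization and accountability) and the step-up multi-factor check before a high-privilege action such as exporting all customer contact details can be enforced in one small gate. The action name, the roles, the five-minute freshness window and the customer rows are assumptions constructed for the illustration; the audit log is deliberately append-only so the accountability trail cannot be cleared through the same interface an attacker would reach.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumption: a second factor counts as "fresh" for five minutes; tune per risk appetite.
MFA_FRESHNESS_SECONDS = 300

# Assumption: which actions are high-privilege and which roles may request them.
PRIVILEGED_ACTIONS: Dict[str, Set[str]] = {
    "export_customer_contacts": {"support_admin"},
}

# Constructed sample rows standing in for the customer store.
CUSTOMERS = [
    {"id": "c-001", "email": "ann@example.com", "phone": "+1-555-0100"},
    {"id": "c-002", "email": "bob@example.com", "phone": "+1-555-0101"},
]


class Forbidden(Exception):
    """Authorization failed: the caller's roles do not permit the action."""


class StepUpRequired(Exception):
    """Primary authentication is valid but a fresh second factor is needed first."""


@dataclass
class Session:
    user_id: str                              # identification
    roles: Set[str]                           # basis for authorization
    authenticated_at: float                   # authentication (primary factor)
    mfa_verified_at: Optional[float] = None   # last successful second factor, if any


@dataclass
class AuditLog:
    """Accountability: append-only record with no delete or clear method."""
    entries: List[dict] = field(default_factory=list)

    def record(self, now: float, user_id: str, action: str, outcome: str) -> None:
        self.entries.append({"ts": now, "user": user_id, "action": action, "outcome": outcome})


def complete_step_up(session: Session, second_factor_ok: bool, now: float) -> bool:
    """Called after the MFA provider verifies the challenge; stamps the session on success."""
    if second_factor_ok:
        session.mfa_verified_at = now
    return second_factor_ok


def authorize_privileged(session: Session, action: str, audit: AuditLog, now: float) -> None:
    """Role check first, then MFA freshness; every decision is written to the audit log."""
    allowed_roles = PRIVILEGED_ACTIONS.get(action)
    if allowed_roles is None:
        raise ValueError(f"unknown privileged action: {action}")
    if not (session.roles & allowed_roles):
        audit.record(now, session.user_id, action, "denied:role")
        raise Forbidden(action)
    stale = (session.mfa_verified_at is None
             or now - session.mfa_verified_at > MFA_FRESHNESS_SECONDS)
    if stale:
        audit.record(now, session.user_id, action, "denied:step_up_required")
        raise StepUpRequired(action)
    audit.record(now, session.user_id, action, "allowed")


def export_customer_contacts(session: Session, audit: AuditLog,
                             now: Optional[float] = None) -> List[dict]:
    """The high-privilege operation itself; only reachable through the gate above."""
    now = time.time() if now is None else now
    authorize_privileged(session, "export_customer_contacts", audit, now)
    return [dict(c) for c in CUSTOMERS]


if __name__ == "__main__":
    audit = AuditLog()
    s = Session(user_id="agent-7", roles={"support_admin"}, authenticated_at=1000.0)
    try:
        export_customer_contacts(s, audit, now=1010.0)
    except StepUpRequired:
        # In a real flow the user is redirected to the MFA challenge here.
        complete_step_up(s, second_factor_ok=True, now=1020.0)
    rows = export_customer_contacts(s, audit, now=1030.0)
    print(len(rows), "rows exported;", [e["outcome"] for e in audit.entries])
```

The ordering matters: the role check runs before the MFA prompt so that a user who could never be allowed the action is not walked through a second factor for nothing, and the denial is still logged. Tying freshness to `mfa_verified_at` rather than to login time means a long-lived session cannot coast on a factor presented hours earlier.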
What are some other insights you’d like to share?
I am seeing the global financial and banking industry making the most traction on this with enforcement of multi-factor authentication for online banking. This is the result of an amount of financial loss through fraudulent activity. I envision their next step will be transferring accountability from the financial institution to the individual, where if there is fraudulent activity executed on a debit or credit card via an online account (where the access control was considered to be weak before standard and/or wasn’t subject to multi-factor authentication), then the reimbursements will not be paid. Again, reiterating that we all have a role to play in protecting our digital identity, and partnering with OneLogin can keep your business moving forward and deliver quality services while balancing cost and risk.