Customer identity and access management (CIAM) is a major cybersecurity component of any company that maintains customer accounts. Online fraud and authentication attack attempts have grown significantly in the past several years, with attackers increasingly turning their attention to customers rather than companies. This can be seen, for example, in the finance industry, where attacks against customers now outnumber those on institutions or their employees by 4:1.
Protecting the safety of customers and their data is just one of the many reasons firms need to make CIAM security a priority. Other reasons include:
However, CIAM often has requirements and priorities distinct from those of employee authentication. It calls for different approaches, because the security picture can be more complex and customer conversion can be won or lost depending on the authentication method used. Below, we’ll look at different types of customer authentication methods and how they rate in terms of security and customer experience.
A password is a string of secret characters that, in conjunction with a username or email address, is used to verify identity. It is considered a knowledge authentication factor in that the user must know the password in order to gain access.
Security:
Accounts that only have a password for protection are extremely vulnerable to attack. There are numerous methods attackers can use to obtain a user’s password, such as brute-forcing, dictionary attacks, phishing and man-in-the-middle (MitM). Attempts to improve password security by enforcing minimum lengths or mixes of character types have also led users to commit severe security sins, such as keeping lists of passwords. Phishing techniques are very advanced and often automated, which means attackers can steal the passwords of thousands of individuals at once.
Customer Experience:
Passwords have been used in computer authentication for more than 60 years. Though never very secure, they were popular because they gave the user control and were relatively easy to use. Now, however, not only have passwords become harder to remember, but recovering one is a regular and frustrating experience. This friction on the customer’s end can cause them to become frustrated and choose another service provider or abandon a purchase.
Magic links allow customers to log into accounts using a one-time link sent during the authentication process. After the customer enters their username, a link is sent either to the email address on file or, by text message, to the mobile phone linked to the account.
Security:
A magic link confirms a customer is who they say they are by verifying they have access to the email address or phone number linked to the account. Magic links are somewhat more secure than a password as they can’t be guessed or brute-forced, but they can be intercepted or stolen. If an attacker gains access to a customer’s email account or text messages, they can take over any account that authenticates by magic link.
Customer Experience:
The concept is easy to use in theory as the customer only has to enter their email address or phone number and then click on the link that is sent — no passwords to remember. However, it assumes that the customer has quick and easy access to their email or smartphone, which won’t always be the case. From a conversion standpoint, it’s never a good idea to tell a customer on the verge of conversion that they should take their eyes off your site (and their shopping cart).
Two-factor authentication (2FA) requires a password plus another authentication factor, usually a one-time password (OTP). OTPs are unique passcodes that can only be used for a single login instance. The next time a user wants to access an application or website, they will need a different OTP.
Security:
After a customer enters their login details, the OTP is sent by email or to their phone by SMS. The customer then enters the code to complete the login process. OTPs are more secure than a password alone; however, commonly available phishing kits have become adept at extracting these codes from users. In addition, the rise of SIM-swapping attacks, in which attackers transfer a user’s number to a SIM they control, renders SMS-delivered OTPs highly vulnerable.
Customer Experience:
OTPs, especially those sent by SMS, are widely used to confirm a user’s “possession” factor of authentication, i.e., that they are in possession of a linked device (although many regulatory schemes do not accept SMS OTPs as proof of possession). They are fairly straightforward to use; however, they still require an additional action on top of entering a password. Moreover, if delayed, they can cause frustration, leading users to request the OTP again and enter the wrong one. Essentially the system is asking the user to enter two passwords — one they’ve thought of themselves and one they’ve received — neither of which is a pleasant experience.
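Magic links and OTPs share one server-side pattern: a per-login random secret, delivered out of band, that is stored only as a hash, expires, works exactly once and, for a short numeric code, also has a guess budget. The Go code below is an added illustration of that pattern for both methods; it is not HYPR’s code or any product’s. The 10-minute lifetime, the five-guess cap, the `(purpose, user)` keying and the injectable clock are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"sync"
	"time"
)

var (
	ErrNoToken      = errors.New("no pending token for this user")
	ErrExpired      = errors.New("token expired")
	ErrBadSecret    = errors.New("secret does not match")
	ErrTooManyTries = errors.New("too many failed attempts")
)

// maxAttempts caps guesses per token: 5 tries against a 6-digit code is a 0.0005% chance.
const maxAttempts = 5

// record is all the server keeps: a hash of the secret (never the secret itself), an expiry and a failed-guess counter.
type record struct {
	hash     [32]byte
	expires  time.Time
	failures int
}

// TokenStore holds one pending token per (purpose, user); redeeming deletes the record, which makes it single-use.
type TokenStore struct {
	mu      sync.Mutex
	pending map[string]*record
	ttl     time.Duration
	now     func() time.Time // injectable clock (an assumption, so expiry can be tested)
}

func NewTokenStore(ttl time.Duration, now func() time.Time) *TokenStore {
	return &TokenStore{pending: map[string]*record{}, ttl: ttl, now: now}
}

func (s *TokenStore) put(purpose, userID, secret string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pending[purpose+":"+userID] = &record{hash: sha256.Sum256([]byte(secret)), expires: s.now().Add(s.ttl)}
}

// IssueMagicLink returns the one-time URL to send by email or SMS; the 256-bit secret rides in the URL, only its hash stays here.
func (s *TokenStore) IssueMagicLink(userID, baseURL string) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	secret := base64.RawURLEncoding.EncodeToString(b)
	s.put("magic", userID, secret)
	return baseURL + "?" + url.Values{"u": {userID}, "t": {secret}}.Encode(), nil
}

// IssueOTP returns a 6-digit code drawn from crypto/rand (never math/rand) for delivery once the password step has passed.
func (s *TokenStore) IssueOTP(userID string) (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	s.put("otp", userID, code)
	return code, nil
}

// Redeem compares in constant time and deletes the token on success, on expiry, or once the guess budget is spent.
func (s *TokenStore) Redeem(purpose, userID, secret string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	key := purpose + ":" + userID
	rec, ok := s.pending[key]
	if !ok {
		return ErrNoToken
	}
	if s.now().After(rec.expires) {
		delete(s.pending, key)
		return ErrExpired
	}
	h := sha256.Sum256([]byte(secret))
	if subtle.ConstantTimeCompare(h[:], rec.hash[:]) != 1 {
		rec.failures++
		if rec.failures >= maxAttempts {
			delete(s.pending, key)
			return ErrTooManyTries
		}
		return ErrBadSecret
	}
	delete(s.pending, key)
	return nil
}
```

The login handler parses `u` and `t` out of the clicked link and calls `Redeem("magic", u, t)`; the OTP handler calls `Redeem("otp", userID, typedCode)`. Because every terminal outcome deletes the record, a second click on the same link fails with `ErrNoToken` whether the first click was the customer’s or an interceptor’s, which is exactly the limit described above: the link proves control of the inbox or phone number, not who is holding it.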
It has recently become widespread for users to access or create accounts with third parties based on their social media or Google account. This system is built on the OAuth protocols for allowing authorization between unrelated services, creating, in effect, a single sign-on (SSO) for mass usage.
Security:
For individual companies, this authentication method can be useful as it theoretically absolves them of any authentication responsibility. However, on a broader scale, it may be less secure for the user as the related account may only require a username and password, which can be easily phished, allowing the attacker to use that account to access many more.
User Experience:
So long as you are logged into the social media or Google account, then everything is quite simple. You click which account you want to use at the login stage, and everything transfers through. The user experience problems arise when you’re not logged in, for example, when on a different device. With your account being entirely predicated upon your social media or email account, you don’t have any way to access it without logging into them as well.
A CIAM system looking to verify a possession factor may send a push notification to an app and ask the user to approve it, proving they control the device. After a customer enters their password, they receive a notification in a smartphone app and must approve the push request in order to access their account.
Security:
Though push authentication might seem relatively fool-proof, attackers mount push notification attacks in which they spam the user with prompts until they give up and accept one. Also known as MFA prompt bombing, such attacks have skyrocketed in the past year, fueled by easily available automated attack tools.
Customer Experience:
Push notifications are relatively seamless, depending on how they are deployed. The major user experience issue with them comes from the “push fatigue” mentioned above. Users can get quite irritated with constant rechecks of their credentials and being asked to push to verify.
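One defensive control against prompt bombing is to treat a burst of prompts, or a customer’s explicit denial, as a signal and stop sending pushes rather than letting the attacker keep trying. The Go code below is an added example of such a guard; it is not HYPR’s code or a product feature, and the window, thresholds and cooldown are assumptions to be tuned from real prompt telemetry.

```go
package main

import (
	"fmt"
	"time"
)

// Thresholds are assumptions for illustration; tune them from your own prompt telemetry.
const (
	window     = 10 * time.Minute // sliding window for counting prompts
	maxPrompts = 3                // prompts per account per window before we stop sending
	maxDenials = 2                // explicit "this wasn't me" answers before the account is frozen
	cooldown   = 30 * time.Minute // how long push is disabled for a frozen account
)

// Decision says whether to send the push and, if not, why.
type Decision struct {
	Send   bool
	Reason string
}

// PushGuard sits in front of the push sender and keeps per-account state.
type PushGuard struct {
	now     func() time.Time       // injectable clock (assumption, for testing)
	prompts map[string][]time.Time // when each prompt was sent
	denials map[string]int         // consecutive denials since the last approval
	frozen  map[string]time.Time   // when the freeze lifts
}

func NewPushGuard(now func() time.Time) *PushGuard {
	return &PushGuard{now: now, prompts: map[string][]time.Time{},
		denials: map[string]int{}, frozen: map[string]time.Time{}}
}

// Request is called before every push. A burst of prompts inside the window is the
// bombing signature, so the guard stops sending and freezes the account instead of
// letting the attacker wear the user down.
func (g *PushGuard) Request(account string) Decision {
	now := g.now()
	if until, ok := g.frozen[account]; ok && now.Before(until) {
		return Decision{false, "push disabled until " + until.Format(time.Kitchen) + ": suspected prompt bombing"}
	}
	recent := g.prompts[account][:0] // drop prompts that fell out of the window
	for _, ts := range g.prompts[account] {
		if now.Sub(ts) < window {
			recent = append(recent, ts)
		}
	}
	if len(recent) >= maxPrompts {
		g.frozen[account] = now.Add(cooldown)
		g.prompts[account] = nil
		return Decision{false, fmt.Sprintf("%d prompts within %s: suspected prompt bombing, account frozen for review", len(recent), window)}
	}
	g.prompts[account] = append(recent, now)
	return Decision{true, ""}
}

// Respond records the user's answer. A denial is the strongest signal there is: a user
// who did not start this login is telling you someone else has their password.
func (g *PushGuard) Respond(account string, approved bool) {
	if approved {
		g.denials[account] = 0
		return
	}
	g.denials[account]++
	if g.denials[account] >= maxDenials {
		g.frozen[account] = g.now().Add(cooldown)
	}
}
```

While an account is frozen the login flow should fall back to a different, preferably phishing-resistant, factor and raise an alert for the security team, since a freeze means someone already holds a valid password. The reason strings are meant to be logged, not shown verbatim to the customer.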
Passkeys are more secure and easier to use than passwords. They are a standards-based technology that, unlike passwords, is resistant to phishing, strong, and designed so that there are no shared secrets. Passkeys cannot be written down or typed in, which makes it harder for attackers to trick users into handing over their authentication credentials.
Security:
General consumer passkeys can be copied to other devices and shared. This makes them extremely easy for end users to adopt but can increase the security concerns of IT and security teams. They also do not satisfy the possession requirement under some regulations and are not currently recognized as an official form of multi-factor authentication under those regimes. However, signing in with passkeys is still far more secure than the customer authentication methods above.
User Experience:
Passkeys replace passwords, removing one of the biggest customer authentication frustrations and one of the biggest security risks. The user experience is familiar for customers, as they sign in to an app or website using the same biometric or PIN verification they use to unlock their device. From the IT side of things, it’s a bit more complicated, as any organization that wants to support passkeys needs a FIDO2 server.
True Passwordless MFA is built on public key cryptography and uses device-native verification technology. Similar to how passkeys work (both are based on FIDO standards), the user’s private key for authentication is not transferred during login but is only used to digitally sign for authentication locally. Unlike passkeys, however, it is device-bound and cannot be passed amongst devices. It is inherently multi-factor as it simultaneously meets both the possession and the inherence (i.e., something you are) factors of authentication.
Security:
Fully passwordless FIDO-based MFA is one of the most secure customer authentication methods available. It can be thought of as a virtual hardware security key. It provides strong phishing resistance, as there is no password, OTP or push notification for the attacker to capture. It stores the private key in the device’s secure hardware (TPM) and does not transmit, share or sync it. Depending on the specific solution, it meets PSD2 Strong Customer Authentication requirements and other industry regulatory requirements.
User Experience:
True Passwordless MFA allows customers to securely sign in with a single authentication gesture. As a user always has their biometric features with them, it removes further friction with navigating to other accounts, carrying security keys or remembering a code. It also supports multiple verification options if the user is unable to, or chooses not to, use biometrics. This makes it the most seamless of the customer authentication methods.
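The property that both passkeys and device-bound passwordless MFA rest on is a challenge-response over public key cryptography: the relying party stores only a public key, sends a random challenge, and the device signs it together with the origin it is actually talking to, after the local biometric or PIN gesture. The Go code below is an added illustration of that exchange with both the device and the server side; it is not HYPR’s code, nor a FIDO2/WebAuthn implementation (the real protocol’s message formats, attestation and signature counters are omitted). Ed25519 is used for brevity, and `verifyUser` stands in for the device’s local gesture.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Assertion is what the device sends back: the origin it saw, the challenge it signed and the signature. No private key.
type Assertion struct {
	Origin    string
	Challenge []byte
	Signature []byte
}

// signedMessage binds the signature to the origin (phishing resistance) and the challenge (replay resistance);
// hashing the origin gives it a fixed length so the two fields cannot be shifted into one another.
func signedMessage(origin string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(origin))
	return append(h[:], challenge...)
}

// Authenticator models the device: the key pair is generated here, the private key never leaves, and Sign only runs after the local gesture.
type Authenticator struct {
	priv       ed25519.PrivateKey
	verifyUser func() bool // stands in for the biometric/PIN check (assumption)
}

// NewAuthenticator returns the device and the only key material that leaves it: the public key, for registration.
func NewAuthenticator(verifyUser func() bool) (*Authenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv, verifyUser: verifyUser}, pub, nil
}

// Sign answers a login challenge for whatever origin the device is actually talking to.
func (a *Authenticator) Sign(origin string, challenge []byte) (*Assertion, error) {
	if !a.verifyUser() {
		return nil, errors.New("local user verification failed; nothing signed")
	}
	ch := append([]byte(nil), challenge...)
	sig := ed25519.Sign(a.priv, signedMessage(origin, ch))
	return &Assertion{Origin: origin, Challenge: ch, Signature: sig}, nil
}

// RelyingParty models the server: registered public keys and one pending random challenge per user.
type RelyingParty struct {
	origin     string
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin: origin, keys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

func (rp *RelyingParty) Register(userID string, pub ed25519.PublicKey) {
	rp.keys[userID] = pub
}

// BeginLogin hands out a fresh 32-byte challenge; issuing a new one discards any older pending one.
func (rp *RelyingParty) BeginLogin(userID string) ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	rp.challenges[userID] = ch
	return ch, nil
}

// FinishLogin consumes the pending challenge whatever the outcome, so an assertion can never be replayed,
// and verifies the signature against the relying party's own origin, not the one the device reports.
func (rp *RelyingParty) FinishLogin(userID string, a *Assertion) error {
	pub, ok := rp.keys[userID]
	if !ok {
		return errors.New("unknown user")
	}
	ch, pending := rp.challenges[userID]
	delete(rp.challenges, userID)
	if !pending || subtle.ConstantTimeCompare(ch, a.Challenge) != 1 {
		return errors.New("stale, unknown or altered challenge")
	}
	if a.Origin != rp.origin {
		return errors.New("assertion was signed for another origin: likely phishing")
	}
	if !ed25519.Verify(pub, signedMessage(rp.origin, a.Challenge), a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}
```

Run through it, a signature the device produced for a look-alike origin fails on the genuine site, and the same assertion cannot be presented twice. That is the mechanism behind the phishing resistance described above: nothing is typed, so there is nothing for a proxy to relay, and what is signed is bound to where it was signed. Device binding, as the section notes, is then a matter of where the private key lives; the code above says nothing about that.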
Your CIAM processes are critical both from a security and customer experience perspective. Insecure or friction-laden customer authentication methods can lead to breaches, customer churn, lost sales, and regulatory fines, among other consequences. HYPR True Passwordless™ MFA reduces your customers’ frustration while improving security. To learn more, you can read about our customer authentication solutions here or schedule a demo customized to your business environment.