Think You Know Your Customers? Try Authenticating Them

Uploaded on 2016-05-16 in NEWS-Cybersecurity News, FREE TO VIEW

Customer demands are increasing and changing at a rapid rate, forcing companies to adopt new technologies that scale with their business needs, especially security.

In the early days of online development, businesses had two choices for adopting a new service or solution: build it from scratch, or buy it from someone else.

The days of legacy “off the shelf” or “out of the box” technology are coming to an end, for good reason. Businesses can’t afford to rely on monolithic solutions that require expensive, extensive upgrades and customization services to accommodate new customer needs, especially when it comes to securing the accounts of your customers.

Thankfully, nearly anything a business could want is now available in the form of flexible building blocks: payments, contracts, communications, and infrastructure, and even security, are just a few of the areas that can be developed on accessible, scalable APIs. It’s no longer a question of “build or buy?”, but rather a matter of utilizing available tools to develop solutions that adapt to the challenges of protecting your users.

Consumers have countless profiles across several websites – banking, retail, social media and they don’t want to have to jump through hoops just to use your service. The challenge for businesses today is delivering that amazing user experience while reliably securing those same accounts in the constantly evolving security landscape.

API-driven two-factor authentication (2FA) can offset the weakness of passwords, while delighting your customers with a seamless experience that scales with your needs.

Passwords Aren’t Enough, and You Know It

There is a myriad of daily security threats: Malware, phishing attacks, and social engineering are just a few of the methods attackers employ to defraud users of their credentials. Even if users practiced good password hygiene, attackers can use a simple GPU to crack complicated passwords through brute force attacks within a single day. Unfortunately, that’s barely necessary anymore with the millions and millions of usernames and passwords that have been leaked or exposed.

Considering the recent, massive data breaches such as Target, Anthem, or the Office of Personnel Management, it’s likely your customers’ information is already out there. The average consumer will employ weak passwords that they reuse across several accounts. Worse, they probably won’t even change passwords regularly. It’s up to you, the business, to mitigate the ability of attackers to use that information against them, and your biggest challenge is finding a way to do that with the least friction possible.

Authentication Doesn’t Have to be Complicated

Previous efforts in enhancing authentication have focused on the addition of knowledge-based steps. These days, customers are often required to have their account information, mother’s maiden name, answers to random security questions, verbal passwords and more just to verify their identity.

However, through the right deception and impersonation, nearly anyone can gain that information and pose as a valid user. Adding additional knowledge-based steps may make it slightly more difficult for an attacker to succeed, but forcing your customers to input all of that information each time they attempt to access their accounts is a terrible experience.

If you have a mobile or online offering, your users have something in common: they all have Internet connected devices. Device-based, API-driven 2FA can reduce the log-in process to a simple text message or push notification.

Even tech giants like Yahoo are moving in this direction: in an ongoing effort to “kill the password”, Yahoo recently introduced the new Account Key feature to all of their users. The one flaw in this new 2FA experience is that it’s only available to Yahoo users. In an ideal world, every customer authentication process would be this smooth!

Fortunately, authentication services aren’t hard to find anymore, but when you research your options, keep the following in mind:

Avoid services that are tied to specific hardware or operating systems. You don’t get to choose how your customers interact with your business, and you’ll need authentication that works with not just your current channels, but any that arise in the future.
        
Look for scalable, affordable APIs that allow you to iterate and develop at your own pace. Up-front costs and heavy subscription models force you to estimate the impact on your customer base before you even start developing.
        
Do not build 2FA from scratch. Security technologies cost more to build, support and maintain than any other technology competency, and the stakes are so much higher if you don’t do it right.

For more on what 2FA and other authentication services are available, read this recent piece in ComputerWorld, “Multi-factor authentication goes mainstream.”

The Cost of Inaction

Perhaps worse than getting security wrong, is doing nothing at all. On top of compromising your customers’ accounts, a single breach has lasting ramifications for your business:

According to a 2015 global report from the Mobile Ecosystem Forum, lack of trust is the primary reason consumers do not download or use a mobile service.
        
In a 2015 Deloitte US consumer trust survey, 83% of consumers reported being aware of recent data breaches, while 59% reported that knowledge of a breach would negatively impact a purchasing decision.

Consider this: while your business debates whether or how to introduce 2FA to your customers, criminal sites on the dark web are mandating its use for black market transactions. The individuals who are buying your customer’s already-breached information on the web are securing their ill-gotten gains with a technology that most companies have barely introduced as a feature.

In the Age of the Customer, Authentication is Key

Forrester Research believes we are already in a period of “customer-obsessed transformation”, where “customers expect consistent and high-value in-person and digital experiences. They don't care if building these experiences is hard or requires a complex, multifunction approach from across your business. They want immediate value and will go elsewhere if you can't provide it."

As you build the next generation of customer interaction for your business, just remember that the only way to truly know your customer is through reliable authentication.

Infosecurity

« International Co-Operation: Challenges & Potential For Engaging In Cyberspace
Russian Hackers Try To Attack German Governing Party. »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

SBS CyberSecurity

SBS CyberSecurity

SBS CyberSecurity is a premier cybersecurity consulting and audit firm.

MadSec Security

MadSec Security

MadSec Security is a leading consulting company whose expertise are information and cyber security.

Raz-Lee Security

Raz-Lee Security

Raz-Lee Security is the leading security solution provider for IBM Power i, otherwise known as iSeries or AS/400 servers.

Workz Group

Workz Group

Workz connects and protects mobile subscribers of today and tomorrow by providing secure removable or embedded SIMs and remote provisioning solutions for consumer, M2M and IOT devices.

FirstPoint Mobile Guard

FirstPoint Mobile Guard

FirstPoint Mobile Guard has developed the market’s most advanced solution for securing cellular devices, including mobile phones and IoT products, by blocking malicious data leakage.

European Healthcare Fraud & Corruption Network (EHFCN)

European Healthcare Fraud & Corruption Network (EHFCN)

EHFCN is the only organisation dedicated to combating fraud, corruption and waste in the healthcare sector across Europe.

SystemExperts

SystemExperts

SystemExperts is a premier provider of IT compliance and cyber security consulting services.

Research Institute in Verified Trustworthy Software Systems (VeTSS)

Research Institute in Verified Trustworthy Software Systems (VeTSS)

The main purpose of VeTSS is to support program analysis, testing and verification, to achieve guarantees of software correctness, safety, and security.

Torq

Torq

Torq's no-code automation modernizes how security & operations teams work with easy workflow building, limitless integrations and numerous pre-built templates.

AdvIntel

AdvIntel

AdvIntel is a next-generation threat prevention and loss prevention company launched by a team of certified investigators, reverse engineers, and security experts.

Stacklet

Stacklet

Stacklet provides cloud governance as code platform that accelerates how Global 2000 manages its security, asset visibility, operations, and cost optimization policies in the cloud.

Halogen Group

Halogen Group

Halogen Group is the leading Security Solutions Provider in West Africa. Services encompass Physical Security, Electronic Security, Virtual & Cyber Security, Risk Assessments and Training.

6WIND

6WIND

6WIND deliver virtualized, cloud-native, distributed high performance & secure networking software solutions to support new applications such as 5G, IoT, SD-WAN.

Schellman

Schellman

Schellman is a leading provider of attestation and compliance services.

Jera IT

Jera IT

Jera IT provide fully managed IT support, cybersecurity services, telecoms systems, and IT strategy consultancy to businesses based in Aberdeen and the surrounding area.

Opal Security

Opal Security

Opal is an identity and access management platform that offers a consolidated view and control of your whole ecosystem from on-prem to cloud and SaaS.