Achieving Balance: Adding frictionless authentication with higher security for Customer Identity Access Management Systems

In today's digital identity landscape, organizations face constant threats from actors attempting to harvest client information or gain access to applications that hold personal information. This challenges security and identity teams every day, and nowhere more than in the customer identity access management (CIAM) system, which is many organizations' front door and commerce portal. It is imperative, and increasingly mandated by industry and international laws, to continue hardening these systems with additional layers of security. These sometimes take the form of more forms of MFA, or of external identity proofing systems that determine whether a user is who they say they are, a malicious actor, or a bot.

Increased security and governance come with tradeoffs, often in the form of reduced user convenience and added complexity.

Many organizations struggle to improve the user experience at authentication without sacrificing security; controls that add friction cause frustration, increased help desk calls, and login abandonment.

Customer Identity Access Management (CIAM) systems must balance robust security controls without compromising user convenience. By achieving this, organizations can build trust with customers and foster a seamless authentication process. In this article, we will explore some strategies for achieving a better harmony between security and frictionless authentication with a modern CIAM system.

First, let’s take a step back to understand the threat landscape and regulatory requirements of securing identity information. This subject could fill a whole bookshelf, as these requirements are constantly evolving. Suffice it to say that almost every country or region in the world has imposed some form of security mandate to protect its citizens' right to privacy. Most governments have created auditable standards, and any organization that does not conform to them, or worse, suffers an information breach, can be fined millions and will almost certainly lose consumer confidence and its right to conduct business.

This is especially crucial when the stored information contains financial or medical data. CIAM systems governing access to this type of information face further restrictions on how the data is stored, for how long, for what reasons, in what format, and what minimum level of additional safeguards must be in place to prevent disclosure to unauthorized persons. Exploiting, selling and harvesting personally identifiable information (PII) is a lucrative business for attackers, as databases of health information, credit card and government registration data can fetch large amounts of money. Even simple login information is attractive: user and employee credentials can be used to gain access to government and large enterprise systems, introduce ransomware, and extort further millions of dollars.

In this era of data breaches and cyber threats, it is essential for identity leaders to prioritize security when designing a CIAM system.

Fortunately, most identity practitioners are already implementing industry-standard authentication protocols, encryption, multifactor authentication (MFA), and regular security audits to fortify the system's security. There is no end of free and commercial authentication add-ons and platforms, each boasting increased security. Many of these systems affect the user experience in some way, can add complexity, and can introduce friction and frustration among some users.

To strike a balance, it is crucial to introduce frictionless authentication methods that enhance user convenience without compromising security.

Here are some strategies to consider:

Single Sign-On (SSO): Perhaps among the most effective strategies is to allow access to many applications or services under one single sign-on experience. Implementing SSO allows users to log in once and access multiple applications or services seamlessly, without additional prompts or credentials. By combining this with trusted identity providers, such as the social media platforms explained below, or federating with other corporate directories (e.g. O365, GSuite), users can enjoy a seamless unified login experience without the need for multiple credentials.

Social Login: Working in partnership with single sign-on, social login enables users to authenticate using their existing social media accounts. This eliminates the need to create new usernames and passwords, reducing friction and enhancing user convenience. However, it is essential to inform users if social media information is being accessed and to assure them of data privacy. Modern OIDC authentication reduces the need to collect information about a user’s social media account: it passes only the minimal information needed to assure that this is the same account.
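The "same account" point above is where social login implementations most often go wrong: matching a returning user on the email address the social provider reports, rather than on the OIDC issuer and subject, lets two different identities collide. The following is an added example written for this article, not the author's code or any vendor's API. It assumes the ID token has already been validated (signature, audience, expiry) by your OIDC library, so `claims` is a trusted dictionary; the issuer URLs, subjects and e-mail addresses are constructed placeholders.

```python
"""Link a social login to a local customer record using only the OIDC
claims needed to recognise the same account on its next visit.

Added example for this article, not the author's code or any vendor's
API. It assumes the ID token has already been validated (signature,
audience, expiry) by your OIDC library, so `claims` is a trusted dict.
Issuer URLs and subjects below are constructed placeholders."""
from dataclasses import dataclass, field

# The only scope a sign-in needs; profile/email are requested separately
# and only when the application has a stated reason to hold them.
REQUESTED_SCOPES = ["openid"]


@dataclass
class Customer:
    customer_id: str
    # Linked identities keyed by (issuer, subject). The pair is opaque,
    # stable, and unique per IdP, which email addresses are not.
    identities: set = field(default_factory=set)


class AccountDirectory:
    def __init__(self) -> None:
        self._by_identity: dict = {}
        self._next_id = 1

    def login(self, claims: dict) -> tuple:
        """Return (customer, created). Matches on iss+sub, never on email."""
        missing = {"iss", "sub"} - set(claims)
        if missing:
            raise ValueError(f"ID token missing required claims: {sorted(missing)}")
        key = (claims["iss"], claims["sub"])
        customer = self._by_identity.get(key)
        if customer is not None:
            return customer, False
        customer = Customer(customer_id=f"cust-{self._next_id:04d}", identities={key})
        self._next_id += 1
        self._by_identity[key] = customer
        return customer, True

    def link(self, customer: Customer, claims: dict) -> None:
        """Attach a second IdP identity to an account the user is already
        signed in to. Linking is an explicit, authenticated action; it is
        never inferred from a matching email address."""
        key = (claims["iss"], claims["sub"])
        if key in self._by_identity and self._by_identity[key] is not customer:
            raise ValueError("identity already linked to a different customer")
        customer.identities.add(key)
        self._by_identity[key] = customer


if __name__ == "__main__":
    directory = AccountDirectory()
    # Constructed claim sets: the same email reported by two different IdPs.
    first = {"iss": "https://idp-a.example", "sub": "a-1001", "email": "pat@example.test"}
    second = {"iss": "https://idp-b.example", "sub": "b-77", "email": "pat@example.test"}
    cust, created = directory.login(first)
    print(cust.customer_id, "created" if created else "returning")
    # A different issuer is a different identity until the user links it.
    other, created = directory.login(second)
    print(other.customer_id, "created" if created else "returning")
```

Keying on `(iss, sub)` means a changed or unverified e-mail at the provider never silently moves a login onto someone else's record, and a second provider is only attached through `link()` while the user is already signed in to the account being extended.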

Biometric Authentication: Biometric authentication, such as fingerprint or facial recognition, offers a convenient and secure way to verify user identities. Integrating biometric authentication into a CIAM system can reduce friction significantly, as users can access their accounts with a simple scan or touch. In the past, adding this to web authentication required expensive hardware or asking permission to use the user’s camera. New protocols from Microsoft, Apple and Google and their corresponding hardware devices (PCs, tablets, and phones) incorporate biometric authentication with FIDO2 standards. This, in effect, provides two levels of assurance: something you have, e.g. the device or hardware, and something you are, e.g. your face or fingerprint.

We see a large population of users preferring tablet and mobile devices to access web information, and as these devices are replaced and modernized with current versions, consider adding TouchID, Passkeys and Windows Hello to your authentication options.

Adaptive Authentication: Among the most advanced techniques, adaptive authentication can enhance the user experience while maintaining an elevated level of security. Adaptive authentication continuously collects contextual factors such as device information, location, and user behavior, like the times you normally log in. Based on these variables the CIAM can dynamically adjust the authentication requirements. For example, if a user logs in from a recognized device and IP address, the system can provide a streamlined experience with reduced authentication steps, whereas a user coming in from another country, or through a terminal or alternate PC, can be asked for more. This system can also detect account takeover and alert the user, so it should be used in conjunction with a customer self-service portal to reduce alerts and helpdesk burden.
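The adaptive flow described above comes down to a small policy engine: contextual signals are scored, and the score selects how much authentication to demand. The following is an added example written for this article, not the author's or any product's code. The signal names, weights and thresholds are illustrative choices a team would tune against its own login history, not a standard, and the profile and attempts are constructed.

```python
"""Adaptive authentication: turn contextual signals into a risk score and
pick the authentication steps to require.

Added example for this article, not the author's or any product's code.
Signal names, weights and thresholds are illustrative choices a team
would tune against its own login data, not a standard."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    PASSWORD_ONLY = "password"        # streamlined path for a familiar context
    STEP_UP_MFA = "password+mfa"      # ask for a second factor
    BLOCK_AND_ALERT = "block+alert"   # likely takeover: deny and notify the user


@dataclass(frozen=True)
class UserProfile:
    """What the CIAM has learned about a user's normal logins."""
    known_devices: frozenset
    usual_countries: frozenset
    usual_hours: range              # local hours when the user normally logs in


@dataclass(frozen=True)
class LoginContext:
    """Signals observed on the current attempt."""
    device_id: str
    country: str
    hour: int                       # local hour of the attempt, 0-23
    new_devices_24h: int = 0        # distinct unfamiliar devices seen today


# Illustrative weights: an unfamiliar device or country each carry more weight
# than an unusual hour because a user is less likely to vary them by accident.
WEIGHTS = {"unknown_device": 40, "unusual_country": 40, "unusual_hour": 15, "device_burst": 30}


def risk_signals(profile: UserProfile, ctx: LoginContext) -> list:
    """Names of the signals that fired, kept so the decision can be audited."""
    fired = []
    if ctx.device_id not in profile.known_devices:
        fired.append("unknown_device")
    if ctx.country not in profile.usual_countries:
        fired.append("unusual_country")
    if ctx.hour not in profile.usual_hours:
        fired.append("unusual_hour")
    if ctx.new_devices_24h >= 3:
        fired.append("device_burst")  # several new devices in a day is a takeover pattern
    return fired


def decide(score: int) -> Decision:
    if score < 30:
        return Decision.PASSWORD_ONLY
    if score < 80:
        return Decision.STEP_UP_MFA
    return Decision.BLOCK_AND_ALERT


def evaluate(profile: UserProfile, ctx: LoginContext) -> tuple:
    """Return (decision, score, fired_signals) so the outcome is explainable."""
    signals = risk_signals(profile, ctx)
    score = sum(WEIGHTS[s] for s in signals)
    return decide(score), score, signals


if __name__ == "__main__":
    # Constructed profile and attempts.
    pat = UserProfile(frozenset({"laptop-01"}), frozenset({"CA"}), range(7, 22))
    attempts = [
        LoginContext("laptop-01", "CA", 10),
        LoginContext("kiosk-9f", "CA", 10),
        LoginContext("kiosk-9f", "RO", 3, new_devices_24h=3),
    ]
    for a in attempts:
        decision, score, signals = evaluate(pat, a)
        print(f"{a.device_id:10} {a.country} {a.hour:02d}:00 -> {decision.name} ({score}) {signals}")
```

Returning the fired signals alongside the decision is what makes the block-and-alert path usable with a self-service portal: the user can be told which signal tripped (new device, new country) and clear it themselves instead of calling the help desk.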

Progressive Profiling: This approach is simple but requires dynamic access to your authentication and registration flow. It works best when a client is signing up for the first time or is requesting additional access to an app or account. By requesting only the minimally necessary information during registration and gathering additional data gradually to build a profile, it streamlines the user experience. Access is granted only when sufficient evidence or proof has been gathered and verified. Properly implemented, the authentication experience will strike a balance between gathering relevant data and minimizing friction while allowing the user to continue.

Behavioral Biometrics: This is a whole field of biometric authentication that focuses on analyzing and identifying unique patterns and behaviors exhibited by individuals. Behavioral biometrics are often transparent, less intrusive, and more user-friendly compared to traditional biometric methods. Furthermore, behavioral patterns can be continuously monitored and analyzed during a user session, adding an extra layer of security by detecting anomalies or suspicious behavior as it changes.

Unlike traditional biometrics such as fingerprints or facial recognition, which are based on physical characteristics, behavioral biometrics analyze how individuals interact with devices and systems to establish their identities. Various forms of information can be combined: keyboard information such as typing speed, keystroke intervals, and pressure applied to the keys; mouse cursor behavior, including speed, acceleration, and movement patterns; and interactions with touchscreens or gesture-based input devices, increasingly common on tablets and phones, such as swipe patterns, tap durations, and finger pressure. When enabled, voice characteristics such as speech patterns, intonation, accent, and pronunciation can be monitored during an interaction, or simply by asking the user to read a line on the screen. Combining multiple behavioral biometrics creates a more robust and accurate authentication system.
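To make the keystroke-interval channel above concrete, here is an added example written for this article, not the author's code or a reference to any product. It enrols a user's typing rhythm for a fixed passphrase from several samples and scores later attempts as a mean absolute z-score against that profile. It uses one behavioural feature only, the flight time between consecutive key presses; real systems add hold times, pressure and the other channels listed above and fuse them with device and location signals. All timings and the match threshold are constructed and illustrative.

```python
"""Keystroke dynamics: enrol a user's typing rhythm for a fixed passphrase
and score later attempts against it.

Added example for this article, not the author's code. It uses one
behavioural feature only, the flight time between consecutive key
presses; production systems add hold times, pressure and other channels
and fuse them with device and location signals. All timings are
constructed and the match threshold is illustrative."""
from statistics import mean, stdev

MIN_STD_MS = 5.0       # floor so one very consistent position cannot dominate the score
MATCH_THRESHOLD = 2.0  # mean |z| at or below this counts as the enrolled user


def intervals(timestamps_ms):
    """Flight times: gaps between consecutive key-press timestamps."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def enrol(samples):
    """Per-position (mean, std) of flight times across several typings
    of the same passphrase. All samples must have the same key count."""
    rows = [intervals(s) for s in samples]
    if len(rows) < 2 or any(len(r) != len(rows[0]) for r in rows):
        raise ValueError("need >= 2 samples with identical key counts")
    profile = []
    for column in zip(*rows):
        profile.append((mean(column), max(stdev(column), MIN_STD_MS)))
    return profile


def score(profile, sample):
    """Mean absolute z-score of a sample against the profile; lower is closer."""
    iv = intervals(sample)
    if len(iv) != len(profile):
        raise ValueError("sample key count differs from enrolled passphrase")
    return mean([abs(x - m) / s for x, (m, s) in zip(iv, profile)])


def matches(profile, sample, threshold=MATCH_THRESHOLD):
    return score(profile, sample) <= threshold


# Constructed enrolment: four typings of a six-key passphrase, press times in ms.
ENROLMENT_SAMPLES = [
    [0, 120, 250, 380, 600, 720],
    [0, 110, 260, 370, 610, 730],
    [0, 130, 240, 390, 590, 715],
    [0, 115, 255, 385, 605, 725],
]
PROFILE = enrol(ENROLMENT_SAMPLES)

# Constructed attempts: the enrolled user on a later day, and a stranger
# who knows the passphrase but types it fast and evenly.
GENUINE_ATTEMPT = [0, 120, 255, 375, 600, 720]
IMPOSTOR_ATTEMPT = [0, 80, 160, 240, 320, 400]

if __name__ == "__main__":
    for label, attempt in (("genuine", GENUINE_ATTEMPT), ("impostor", IMPOSTOR_ATTEMPT)):
        print(f"{label}: score={score(PROFILE, attempt):.2f} match={matches(PROFILE, attempt)}")
```

Because the score is continuous rather than a yes/no, it slots directly into an adaptive or zero-trust policy: a borderline score during a session can trigger a step-up challenge rather than an outright denial, which is what keeps the check transparent for the legitimate user.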

Zero-Trust Identity: Perhaps the broadest and most discussed identity term, zero trust (ZTI) is the application of architecture and decisions based on the principle that a device or person can never be implicitly trusted. This seems counterintuitive and implies inflexibility, but when applied in its strict definition and with proper application of technology it can be an effective and frictionless means of user login. NIST defines the term as “an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.” Zero trust treats all access requests from any point as though they should be denied, regardless of the previous session or of contextually derived information like location or device. Access (or trust) is granted dynamically as evidence from the user is gathered through the web interface or by other means. To implement a transparent zero trust architecture, a feedback loop of continuous authentication must be incorporated, much like adaptive authentication, but by introducing advanced systems rather than just device information. Approaches like behavioral biometrics and challenge-and-response proofs are effective here. This area of identity is rapidly evolving, and elements of AI and new technologies will be introduced, making this approach the standard for ensuring a secure but frictionless authentication experience.

In summary, balancing security and frictionless authentication in a CIAM system is a challenge, but a well-designed approach can provide users with a secure and convenient experience. By leveraging strategies such as SSO, social login, biometric authentication, behavioral biometrics, adaptive authentication, progressive profiling, and elements of zero trust, an organization can enhance security while reducing friction. It is crucial to regularly reassess and refine the authentication process based on user feedback and to study emerging security threats to maintain the delicate balance between security and user convenience in the ever-evolving digital landscape.

More articles by Davin Cooke
