Enhancing customer authentication leads to more robust security, among other benefits. The best identity architects use a FIDO-based solution to modernize their customer authentication. Here’s how.

Rapidly accelerated digital transformation strategies over the last few years only cemented what digital identity architects already knew: identity is the perimeter. While protecting enterprise assets using identity and access management (IAM) is important, companies also need to address the applications their customers use. In 2021, the Federal Trade Commission[1] received 2.8 million fraud reports from consumers that totaled more than $5.8 billion in losses.

Digital identity architects want to modernize their authentication stacks for various reasons, including:

- Simplifying their architecture
- Improving security and fraud protection
- Reducing costs
- Accelerating speed-to-market for new capabilities
- Improving the customer experience (CX)

To protect customers, identity architects should use a FIDO-based solution to modernize their customer authentication.

Why CIAM isn’t the same as IAM

Customer identity and access management (CIAM) is purpose-built for customers who exist in the free world, an unmanaged IT environment. Traditional IAM, however, was built to manage internal employees, which means that the organization has control over connecting users to their real identities, birthright provisioning and device security. Most organizations don’t have control over their customers’ access to digital experiences.

When comparing CIAM vs. IAM, dedicated CIAM solutions address key differences that companies need to consider, such as:

- Balancing CX and security
- Enabling access via any device
- Providing omnichannel access, including offline channels
- Integrating consistently and uniformly across technologies
- Complying with privacy and data regulatory requirements

In response to these differences, digital identity architects are modernizing their authentication stacks.
Many digital platforms natively incorporate some CIAM elements. They may have a built-in user store supporting password authentication, for example. Others are related to cloud-specific systems, like Azure AD B2C. However, these complex, legacy authentication technologies come with their own set of problems, such as:

- Inhibiting the customer experience
- Lack of easy integration into websites, mobile apps or other channels
- Inferior protection against account takeover (ATO) fraud
- Remaining vulnerable to credential theft via phishing, credential stuffing or man-in-the-middle attacks

Typical workarounds for strengthening customer authentication currently include:

- SMS or token-based OTPs
- CAPTCHA-type verifications
- Out-of-wallet questions

These controls are not impervious to attack, and at the same time they add complexity and cost to the authentication stack. In addition, they undermine the seamless CX that the organization is striving to provide.

Modernizing CIAM with FIDO

In response to cloud-based customer experiences, more focus has shifted to authentication. Modern authentication systems tend to be built around the FIDO standards of Web Authentication (WebAuthn) and Client-to-Authenticator Protocol (CTAP). With these standards, FIDO provides more secure, multi-factor authentication (MFA) and offers the most robust passwordless option for a low-touch customer experience.

5 essential modern customer authentication elements that FIDO enables

Enhancing customer authentication leads to more robust security, but any transition requires a certain amount of planning.
Organizations that want to move toward FIDO-based authentication should begin by prioritizing the following five elements.

1. Biometric authentication: Best authentication practices include MFA that validates at least two factors: ‘something you know,’ ‘something you have,’ and/or ‘something you are.’ Most mobile phones support FIDO-based biometric authentication — up to an estimated 80%, according to Statista. Mobile phones, laptops, tablets and desktops often incorporate fingerprint or facial recognition like:

- Apple FaceID and TouchID
- Windows Hello
- Android fingerprint or facial recognition

Customers can log in to an organization’s website using their biometrics without the company ever storing the biometric data. Some customers own a combination of FIDO-based and non-FIDO devices. When implemented correctly, FIDO-based CIAM enables these customers to use their FIDO-enabled device to log in on their older, unsupported devices.

2. True passwordless: Even with FIDO, many implementations still rely on passwords as a fallback method for account recovery. The organization’s user store maintains the password hashes, and attackers often target them. When appropriately implemented, FIDO-based authentication systems can completely eliminate passwords. Customers can recover accounts using:

- Another device
- A one-time password sent via email
- A magic link sent via email

Passwordless solutions enhance security in two ways:

- The organization reduces its attack surface by not storing password hashes
- The organization no longer relies solely on customer passwords that can be compromised

3. Passwordless portability: As users move across channels or switch devices, passwords lead to broken journeys, causing frustration at every step.
For example, if a company uses magic links, customers need to go through the following three-step process when changing apps or if they lose their device:

- Request link
- Open email
- Click magic link

A CIAM solution that supports FIDO gives customers the portability they need for a seamless experience. They simply open the application on their FIDO-based device or redownload the application to a new device.

4. Support customers without FIDO-based devices: Not every customer will have a FIDO-based device. And not every customer who does own a FIDO device will enable its biometric capabilities. Therefore, companies need to find methods that still provide these customers with a seamless and strong method of passwordless authentication. In this case, using a passwordless CIAM solution that integrates with Auth0 can be useful. Customers can use a social media account as a way to securely log in to the application without having to remember additional passwords.

5. Integrate with existing user stores: While eliminating passwords throughout an organization is a positive, companies should take caution not to let the change negatively impact their customers. Smoothing the transition to passwordless for your customers is all about educating customers on the benefits of going passwordless and supporting them throughout the transition. Taking a full rip-and-replace approach is costly, from both a financial and a human resources perspective. As part of the planning, the organization needs to ensure that FIDO can integrate into the organization’s current user stores. For easy integration that offers rapid implementation capabilities, organizations should look for solutions that support the same authentication protocols as their existing systems. For example, a common, standard protocol is OpenID Connect (OIDC).

The future of customer authentication

Passwordless is the future of customer authentication.
As digital natives become active consumers, they’re more likely to abandon a cart or leave a website if the experience requires a password that they’ve long forgotten. The adoption of passwordless authentication by tech giants, such as Microsoft and Google, is just another sign of the growing momentum behind ditching passwords. Companies of any size can implement a passwordless solution like BindID — the industry’s only truly passwordless solution. BindID eliminates your greatest business risk — customer passwords — enabling seamless and secure customer authentication experiences across all channels and devices. Ready to say goodbye to passwords? Learn more about BindID today!

[1] Source: Federal Trade Commission.