A recent PwC study found that 32% of the public will abandon a company after a single bad customer experience. What if that frustrating experience is your login? If you turn up the security measures too high, customers won’t bother navigating the hurdles to create an account or log in to an existing one. The flip side is if you dial the security down too far in favor of an easy login flow, malicious actors will take advantage of the fact that while the majority of people (91%) know reusing passwords is a bad practice, 66% admit to doing it anyway. Those numbers are courtesy of a study conducted by LogMeIn, makers of the password manager LastPass.
Login pages are often the first point of interaction between customers and the companies they do business with. Of course, that means those login pages are often the first point of contact for malicious actors, as well. For any company doing business online, there’s a line to walk between keeping data secure and providing a low-friction login experience for legitimate customers. Customer Identity and Access Management (CIAM) is the solution that allows for successful navigation of this line.
From a business standpoint, having too few security measures leaves you open to regulatory penalties should a data breach occur and the high financial costs of recovering from a breach, not to mention the damage to your brand that can extend far beyond the recovery period. Too much security can result in lost conversions when customers abandon the process due to friction. A strong CIAM solution lets you consolidate the onboarding, organizing, and managing of user accounts — all while helping mitigate the chances of a breach with defensive measures like Bot Detection and brute force protection.
User Account Flow and How CIAM Manages Each Stage
A robust CIAM platform provides you with an identity Single Source of Truth (SSoT). SSoT is a data organization framework built on the principle that it’s easier to protect data kept in one place than data in multiple siloed locations spread across multiple platforms (like on-prem and cloud). Beyond that, strong CIAM provides customers a single login window for all of your properties. Even if you’re expanding your presence and adding new tools and apps, users will only ever have to log in once to access them all. CIAM provides similar ease-of-use solutions throughout the user account lifecycle.
When a new customer decides to create an account, they’re telling you that they trust you with their data and that they’re ready to become a customer. Rewarding them with easy, low-friction processes is key to showing them that their trust is well placed. A CIAM solution that offers multiple first-factor sign-on options, such as passwordless, biometrics, or single sign-on to create an account means they don’t have to create or reuse an existing password. This streamlines the customer experience while adding security by removing passwords from the login flow.
At this stage, automation is CIAM’s biggest benefit. Automated password resets and the ability to merge accounts when a person accidentally creates a duplicate reduce the backend workload on your team while keeping customer friction low. While such automatic password resets are one of the stronger benefits of a CIAM solution, it’s important to note that malicious attackers often seek to exploit these recovery flows. These attacks can be thwarted by having strong security in place that offers a range of protections, including Bot Detection and the ability to spot and throttle suspicious IPs.
Should a user abandon their account, you need a process in place that deactivates these accounts and eventually deletes them. This prevents those credentials from being used in future attack scenarios and keeps your user account database clean and free of dead accounts.
The Business Impact of Data Security
There are a variety of attack vectors available to malicious actors once account credentials are stolen. We go into more detail in a whitepaper on this topic, but what follows is a brief summary of the most prevalent of these vectors.
Credential stuffing attacks
When an attacker takes a list of breached credentials and runs all of these combinations through a login flow until they find one that succeeds, it’s called credential stuffing. These attacks are efficient for the attackers because of password reuse. Lists of breached username/password combinations are available on the dark web, making credential stuffing attacks a low-effort way to instigate a breach.
Business email compromise (BEC) attacks
Usually beginning with spear-phishing emails sent in the guise of a trusted partner account, BEC attacks are targeted at busy executives with the goal of obtaining a money transfer to an account owned by the attacker. Once again, breached credentials often play a key role in these attacks.
Bot-based brute force attacks
Bot attacks can take several forms. Most often, they are automated credential stuffing or what are called swarm attacks: when a malicious actor uses automation tools to flood a site with traffic either to cause the site to crash in a distributed denial-of-service (DDoS) attack or to buy up available retail stock to inflate the price on the aftermarket.
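The credential stuffing and bot-based brute force patterns described above differ in a way a defender can detect from login telemetry: a stuffing attack spreads its failures across many usernames from one source, while a brute force attack concentrates them on one username. The following is an added illustration, not Auth0 code or the page's own material; the log format and the sample events are constructed for the example, and the thresholds are assumptions a real deployment would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real logs): timestamp, source IP, username, outcome.
SAMPLE_EVENTS = """\
2024-01-01T10:00:01Z 203.0.113.7 alice FAIL
2024-01-01T10:00:02Z 203.0.113.7 bob FAIL
2024-01-01T10:00:03Z 203.0.113.7 carol FAIL
2024-01-01T10:00:04Z 203.0.113.7 dave FAIL
2024-01-01T10:00:05Z 203.0.113.7 erin FAIL
2024-01-01T10:00:06Z 203.0.113.7 frank SUCCESS
2024-01-01T10:00:10Z 198.51.100.9 alice FAIL
2024-01-01T10:00:11Z 198.51.100.9 alice FAIL
2024-01-01T10:00:12Z 198.51.100.9 alice FAIL
2024-01-01T10:00:13Z 198.51.100.9 alice FAIL
2024-01-01T10:00:14Z 198.51.100.9 alice FAIL
2024-01-01T10:05:00Z 192.0.2.44 alice SUCCESS
"""

def parse(line):
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome

def classify_sources(log_text, window=timedelta(minutes=5), max_failures=4):
    """Return {ip: label} for source IPs exceeding max_failures inside any window.
    'credential_stuffing': failures spread over many usernames (breached-list replay).
    'brute_force': failures concentrated on a single username (password guessing).
    A flagged IP is a candidate for throttling or a bot challenge, not an automatic block."""
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, outcome = parse(line)
        by_ip[ip].append((ts, user, outcome))
    verdicts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        # Sliding window over this IP's events: count failures and distinct usernames.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            failures = [u for _, u, o in events[start:end + 1] if o == "FAIL"]
            if len(failures) > max_failures:
                distinct = len(set(failures))
                verdicts[ip] = "credential_stuffing" if distinct > 1 else "brute_force"
                break
    return verdicts
```

Note that the stuffing source in the sample ends with a SUCCESS for a sixth username: a success following a burst of cross-account failures is exactly the reused-password hit the page warns about and is worth alerting on separately from the throttling decision.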
The business impact of these attacks can be dramatic, ranging from the financial impact of lost business to increased churn due to customers losing trust in the business to long-lasting damage to brand reputation. For these reasons, finding the right balance of security and customer experience is a business priority.
Data Security Is a Moving Target
According to the 2020 edition of the IBM/Ponemon Institute’s Cost of a Data Breach report, lost business after a data breach averages out to more than $1.5 million per breach. That works out to approximately 40% of the total average cost of a data breach, which the same report puts at $3.86 million.
PwC has found that 87% of consumers will take their business elsewhere if they feel a company is not treating their data with due care. The takeaway is to be open and honest with your customers about your data use policies. After collecting their consent to use their information, tell them what you’re using it for, how you’re caring for it, and what your policy is regarding data destruction when you’re done with it. This transparency will go a long way toward mitigating these potential impacts.
Data security needs are in constant flux with changing regulatory requirements, evolving attack vectors, and increasingly data-savvy consumers. Auth0 research has found that 83% of apps in development will require authentication, yet only 58% of companies are availing themselves of the Identity-as-a-Service (IDaaS) option. Let our experts keep up with those ever-evolving security needs and handle what they do best (identity), while yours do what they do best (creating and enhancing your core product).
A company’s digital identity is of increasing importance in today’s crowded marketplace, and managing customer experience from the login page is key to creating the trusting relationships needed to thrive. If it’s time for your business to pay more attention to your access management solution, get in touch with our team of identity specialists today to start the conversation.
Auth0 provides a platform to authenticate, authorize, and secure access for applications, devices, and users. Security and application teams rely on Auth0’s simplicity, extensibility, and expertise to make identity work for everyone. Safeguarding billions of login transactions each month, Auth0 secures identities so innovators can innovate, and empowers global enterprises to deliver trusted, superior digital experiences to their customers around the world.