February 21, 2017 By Guillaume Noé 4 min read

I switched banks years ago. My former bank’s financial services and benefits were average when compared to other banks, but something in particular triggered my decision to switch. I had developed a bad online user experience, and especially a bad feeling about identity and access management (IAM).

The online banking website had some clunky functionality, a poor look and feel overall, and an unusual and annoying authentication function. My dissatisfaction developed from my first interaction with the app and it increased every time I logged in.

Online user experience (UX) is important, and it usually starts with IAM functions such as identity enrollment and access.

Integrating the User Experience With Security

A business I recently engaged with highlighted a common challenge across IAM approaches, which reminded me of my experience with my old bank. The context was about providing clinical staff with secure and convenient access to business applications from any device, anytime, anywhere. Business and security stakeholders had some different views on how to best implement strong authentication functions.

“We’ll need two-factor authentication,” the business stakeholder told me. “I’d like to use SMS codes, but nothing like Google Authenticator, which would require the staff to deploy an extra app on their mobile device. It would kill the [business] service adoption.”

At the stakeholder’s suggestion, I then discussed the matter with the company’s CISO separately.

“Yes, we’ll want two-factor authentication,” the CISO confirmed. “I don’t want SMS passcodes. They’re not that well-rated anymore by NIST, and for good reasons. We should look at a [soft] token solution.”

The business stakeholder prioritized the usability and the security stakeholder prioritized the strength of the security controls. The different priorities are understandable, but they present a challenge of somehow converging the respective stakeholders’ expectations. This challenge is quite common with security projects, and especially with IAM.

Three Key Criteria of Identity and Access Management

The functions of IAM are implemented in many ways, in both enterprise and consumer contexts. For example, consumer identity enrollment processes can require different input from the registering users in content, format and steps. Authentication functions can also be implemented through a wide range of options that deliver different user experiences.

The convergence of user experience and security priorities is critical to enhance the IAM feel, boost user satisfaction and facilitate the successful adoption of online business services. A good way to manage the convergence issue is through the three key criteria of IAM — function, security and feel — with a set of guidelines to integrate them efficiently.

1. IAM Function

IAM processes perform concrete tasks. For example, the identity registration process creates new digital identities and credentials, which users can then use to access applications. The authentication process verifies a user’s credentials. When the verification is successful, the process creates a session and provides the user with access to an application.

The IAM functions require different levels of user involvement. They subject users to different experiences and provide different levels of security.

2. IAM Security

The key IAM functions of identity registration or enrollment, proofing and authentication can be rated on a security scale of assurance level. The National Institute of Standards and Technology (NIST) issued digital identity guidelines that provide a good reference on assurance levels: the Identity Assurance Level (IAL) and the Authenticator Assurance Level (AAL).

The assurance level is determined by how the IAM functions are implemented. The higher the assurance level, the more is typically demanded of the users and of the technology they use.

3. IAM Feel

Users such as consumers, citizens, staff members and business partners develop different feelings and experiences through their interactions with IAM functions. That experience can be critical to user satisfaction and to the successful adoption of online services, especially with consumers.

The IAM functions create a first impression ranging from good to bad that will evolve over time. For example, the frustrating online banking authentication experience that contributed to my decision to switch banks involved the use of a virtual keyboard to input a personal identification number (PIN), and the virtual keyboard changed the order of the keys every time. That type of frustration builds up.

In my experience, the IAM feel has not been given much consideration to date across industries. The IAM functions are still often delegated to security stakeholders, with limited collaboration or influence from the business side.

Balancing Convenience and Security

The following guidelines can help IT teams manage a balance of identity and access management function, feel and security for the best business outcome:

  1. Start with an application risk assessment and establish the required security assurance levels for the IAM functions. Identify the technology and process options available to achieve the target assurance levels.
  2. The IAM feel is valuable to the business. A better IAM feel can outweigh a different or more expensive IAM function if it contributes to better user satisfaction and better online service adoption, especially for online consumer services such as banking, shopping and citizen services.
  3. Collaborate across security, digital and business stakeholders on the IAM functions from the beginning. Don’t leave it to a user acceptance testing (UAT) phase for the business stakeholders to realize, very late, what their clients must go through to access apps. Some IAM technology platforms also make it easier to orchestrate such collaboration.
  4. Apply IAM UI and UX frameworks for identity enrollment processes.
  5. For access processes, avoid using passwords at all if you can. They are a total pain for users. Prioritize the use of biometrics-based methods where possible. Use mobile apps for strong authentication options — I’m a big fan of the push authorization mechanism. Consider offering users the option to select a preferred, strong authentication method if they want to. It’s a nice touch.
