Frictionless User Experience? Or Data Security? (Choose One.)

(This article was jointly written with Phani Nagarjuna, CEO of Circle Security.)

Rapidly advancing technology has dramatically improved the customer experience over the last couple of decades, streamlining every aspect of a customer’s interactions with a business, whether it’s using a mobile app to deposit a check or scanning a QR code to call up the menu at a restaurant. But technology has also empowered the activities of criminals and hackers, who regularly break into databases and make off with gigabytes of valuable data, while using phishing attacks to lure millions of unwary consumers into allowing spyware onto their own personal devices. The pandemic added fuel to this fire, ushering in a work-at-home economy that has magnified even further the security risks we all now face.

The conundrum for businesses today is that while trying to minimize friction in both their customer experience and their employee experience, they must also build increasingly effective security protocols into all these interactions, which inevitably increases that friction. To keep data safe, a company must accomplish two fundamental tasks: it must confirm that a user is authorized to access the data they are seeking, and in certain cases it must authenticate the actual identity of the user and the device. To date, most organizations have relied almost exclusively on basic credentials such as user IDs and passwords to authorize and authenticate users into their systems. But in many cases, to make credentials easier to remember, people choose the same credentials for multiple accounts, which means that when any one set of credentials is compromised, it can be used to unlock many different sites and their associated data assets.

Anticipating this risk, one innovative online brokerage firm, Interactive Brokers, has always required its own new customers to choose usernames with a specific number of non-repeating letters and digits, to make it less likely that a user would simply recycle a username they already had. Doubtless this has increased the company’s overall security, but it has also added significant friction to its new-client user experience, generating frequent complaints from new customers and from the sales reps who were landing these new accounts.

As hackers have become more technically sophisticated, businesses have looked for ever more secure ways of ensuring the safety of their customers’ personal data (and their own corporate data). So today, in addition to usernames and passwords, many financial services firms and others dealing with highly sensitive or valuable data require that their customers confirm their own identities via some type of multi-factor authentication (MFA). MFA may involve asking about some bit of personal knowledge that only the user should know (What’s your favorite pet’s name? What was the brand of the first car you owned?). Other times, MFA might tie a person’s online session to a personal smartphone, email address, or mobile app associated with that person. Before you complete the login to your bank, for instance, they might ask you to accept a message via text or email with an authentication code. Yet another, still more secure form of MFA would be to ask for some sort of biometric ID – perhaps facial recognition or a fingerprint, usually delivered via your smartphone.

The result? More safety to meet this ever-escalating security threat, but at the expense of ever more time-consuming effort and friction in the user experience. Moreover, the steady onward march of technology continues, making it easier to hack multi-factor authentication tools, as well.

The problem, in short, is that the cloud itself presents a giant “attack surface” for hackers. After all, the entire value of the cloud is that it can be accessed and used by all, but anything that is accessible can eventually be hacked, with enough ingenuity, effort and computing power. One effective way to out-maneuver such hacking, in the long term, would be to avoid exposing the authorization and authentication process to the cloud at all.

Enter Circle Security, with its new Credential-Free Authentication (CFA) platform, explicitly designed to provide secure access to cloud data environments without the need for any credentials. Using a decentralized architecture, Circle’s CFA presents zero attack surface in the cloud and prevents all credential-driven data breaches from your environment, including those resulting from phishing, social engineering, credential loss, etc. Circle’s CFA evolved from the premise that the cloud is inherently exposed and insecure, so any mere software token is still vulnerable to threats from computer viruses, phishing attacks, and “man-in-the-middle” attacks. Using standard public-key cryptography to generate software tokens eliminates some of this risk, but even this doesn’t address one of their primary vulnerabilities, which is the ability to duplicate such tokens.

But Circle’s CFA has no centralized orchestration engine, eliminating entirely all the vulnerabilities presented by software tokens, credentials, and even multi-factor authentication. CFA’s ability to protect access to the user’s data is based on something the user has (a mobile phone or other device with a Circle key bound to it), something the user is (biometric scanning, both at the available OS level and within Circle), and something the user does (such as signing a challenge with Circle keys that only the user’s devices have).

In a nutshell, Circle’s protocol:

  1. Decouples authentication orchestration from the cloud entirely, thus leaving no attack vector for hackers;
  2. Restricts access to an authorized device with private keys bound to that device;
  3. Authenticates the user’s identity via multiple factors while creating no friction; and
  4. Escalates to human-in-the-loop cryptographic verification when necessary (risk-based step-up authentication).
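As an added illustration of the “something the user does” factor in the list above (example code written for this article, not Circle’s own implementation or protocol): the server enrolls only a device’s public key, issues a random challenge, and accepts a response only if it was signed by the key bound to that device and the challenge has not been used before. The device ids, the 32-byte nonce size and the choice of Ed25519 are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
)

// Server stores only public keys (one per enrolled device) plus the challenges
// it has issued and not yet consumed; a challenge is valid exactly once.
type Server struct {
	devices    map[string]ed25519.PublicKey
	challenges map[string]string // hex(nonce) -> device id it was issued to
}

func NewServer() *Server {
	return &Server{devices: map[string]ed25519.PublicKey{}, challenges: map[string]string{}}
}

// Enroll registers a device's public key; the private key never leaves the device.
func (s *Server) Enroll(deviceID string, pub ed25519.PublicKey) { s.devices[deviceID] = pub }

// Challenge issues a fresh 32-byte random nonce, or nil for an unknown device.
func (s *Server) Challenge(deviceID string) []byte {
	if _, ok := s.devices[deviceID]; !ok {
		return nil
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // the OS CSPRNG failing is not recoverable here
	}
	s.challenges[hex.EncodeToString(nonce)] = deviceID
	return nonce
}

// Verify accepts a signature only over a challenge issued to this device and
// not yet used, then consumes the challenge so a replayed response fails.
func (s *Server) Verify(deviceID string, nonce, sig []byte) bool {
	key := hex.EncodeToString(nonce)
	if s.challenges[key] != deviceID {
		return false
	}
	delete(s.challenges, key)
	return ed25519.Verify(s.devices[deviceID], nonce, sig)
}

// Device holds the private key; Sign is the "something the user does" factor.
type Device struct{ priv ed25519.PrivateKey }
func (d *Device) Sign(nonce []byte) []byte { return ed25519.Sign(d.priv, nonce) }
```

A copied public key or a signature captured in transit does not help an attacker here: the response must be freshly signed with the device-bound private key over a nonce the server issued to that device.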

The result? Circle’s CFA enables the user to switch browsers and devices in a frictionless manner, without the need to re-authenticate, without compromising security or privacy, and without ever entering or remembering any credentials. And given the state of security protections today, this should represent a dramatic improvement in the user experience!

-------

Don Peppers is an advisor to Circle Security, and Phani Nagarjuna is its founder and CEO.

Rajeev kistoo

I Help Coaches, Consultants, Speakers, Founders & Business Owners Upgrade Their Personal Brand

2 months

Don, thanks for sharing!
