Frictionless User Experience? Or Data Security? (Choose One.)
Don Peppers
Customer experience expert, keynote speaker, business author, Founder of Peppers & Rogers Group
(This article was jointly written with Phani Nagarjuna, CEO of Circle Security.)
Rapidly advancing technology has dramatically improved the customer experience over the last couple of decades, streamlining every aspect of a customer’s interactions with a business, whether it’s using a mobile app to deposit a check or scanning a QR code to call up the menu at a restaurant. But technology has also empowered the activities of criminals and hackers, who regularly break into databases and make off with gigabytes of valuable data, while using phishing attacks to lure millions of unwary consumers into allowing spyware onto their own personal devices. The pandemic added fuel to this fire, ushering in a work-at-home economy that has magnified even further the security risks we all now face.
The conundrum for businesses today is that while trying to minimize friction in both their customer experience and their employee experience, they must also build increasingly effective security protocols into all these interactions, which inevitably increases that friction. To keep its data safe, a company must accomplish two fundamental tasks: it must confirm that a user is authorized to access the data they are seeking, and, in certain cases, it must authenticate the actual identity of the user and the device. To date, most organizations have relied almost exclusively on basic credentials such as user IDs and passwords to authorize and authenticate users into their systems. But in many cases, to make them easier to remember, people choose the same credentials for multiple accounts, which means that when any one set of credentials is compromised, it can be used to unlock many other sites and the data assets behind them.
Anticipating this risk, one innovative online brokerage firm, Interactive Brokers, has always required its own new customers to choose usernames with a specific number of non-repeating letters and digits, to make it less likely that a user would simply recycle a username they already had. Doubtless this has increased the company’s overall security, but it has also added significant friction to its new-client user experience, generating frequent complaints from new customers and from the sales reps who were landing these new accounts.
As hackers have become more technically sophisticated, businesses have looked for ever more secure ways of ensuring the safety of their customers’ personal data (and their own corporate data). So today, in addition to usernames and passwords, many financial services firms and others dealing with highly sensitive or valuable data require that their customers confirm their own identities via some type of multi-factor authentication (MFA). MFA may involve asking about some bit of personal knowledge that only the user should know (What’s your favorite pet’s name? What was the brand of the first car you owned?). Other times, MFA might tie a person’s online session to a personal smartphone, email address, or mobile app associated with that person. Before you complete the login to your bank, for instance, they might ask you to accept a message via text or email with an authentication code. Yet another, still more secure form of MFA would be to ask for some sort of biometric ID – perhaps facial recognition or a fingerprint, usually delivered via your smartphone.
The result? More safety to meet this ever-escalating security threat, but at the expense of ever more time-consuming effort and friction in the user experience. Moreover, the steady onward march of technology continues, making it easier to hack multi-factor authentication tools, as well.
The problem, in short, is that the cloud itself presents a giant “attack surface” for hackers. After all, the entire value of the cloud is that it can be accessed and used by all, but anything that is accessible can eventually be hacked, with enough ingenuity, effort and computing power. One effective way to out-maneuver such hacking, in the long term, would be to avoid exposing the authorization and authentication process to the cloud at all.
Enter Circle Security, with their new Credential-Free Authentication (CFA) platform, explicitly designed to provide secure access to cloud data environments without the need for any credentials. Using a decentralized architecture, Circle’s CFA presents zero attack surface in the cloud, and prevents all credential-driven data breaches from your environment, including those resulting from phishing, social engineering, credential loss, etc. Circle’s CFA evolved from the premise that the cloud is inherently exposed and insecure, so any mere software token is still vulnerable to threats from computer viruses, phishing attacks, and “man-in-the-middle” attacks. Using standard public-key cryptography to generate software tokens eliminates some of this risk, but even this doesn’t affect one of their primary vulnerabilities, which is the ability to duplicate such tokens.
But Circle’s CFA has no centralized orchestration engine, eliminating entirely all the vulnerabilities presented by software tokens, credentials, and even multi-factor authentication. CFA’s ability to protect access to the user’s data is based on something the user has (a mobile phone or other device with a Circle key bound to it), something the user is (biometric scanning, both at the available OS level and within Circle), and something the user does (such as signing a challenge with Circle keys that only the user’s devices have).
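The "something the user does" factor above, as an added example that is not Circle's code and makes no claim about how Circle's own protocol works: a generic challenge-response login in Go in which a device-bound Ed25519 key signs a fresh nonce, so the private key never leaves the device and a captured response cannot be replayed. The names Verifier, EnrollDevice, Challenge, Respond and Verify are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
)

// Verifier holds each user's enrolled device public key and one outstanding nonce (illustrative only).
type Verifier struct {
	enrolled map[string]ed25519.PublicKey
	pending  map[string][]byte
}

func NewVerifier() *Verifier {
	return &Verifier{map[string]ed25519.PublicKey{}, map[string][]byte{}}
}
// EnrollDevice creates a device-bound key pair; only the public half is registered, the private half stays on the device.
func (v *Verifier) EnrollDevice(user string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	v.enrolled[user] = pub
	return priv
}

// Challenge issues a fresh random nonce that the device must sign.
func (v *Verifier) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	v.pending[user] = nonce
	return nonce
}

// Respond runs on the device: signing the nonce is the "something the user does" factor; the private key is never sent.
func Respond(priv ed25519.PrivateKey, nonce []byte) []byte { return ed25519.Sign(priv, nonce) }

// Verify accepts a signature only over the pending nonce, then discards it so a captured response cannot be replayed.
func (v *Verifier) Verify(user string, nonce, sig []byte) bool {
	pub, ok := v.enrolled[user]
	want, live := v.pending[user]
	if !ok || !live || subtle.ConstantTimeCompare(nonce, want) != 1 {
		return false
	}
	delete(v.pending, user)
	return ed25519.Verify(pub, nonce, sig)
}
```

Because the nonce is single-use, a phished or intercepted response is worthless a moment later, which is the property a bearer token or password cannot offer.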
In a nutshell, Circle’s protocol:
The result? Circle’s CFA enables the user to switch browsers and devices in a frictionless manner, without the need to re-authenticate, without compromising security or privacy, and without ever entering or remembering any credentials. And given the state of security protections today, this should represent a dramatic improvement in the user experience!
-------
Don Peppers is an advisor to Circle Security, and Phani Nagarjuna is its founder and CEO.
I Help Coaches, Consultants, Speakers, Founders & Business Owners Upgrade Their Personal Brand
2 months ago: Don, thanks for sharing!
Chief Executive Officer, PTZ Zambia. Former Chief Executive Officer at ICTA, Sri Lanka. Former Group Chief Digital Officer, Sri Lanka Telecom Group. Former Group Chief Planning Officer, Sri Lanka Telecom Group
1 year ago: https://www.dhirubhai.net/feed/update/urn:li:activity:7105528572571787266/