Pirean was a proud sponsor of the FST Future of Security events in Melbourne (March 7) and Sydney (March 9). Guillaume Noé, General Manager for Pirean in Australia and New Zealand, had the privilege of hosting Think-Tank sessions on Consumer Digital Identity Management. The Think-Tank aimed to address how efficient and attractive consumer identity management practices can boost the adoption of online services (web and mobile apps). The following questions provided a starting point for the Think-Tank discussions:
- What are the consumers’ expectations with regards to their online identity and access management?
- How well do identity and access management, time-to-market objectives and user experience currently come together for consumer online services?
- How can online services adoption be boosted through winning consumer identity and access experiences?
Noé was joined by the following two senior financial industry representatives and guest speakers: Dr Chris Rathborne, Chief Digital Information Officer, in Melbourne, and Phillimon Zongo, published author and cyber security advisor, in Sydney.
During the Think-Tank sessions, Chris Rathborne and Phillimon Zongo first introduced the subject of consumer digital identity management, in Melbourne and Sydney respectively. They shared their personal and professional insights into the subject, and reported the results of their individual research to a very keen audience.
The delegates who joined us, across 6 sessions, then engaged in a very open discussion. The subject of consumer digital identity management was very relevant to all the delegates on both personal and professional accounts. All delegates were web-banking users. All but one were regular online retail shoppers. They all worked for organisations providing some consumer online services. They were all information security savvy. Most delegates agreed that we can now offer secure and password-less authentication solutions for consumers. A few delegates also bravely admitted not having changed their web-banking passwords for quite a long period of time, some of them for more than 10 years.
The following sections provide a summary of the key points discussed during the Think-Tank, most of which were brought by the delegates themselves.
Consumer Digital Identity Management
Managing consumer digital identities is about efficiently connecting people with online services such as web-banking or online-retail applications through web browsers or mobile applications. Such connections typically involve managing key functions such as identity enrolment (i.e. registering a new user with the application), access (i.e. authentication and authorisation) and other functions such as password reset, changing security preferences and terminating accounts.
A speaker, a CISO, commented in his FST presentation on the relationship between customers and security:
- “Our customers expect us to be open and transparent on security, and to make security easy for them.” – “We have a role to demystify security to our customers”
- “Clients want to know how secure they are and they want options for security. They have their preferences for authentication.”
According to Phillimon Zongo and his research, businesses have a lot at stake in best managing consumer digital identities. Businesses can satisfy, dissatisfy, lose, gain and retain online customers depending on how they manage digital identities. Zongo refers to a 2016 McKinsey report highlighting:
- “the cost of consumer online authentication-related inconvenience”, such as through “security fatigue” due to password complexity and forced password resets, and
- the opportunity in increasing digital usage by up to 20% when the authentication is deemed “easy” by the consumers.
Chris Rathborne provided a captivating observation on consumer demographics and the different appreciations and expectations people develop for security preferences based on their socioeconomic and cultural backgrounds. He first took the example of his teenage daughter, who will soon become an active online consumer. Her digital identity will soon be managed by a bank and by many other service providers. She was born in a cyber hyper-connected world where she openly shares online a lot about who she is and what she does. For her, security is more of a transparent or hidden concept. She doesn’t need or want to see security to build trust towards a service. She doesn’t want anything in the middle of her doing her online business. Chris then brought another personal example, referring to the Eastern European cultural background he shares with his wife and the strong need to see security in order to believe in it and develop a feeling of trust towards a service.
Consumers develop digital trust differently and they have their preferences.
Noé makes an analogy between using an online service for the first time and meeting somebody for the first time. People form a first impression in both cases based on a wide range of signals. When people meet for the first time, it is about how they present, what they say and how they say it, for example. Similarly, when consumers access an online service or an app for the first time, their interaction typically starts with an identity enrolment and an authentication, and it is about how the enrolment and access flows present themselves, what they do and how they do it. The first impression can range from good to bad. The impression also develops over time and influences the way consumers adopt the service. For instance, some consumers may refrain from using a service more often if access to the service is not great for them from the beginning. Digital identity management creates a first impression that influences the uptake of online services and apps.
Financial services providers rely on the efficient consumption of their online channels to satisfy their customers and remain competitive. Such consumption is subject to the conundrum of the secure user experience, which Zongo refers to as “efficiently balancing usability and security”. The challenge is about securing transactions well enough while providing a satisfying user experience from the first interaction a user has with a service. The following sections provide an extract of key input provided by the delegates during the Think-Tank sessions.
The double-edged risk of the consumer security choice
Most delegates supported in principle the idea of providing some level of choice to their consumers, granting them the option to choose their preferred authentication method within some constraints. For example, some users could authenticate with a username and a password, a biometric or an SMS passcode at their discretion. They could also be less constrained by password policies (e.g. allowed to use weaker passwords, with no periodic password change mandated).
However, providing a choice may come at some extra risk to the service provider and to the consumer. Consumers can make ill-informed choices, such as using weak passwords that could result in their accounts being compromised. Who is then responsible for the increased risk? Most delegates certainly believed the service provider was most at risk, on both financial and reputational accounts. During the conversation, certain delegates came to question their support for offering a choice. In one of the sessions held, the opinion of the group even shifted noticeably against providing a choice.
To put the risk of the security choice in perspective, Noé shared a personal story of his experience with his first Australian bank. The online banking website relied on a virtual keyboard, scrambling the order of the keys every time, to input a web access code to authenticate. The bank probably thought it was a very secure option for their consumers. However, Noé found it very clunky and annoying. It was not easy to use. Security was an obvious, challenging step in the middle of application access. Noé’s dissatisfaction developed from his first interaction with the app and increased every time he logged in. Noé later switched banks for better financial services benefits, and the poor authentication experience he had had weighed in on, and contributed in part to, his decision to switch.
Security professionals should also ask what the risk to client retention is. The usability of application access and the consumers’ feelings towards it cannot be ignored, because they can have a real business impact. Consumer Digital Identity Management can deliver a business differentiation when efficiently implemented.
Managing the extra consumer risk
User driven adaptive security
A delegate shared the idea of considering a user-driven adaptive security model to better manage the extra risk incurred when providing users with security choices. The model would explicitly show the user the trade-off between the security of their login and the scope of transactions authorised, and would let users make their own choices based on that trade-off. Through that model, users directly manage the usability vs security setting themselves, for example:
- Strong security & lesser usability: login with strong password and a second factor of authentication: can transact directly up to $20,000
- Weak security & better usability: login with a weak password only: can only transact up to $500
The discussion on the suggested model also included considerations for forced step-up authentications and leveraging user behaviour analytics as compensating security controls to other weaker controls (e.g. weak password).
Consumer security awareness
A common consideration came up in all the Think-Tank sessions we held. It concerned consumer security awareness and its importance when giving consumers further security choices. Are consumers well equipped to make the best of their security choices in web-banking applications?
A delegate made an analogy with the driving licence, which certifies a minimum capability to drive for the safety of the driver and the safety of everybody else on the road. Similarly, a concept of cyber licence or “web-banking licence” could apply. The following question came up: “What is a financial services provider’s responsibility in raising cyber awareness among their customers?” Would a bank enforce a minimum level of security awareness? Should they promote the subject actively? Would they offer some online training to their customers?
An idea of reward then came up. The idea was to reward customers who voluntarily opted to undertake some awareness training, possibly with an evaluation check at the end. The reward could include being allowed choices for security, receiving a loyalty program award voucher or a product discount.
User Behaviour Analytics
User Behaviour Analytics (UBA) was discussed at several Think-Tank sessions, as an additional security control and as a compensating security control to offer users flexibility and security choices. For example, a banking mobile application could rely on a short PIN or on fingerprint authentication and trigger an authentication step-up when deviating from a typical usage behaviour.
A delegate also shared a personal experience of receiving a mobile banking app notification on his mobile phone while at an international airport in Australia. The mobile app detected that the consumer was located at an international airport and automatically notified him with a message along the lines of: “Heading overseas? Would you like to enable the overseas travel feature?”. The feature enabled some security constraints. The delegate reported a very positive user experience with the function. He felt looked after by it.
Privacy considerations were also discussed when collecting and processing user behavioural data.
Devices such as mobile phones, tablets and laptops are an important part of consumers’ digital identities. Consumers may perform regular web-banking operations from multiple devices, and they may occasionally use a new device. A delegate reported his experience with a South African bank, which also sells “smart devices” to its clients (as a reseller) and has reportedly implemented a comprehensive device linking management and verification solution. That solution limits access to banking services from “unverified” or irregular devices and, importantly, provides very good visibility of all transactions to consumers, who can promptly identify and report fraudulent transactions.
It is critical to efficiently manage consumer devices to improve security and offer a better usability.
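The user-driven adaptive model, the step-up and behaviour analytics discussed as compensating controls, the device-linking check and the overseas travel feature all feed one back-end decision: may this payment proceed, must the customer prove more first, or is it refused? The following Python policy check is an added illustration of how those pieces compose; it is not code from the Think-Tank, Pirean, or any bank. The factor labels, the intermediate 5,000 AUD tier, the profile fields and the sample customer are all assumptions made for the example.

```python
"""Toy transaction-authorisation policy for a web-banking back end.

Constructed example: it combines the user-chosen assurance tier from the
"user driven adaptive security" model with device-linking and behavioural
signals used as compensating controls, and decides ALLOW / STEP_UP / DENY.
Every threshold, label and profile field is an assumption made for this
illustration, not any bank's real policy.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"      # the payment may proceed
    STEP_UP = "step_up"  # challenge for a second factor, then call authorise() again
    DENY = "deny"        # cannot be authorised in this session


@dataclass(frozen=True)
class Session:
    """What the current login has proven so far (factor labels are constructed)."""
    user_id: str
    factors: frozenset   # subset of {"password_weak", "password_strong", "second_factor"}
    device_id: str
    country: str         # geolocation of the current request


@dataclass(frozen=True)
class Profile:
    """What the bank already knows about the customer (constructed)."""
    user_id: str
    linked_devices: frozenset
    usual_countries: frozenset
    has_second_factor: bool    # an OTP or biometric is enrolled and can be asked for
    travel_mode: bool = False  # the "overseas travel feature" from the airport anecdote


def transaction_limit(factors):
    """Per-transaction limit (AUD) bought by the assurance the customer chose.

    The top and bottom tiers are the two quoted at the Think-Tank. The middle
    tier (a weaker login later backed by a second factor) is an assumption;
    a password-only login gets the bottom tier whether the password is strong
    or weak, since the text only distinguishes "strong password + second factor".
    """
    if {"password_strong", "second_factor"} <= factors:
        return 20_000
    if "second_factor" in factors:
        return 5_000
    return 500


def _challenge(profile, reason):
    """Step up if the customer has something to step up with, otherwise refuse."""
    if profile.has_second_factor:
        return Decision.STEP_UP, reason
    return Decision.DENY, reason + " (no second factor enrolled)"


def authorise(session, profile, amount):
    """Return (Decision, reason) for a payment of `amount` AUD in `session`."""
    stepped_up = "second_factor" in session.factors

    # Compensating controls: a weak login is tolerated until the context looks
    # unusual. A second factor already proven in this session covers both checks.
    if not stepped_up:
        if session.device_id not in profile.linked_devices:
            return _challenge(profile, "request from an unlinked device")
        if session.country not in profile.usual_countries and not profile.travel_mode:
            return _challenge(profile, "request from an unusual country")

    limit = transaction_limit(session.factors)
    if amount <= limit:
        return Decision.ALLOW, f"within the {limit} AUD limit"
    if stepped_up:
        return Decision.DENY, f"exceeds the {limit} AUD limit even after step-up"
    return _challenge(profile, f"exceeds the {limit} AUD limit")


def complete_step_up(session):
    """Session after the customer passed the second-factor challenge."""
    return Session(session.user_id, session.factors | {"second_factor"},
                   session.device_id, session.country)


if __name__ == "__main__":
    # Constructed customer: one linked phone, normally transacts from Australia.
    alice = Profile("alice", frozenset({"phone-1"}), frozenset({"AU"}), has_second_factor=True)
    weak_login = Session("alice", frozenset({"password_weak"}), "phone-1", "AU")
    for amount in (200, 800):
        decision, why = authorise(weak_login, alice, amount)
        print(amount, decision.value, why)
        if decision is Decision.STEP_UP:
            decision, why = authorise(complete_step_up(weak_login), alice, amount)
            print(amount, "after step-up:", decision.value, why)
```

The point the delegates raised is visible in the last branch of `_challenge`: a customer who opted out of enrolling a second factor has nothing to step up with, so the same unusual device or over-limit payment that would merely prompt a verified customer becomes a hard refusal. Enabling `travel_mode` before the trip, as the airport notification offered, is what keeps the location check from firing on every overseas purchase.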
Delivering secure and good user experience altogether
Financial services providers have embraced Customer eXperience (CX, or User eXperience – UX) as a focus for digital transformation, a business differentiation and a critical element to their customer engagement, satisfaction and retention.
In Australia, there are increasing reports of financial organisations leading consumer app security discussions, innovation and design activities under CX/UX leadership rather than security team leadership. Heads of CX are also now reported to engage directly with some security vendors to discuss first-hand the user experience options that security offers.
A speaker, a CISO, commented in his FST presentation that “The role of security is to provide the business with a self-service and agile security, and to monitor it.”. In the context of Consumer Digital Identity Management, the role of the security team is becoming more one of internal support and guidance to the CX and business teams, who are leading the functional security discussions.
A delegate from a large bank shared with one Think-Tank group the close collaboration that has developed between the CX and the Security teams. The collaboration has been a key to enable the convergence of usability and security for the bank’s consumers.
Noé shares further thoughts on the subject in a recent article: The feeling of digital identity management.
Speakers
Guillaume (Gui) Noé, General Manager, Pirean Australia & New Zealand
Gui is a Cyber Security Advisor with a passion for Identity and Access Management, Customer eXperience, Security, Privacy and Technology in both business and personal contexts.
He is the General Manager for Pirean in Australia & New-Zealand. He leads Pirean’s business development in the region with a focus on securely connecting people and technology while providing great user experiences.
Gui’s experience in IAM & Security also includes: IAM core product development (IBM R&D Labs), Security & IAM solutions delivery (IBM Services & Queensland Treasury Corporation), Cyber Security & IAM Strategic Advisory (Deloitte Director) and General Manager of Telstra’s Security Consulting Practice. He is also a keen presenter and blogger on Security at guinoe.com.
Dr Chris Rathborne, Chief Digital Information Officer, Insurance House Group
Chris began in the financial services industry before moving into eBusiness, and has been covering the digital space for some time now. It all started with the Vic 20 and Commodore 64, where he learned to program and developed a love for technology.
He worked through the ranks of a couple of the major insurance businesses as the first websites began to emerge and online insurance commerce propositions developed. Surrounding himself with some of the most interesting and innovative thinkers from all over the world and some of the best educational facilities, he became a natural innovator. One of his biggest educational achievements was completing a Doctorate of Information Systems, with his thesis on the impact of social media on modern consumer choice.
An opportunity arrived when he got the chance to build a new digital team at RACV, including strategy development and execution and a major $18m project to develop RACV’s Membership Online portal, from the preparation of the business case through vendor selection and project management. He selected a first-class digital team to work with, which stayed together for 7 years. While running this major project to give 2 million members access to online products, he also developed many mobile strategies, applications and websites using many digital technologies and new, innovative ways to deliver content across multiple platforms.
In May 2016, Chris joined Insurance House Group, one of Australia’s largest privately owned insurance brokers. He now oversees not only the group’s technology operations, but also the marketing and analytics teams. Working with the new group, Insurance House is pushing forward on DevOps and Agile in an environment that is bringing together a number of key parts of the business under the Technology hat to deliver services to the business and customers.
Phillimon Zongo, Senior Cyber Security Consultant & Published Author
Phillimon Zongo is a Senior Cyber Security Consultant. He is the winner of ISACA Sydney’s first ever Industry Best Governance Professional award (2016), a recognition of the thought leadership he is contributing to the technology risk and cyber security profession. Phillimon’s thought leadership on cloud computing, artificial intelligence and robotics has been published in the ISACA International Journal, distributed to more than 180 countries. He has more than 12 years of technology risk consulting experience, advising senior business and technology stakeholders on how to manage critical risk in complex technology transformation programs.