The FIDO (‘Fast IDentity Online’) Alliance (an industry association) recently announced new standards in identity verification, adding to the security that online retailers can offer to their customers. However, these systems need to be customer friendly. Data shows that cart abandonment rate averaged 75.6 percent in 2018. This emphasizes the need for a frictionless customer experience.
Despite the numerous security benefits that FIDO can have for an online retailer, many online retailers choose to not implement FIDO Authentication since the issues caused through upfront authentication of a customer’s identity can lead to a lower customer experience, which can affect a company’s revenue. Yet choosing to not implement FIDO Authentication can lead to several security and privacy implications for consumers.
In assessing how to overcome this, retailers need to realize that there should not be a one-size-fits-all identity authentication process, according to Ben Goodman, CISSP and senior vice president of global business and corporate development at ForgeRock. Goodman discusses with Digital Journal how financial organizations can leverage this approach to deliver a superior user experience while addressing privacy concerns and adhering to regulations.
Digital Journal: How widespread are cyber issues for online services, such as retail?
Ben Goodman: In 2018, more than 2.8 billion consumer data records were exposed from 342 breaches for an estimated total cost of more than $654 billion to businesses. Retail was only targeted seven percent of the time, while 48 percent of incidents affected healthcare organizations — four times the number of breaches of any other industry. The massive amounts of sensitive personally identifiable information (PII) hosted by healthcare organizations make them a highly attractive target for cybercriminals.
However, online retailers should remain wary of cyberattacks as PII like payment card information, login credentials, addresses and more can be invaluable for a hacker that wishes to obtain unauthorized access to other accounts, make fraudulent purchases or even sell this data on the dark web. Disruptive digital businesses collect more PII in order to do things like personalization to improve the customer experience, however this makes those businesses enticing targets.
DJ: What security breaches have occurred due to credential stuffing attacks in 2019?
Goodman: A recent report from Akamai found hackers made 30 billion attempts at credential stuffing attacks in 2018. Users tend to reuse login credentials across multiple accounts and often do not enable multi-factor authentication. This, when paired with the raw volume of breaches that included exfiltration of credential information alone have made credential stuffing attacks a simple, yet easy way for threat actors to obtain unauthorized access to sensitive accounts in efforts to quickly flip the stolen personally identifiable information on the dark web or even steal an identity themselves.
In fact, Dunkin’ Donuts announced in February 2019 it had been victimized by its second credential suffering attack in three months.
DJ: What does FIDO do?
Goodman: The Fast Identity Online (FIDO) Alliance was formed in July 2012 to address the lack of interoperability among strong authentication technologies and remediate the issues individuals face with creating and remembering multiple usernames and passwords. The Alliance developed FIDO Authentication standards based on public key cryptography that is more secure than passwords, easy for consumers to use and simple for companies to deploy. FIDO Authentication enables password-only logins to be replaced with a variety of secure, yet quick login experiences across websites and applications.
DJ: Why is this form of authentication important?
Goodman: People tend to use the same email addresses, usernames and passwords across most personal, and even professional accounts. If any one of these businesses entrusted with this data were to be breached, a threat actor would be able to obtain unauthorized access to many other accounts belonging to that victim, even sensitive healthcare, financial and government related profiles.
DJ: How can companies secure data? How can FIDO be designed to be secure and hassle free for the customer?
Goodman: Retailers must realize that there is not a one-size-fits-all identity authentication process, and that these technologies are evolving over time with new authentication modalities introduced constantly. Unknown users should require elevated levels of authentication depending on the sensitivity of data they are trying to access, while known users should be fast-tracked through the buying process.
To introduce as little friction as possible, while still authenticating users’ identities with FIDO, retailers should leverage customer identity and access management (CIAM) strategies and build users’ profiles through progressively building profiles over time. CIAM utilizes adaptive security intelligence to allow organizations the ability to secure the identities of customers, devices, services and connected things. CIAM approaches can also leverage FIDO as well as a massive library of FIDO enabled authenticators to offer data-driven insight to allow businesses to continuously improve and secure the customer journey by measuring user login analytics, user interactions and devices used across services and apps.
As 87 percent of consumers will take their business elsewhere if they feel their data is not being handled responsibly, it is imperative to have some measures, such as CIAM, in place to protect customers’ information.
