Consumer-facing identity systems are vastly different from those used by employees for network access
18 April, 2016
category: Corporate, Digital ID, Financial
Consumers are unpredictable. When it comes to accessing information online, they want it easy and secure, and they want it their way: anytime, anywhere and from any device. Web site operators must be flexible because they need information from these consumers so they can market to them more effectively and ultimately convert them into paying customers.
Giving consumers easy, secure access while also giving web site operators the customer data they want are often competing goals. Social logins and other federated identity models are emerging as the go-to mechanisms for reconciling them, but there is a battle being waged with corporate IT staff.
Forrester’s steps for properly implementing consumer-facing IAM:
- Create a process map. This details how the consumer would interact with the system from account signup to account deactivation including identity verification, device registration, password recovery and reset.
- Enable single sign-on. Let customers use social logins and federate access with SAML or OAuth. One caveat: OAuth 2.0 on its own only authorizes access to an API; a social login that actually asserts who the user is relies on OpenID Connect layered on top of it, or on SAML.
- Think about scale and performance. Is the site having a sale? Is there a certain time of the month where more customers are accessing accounts? Take all of this into consideration, and make sure the system can scale to meet demand.
- Risk-based authentication is a necessity. Use IP-address lookup, device fingerprinting and session velocity (how quickly logins or requests arrive, and whether this login is geographically plausible given the last one) as additional attributes when authenticating a transaction, so that low-risk logins pass without friction and only risky ones are challenged or refused.
- Biometric technologies are coming of age. Fingerprint readers on mobile devices are becoming more common and the reliability of voice recognition is improving.
- Collaborate with the business side. They need to understand why customer-facing IAM is different from employee IAM and that these systems can be a lot more complex than the ones employees use.
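As an added example, not code from the article, Forrester or the vendors quoted, the following Python scorer shows how the risk-based authentication step above can combine the three signals it names: IP-address novelty, device-fingerprint novelty and session velocity (impossible travel plus attempt rate). The weights, thresholds, the customer "alice", the IP addresses, fingerprint hashes and coordinates are all illustrative assumptions.

```python
# Added example, not code from the article, Forrester or any vendor it quotes.
# Minimal risk-based authentication scorer: IP novelty, device novelty and
# session velocity. Weights, thresholds and sample data are assumptions.
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set, Tuple


@dataclass
class LoginAttempt:
    user: str
    ip: str
    device_fp: str   # hash of a client fingerprint, assumed computed elsewhere
    ts: float        # unix seconds
    lat: float       # assumed result of a GeoIP lookup on `ip`
    lon: float


@dataclass
class UserHistory:
    known_devices: Set[str] = field(default_factory=set)
    known_prefixes: Set[str] = field(default_factory=set)   # /24s seen at prior successful logins
    last_ts: Optional[float] = None
    last_lat: Optional[float] = None
    last_lon: Optional[float] = None
    recent_attempts: List[float] = field(default_factory=list)  # timestamps of any attempt


def ip_prefix24(ip: str) -> str:
    """Coarse network key for IPv4; a real system would key on ASN or GeoIP."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km, used for the impossible-travel check."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * r * asin(sqrt(a))


def score_attempt(a: LoginAttempt, h: UserHistory) -> Tuple[int, List[str]]:
    """Return (risk score, reasons); higher means riskier."""
    score, reasons = 0, []
    if a.device_fp not in h.known_devices:
        score += 40
        reasons.append("unknown device")
    if ip_prefix24(a.ip) not in h.known_prefixes:
        score += 20
        reasons.append("unknown network")
    if h.last_ts is not None and a.ts > h.last_ts:
        km = haversine_km(h.last_lat, h.last_lon, a.lat, a.lon)
        hours = (a.ts - h.last_ts) / 3600
        if km / hours > 900:   # faster than a commercial flight: impossible travel
            score += 50
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    in_window = [t for t in h.recent_attempts if 0 <= a.ts - t <= 600]
    if len(in_window) >= 5:    # five or more attempts in the last ten minutes
        score += 30
        reasons.append("high attempt rate")
    return score, reasons


def decide(score: int) -> str:
    """Map a score to an action: allow silently, step up (e.g. one-time code), or block."""
    if score >= 70:
        return "block"
    if score >= 30:
        return "step_up"
    return "allow"


def record_success(a: LoginAttempt, h: UserHistory) -> None:
    """After a successful (possibly stepped-up) login, trust this device and network."""
    h.known_devices.add(a.device_fp)
    h.known_prefixes.add(ip_prefix24(a.ip))
    h.last_ts, h.last_lat, h.last_lon = a.ts, a.lat, a.lon


# Constructed sample history: one customer whose last login came from London.
LONDON = (51.5074, -0.1278)
NEW_YORK = (40.7128, -74.0060)
T0 = 1_460_000_000.0


def sample_history() -> UserHistory:
    h = UserHistory()
    record_success(LoginAttempt("alice", "203.0.113.7", "fp-a1", T0, *LONDON), h)
    return h


def demo() -> List[Tuple[str, int, str]]:
    """Score three constructed attempts against the same history snapshot."""
    h = sample_history()
    attempts = [
        LoginAttempt("alice", "203.0.113.9", "fp-a1", T0 + 3600, *LONDON),     # routine login
        LoginAttempt("alice", "203.0.113.9", "fp-b2", T0 + 7200, *LONDON),     # new phone, same network
        LoginAttempt("alice", "198.51.100.4", "fp-c3", T0 + 1800, *NEW_YORK),  # 30 min later, 5,500 km away
    ]
    out = []
    for a in attempts:
        s, why = score_attempt(a, h)
        out.append((a.device_fp, s, decide(s)))
        print(f"{a.device_fp:6} score={s:3} -> {decide(s):8} {'; '.join(why)}")
    return out


if __name__ == "__main__":
    demo()
```

The friction point the list makes is visible in the thresholds: a customer logging in from a new phone on a familiar network gets a step-up challenge rather than a refusal, while an unknown device on an unknown network that would have required impossible travel is blocked outright.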
Corporate IT staff often think the same identity and access management (IAM) system used by employees to access services can translate to the consumer space, but they are woefully wrong, says Andras Cser, vice president and principal analyst serving security and risk professionals at Forrester Research. “The systems involve different technologies and different performance requirements,” he says. “Customer IAM is fundamentally different from employee IAM.”
An enterprise knows its employees and has vetted them, but customers are unknown, says Suresh Sridharan, senior director of technology and product strategy at Gigya, a developer of customer identity management solutions. “With a customer there is no cycle. They visit anonymously and over time you establish mutual trust as they provide more information,” he explains.
Employee and customer IAM systems also require different personnel during implementation. IT security is necessary to make sure either system is secure, but marketing staff must be involved to make sure a customer-facing system is usable and that the organization can obtain the requisite customer information, Cser says. Also, marketing is usually the department within an enterprise that is paying for a customer IAM system, he adds.
Enabling access
At a basic level both consumer and enterprise identity and access management systems enable access, but that’s where the similarity ends. The consumer side is about the experience and retaining customers while the enterprise side is about reducing risk, Cser says.
An in-house IAM system is owned by IT, and the company can control the device that is used to access information, the web browser and the authentication technologies, Cser says. “You don’t have as much control with consumer-facing IAM,” he adds. “You can’t control the endpoint device or malware controls.”
With employee IAM the company can mandate use. But with consumer-facing IAM, if enterprises restrict devices or browsers or make access difficult, consumers will just leave.
A company can try to limit the browser or other systems used to access a site, but it risks alienating customers if they don’t feel like switching browsers or systems. Likewise, if the site puts too many restrictions in place the consumer will just go somewhere else.
There’s also the question of scalability. Enterprises have a pretty good idea of how many employees will access different systems throughout the day, but consumer web sites need to be prepared for anything. If the site is launching a new video or having a sale it needs to be able to scale up to meet the necessary performance requirements, Cser says.
Privacy is another matter, Cser says. If a system asks for too much information from the start consumers might just leave.
“Customers are fickle, and they have unlimited choice. That means if your customer IAM is frustrating, your customers will just give up,” says Jamie Beckland, vice president of marketing at customer IAM provider Janrain. “Don’t ask for too much data from your customer right away, and don’t force them to jump through unnecessary hoops. Employees have much less choice – if they want to access their email they must conform to over-the-top security policies and draconian password rotations. If you ask the same from your customers, they will just abandon.”
In this age of the data breach a consumer’s information also has to be protected. Enterprises must make sure that all customer information is encrypted to protect them in case of a breach, Cser says.
Marketing leads the charge
The marketing department is the group within an enterprise that chooses the consumer IAM system, says Beckland. They are the beneficiaries of the data these systems capture and thus write the check.
“Typically, we see enterprises starting customer IAM initiatives with their marketing campaign experiences, typically to promote customer engagement through comments, voting, polls and social media,” Beckland explains. “These are quick to deploy, and enable enterprises to start collecting customer data right away. Then, you will want to expand to high-value points for existing customers; these include communication preference centers, support portals and product registration experiences.”
In the end it all comes down to connecting with consumers, says Sridharan. It is a bit of a dance: if consumers feel there is value in what they get from the site, they will connect and register. But this takes time, and consumers can’t be bombarded with registration requests at the start.