Frictionless Access Management - Myth Or Reality?
17 November, 2021, by Natasha Free
Vendors often talk about “frictionless” access but what does this really mean and is it possible?
We all want online services that are easily accessible. We don’t want too many difficult challenges or any access experience that takes longer than a few seconds. If the process is frustrating then a customer may abandon their attempt to engage and look elsewhere, or worse, attempt to circumvent the whole process!
Anything which makes life harder for an end user can therefore be described as adding friction to the process.
UX v Security
How do we handle the need for a frictionless user experience with the need to constantly verify that the user is who they say they are, or who we think they are?
Often, the answer to this question comes down to a number of factors:
- The level of risk the business is comfortable with
- The regulatory requirements that have to be met
- The level of authentication that is acceptable
- The human factor
Whether you are providing a B2C or B2P service, it is absolutely critical that you know who you are engaging with and that you can continuously validate this. While constant validation may be cumbersome and painful, there can be times when such blockers are desirable. As an example, we are comfortable with the fact that our banks are constantly putting barriers in the way of our access and this gives us comfort that they are taking our security seriously.
Those barriers, however, have traditionally been things like ‘tell us your password, again’ or ‘give us the 4th and 6th characters of your teenage sweetheart's middle name’. Remembering and storing all the credentials or authentication information we need to go about our daily lives isn't just hard, it's impractical given the number of services we engage with.
So, it’s all about balance. Each organisation needs to find their ‘Goldilocks’ solution – not so easy it’s unsafe, nor so hard that the user abandons all hope of ever getting in. This requires a tool with the flexibility to adapt to changing authentication requirements within an organisation, and the organisation to have very well thought through use cases.
Smartphones have revolutionised access management, but they are not the answer to everything. Believe it or not, not everyone has a smartphone. In addition, in all the years we’ve been doing this there have been some interesting use cases where smartphones are not allowed in the workplace – laboratories, financial institutions, government offices, and military sites spring to mind.
What about biometrics, I hear you say? Again, this requires the user to have access to a device that is enabled for biometrics. Not all smartphones meet this criterion yet, and older laptops/desktops will likely lack the required hardware to support biometric verification. On top of that, we also need to consider whether adoption rates will be high amongst users. I can’t help thinking that analysts are being optimistic when they say that by 2022, 70 percent of organizations will be using biometric authentication for employees via smartphone apps. I’m not sure smaller organisations will be willing to take on the expense, or that users will trust organisations and devices to look after their biometric information properly.
Given all this, the adoption of FIDO2 compliant devices seems like a good alternative. These have the advantage of reducing the cost to the service provider and offering an easy alternative to password access.
FIDO is a set of open standards and technology focused on interoperability, providing strong authentication based on PKI (Public Key Infrastructure) for encryption and certificate management. The use of FIDO2 can be enabled as a passwordless means of authentication or as a second factor.
Although all new smartphones and PCs now have built-in FIDO2 platform authenticators, the user does not necessarily need one of these in order to leverage the technology. Any compatible device can be used as an external ‘key’, giving you portable authentication. This could be something as simple as a USB device. Of course, many organisations will want to limit what can be used, and an effective registration process should allow the admin to restrict devices to those that present attestation certificates signed by a chosen authority.
If you want the functionality to appear seamless to the user, then there are new ways to leverage machine learning to provide fully adaptive access. This can be as simple as requesting step-up authentication when a user tries to access applications that enable “riskier” transactions, or it can cover a whole raft of user metrics. This requires collecting and storing a lot of data, most of which will be classified as personal data, which comes with all the compliance requirements and the cost of securing access to that data. Is it frictionless? To an extent, but we will always need something for those higher risk transactions.
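To make the adaptive-access idea concrete, here is an added example (not from the original post, and not any vendor's engine) of the simplest form it takes: a policy that turns a handful of request signals into a score and decides whether to allow, step up to a stronger factor, or deny. The signal names, weights and thresholds are assumptions chosen for illustration; an organisation would tune them to its own risk appetite, and a machine-learning model would replace the hand-written weights with learned ones while keeping the same allow / step-up / deny outcome.

```go
package main

import "fmt"

// Signals are the facts available to the decision for one access request.
// The set is an assumption for this example; real deployments collect many more.
type Signals struct {
	NewDevice        bool    // authenticator/device not seen before for this user
	ImpossibleTravel bool    // location inconsistent with the previous session
	Sensitive        bool    // action touches data or settings the business rates high risk
	TransactionValue float64 // monetary value of the action, 0 for plain reads
}

// Decision is the outcome handed to the access layer.
type Decision int

const (
	Allow  Decision = iota // proceed with the session as it stands
	StepUp                 // require a second, stronger factor before proceeding
	Deny                   // refuse and raise for review
)

func (d Decision) String() string {
	return [...]string{"allow", "step-up", "deny"}[d]
}

// Policy holds the thresholds an organisation tunes to its own risk appetite.
type Policy struct {
	StepUpValue float64 // transaction value above which step-up is always required
	StepUpScore int     // score at or above which step-up is required
	DenyScore   int     // score at or above which the request is refused outright
}

// DefaultPolicy returns illustrative thresholds (assumed values, not a recommendation).
func DefaultPolicy() Policy {
	return Policy{StepUpValue: 1000, StepUpScore: 4, DenyScore: 8}
}

// Score adds a weight for each risk signal present and returns the total together
// with the reasons, so the decision can be logged and explained to the user.
func (p Policy) Score(s Signals) (int, []string) {
	score := 0
	var reasons []string
	if s.NewDevice {
		score += 2
		reasons = append(reasons, "new device")
	}
	if s.ImpossibleTravel {
		score += 4
		reasons = append(reasons, "impossible travel")
	}
	if s.Sensitive {
		score += 3
		reasons = append(reasons, "sensitive action")
	}
	return score, reasons
}

// Decide maps the score and the transaction value onto an outcome. High-value
// transactions always step up regardless of score: that is the "something" the
// post says will always be needed for higher risk transactions.
func (p Policy) Decide(s Signals) (Decision, []string) {
	score, reasons := p.Score(s)
	switch {
	case score >= p.DenyScore:
		return Deny, reasons
	case score >= p.StepUpScore:
		return StepUp, reasons
	case s.TransactionValue > p.StepUpValue:
		return StepUp, append(reasons, "high-value transaction")
	default:
		return Allow, reasons
	}
}

func main() {
	p := DefaultPolicy()
	// Constructed sample requests.
	for _, s := range []Signals{
		{},
		{TransactionValue: 5000},
		{NewDevice: true, Sensitive: true},
		{NewDevice: true, ImpossibleTravel: true, Sensitive: true},
	} {
		d, why := p.Decide(s)
		fmt.Printf("%-8s %v\n", d, why)
	}
}
```

The point of returning the reasons alongside the decision is that adaptive access is only defensible if every step-up or denial can be audited and explained, which matters all the more given the personal data such a system has to collect.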
The key to a seamless access journey is preparation:
- Know your customer
- Know your use cases
- Have a great registration process that will allow flexibility later on
- Find a tool that enables multiple and adaptable authentication mechanisms
- Do not underestimate the power of change management and user education
Frictionless is always going to be subjective, and businesses will always need to balance quality of user experience with security needs. However, in the real world a ‘one size fits all’ approach is rarely optimal, so it makes sense to invest in tools that offer flexibility and align with a broad range of use cases.
That way you get more bang for your buck and your users are happy because they get to choose the best authentication option for them instead of being forced into using something they don’t want to.