Creating frictionless security

03 November 2021

Bert Vanspauwen, Partner at IBM Security Services, sat down with Efma's Kevin Spangenberg to discuss the constant tension between security and user experience. 

As I understand it, this Security Verify solution has been available for a long time, but primarily used internally by companies. What about the technology made it easy to adapt to consumer-facing products?

Bert: We have two sets of technology. One that is typically deployed on premise and in a customer data center environment. That product has been around for a very long time and there are many organizations that have deployed it. Then, under the same label, IBM Verify, is our cloud-hosted solution that offers – and goes a lot further in terms of different authentication options – a customer-facing solution. 

You start with a very limited understanding of the customer and then their journey evolves as you fill in their profile with more details. They start by creating an account and that just requires the basics like an email and password. You don’t want to ask 25 questions at the start and turn them away. But if they start looking at buying something, then you need a shipping address and all sorts of additional information. You want to smoothly grow as they continue to use your service. All of the capabilities are there as a SaaS product. 

We know that consumers have a wide variety of digital touchpoints in their lives. Could you discuss how customer experiences (CX) from other companies impact the type of digital experience a bank tries to produce?

Bert: It makes it more difficult. Before, if you had a good service or something people wanted to buy, you could get away with some front-end complexity. That is rapidly changing because we are so used to having this quick and easy way of consuming services. On social media you log in and everything is transparent, even if there is a lot of security behind it.

As an organization, you really need to think through what type of experience you want to provide. Banking is typically through an online banking application where you can follow your account. Now, banks are using the trust they have created with their customers to become sort of the central platform from which to launch other services. They have your data and your information and are able to use that to be a middleman of sorts, offering a whole world of services. 

To become a services provider in that space is quite an interesting evolution, and it's all due to the fact they have developed this authentication layer and everything around it, so banks are saying, “Why don’t we capitalize on that and make it easier for you and transfer that information to whomever you want to consume services from?”

Does this always become a question of balancing security needs with the desire to reduce friction in digital user interactions? How do you strike that balance?

Bert: The tool is definitely flexible enough to allow any level of authentication. The key discussion typically revolves around the risk appetite for the business. We work together to really understand the challenge from all angles. CISOs see the risk and need to protect the enterprise. The business lines need to make sure they generate business and don’t scare away customers because things feel too heavy. Our tool can be whatever an organization needs it to be.

Finally, do companies – banks, financial institutions, insurers – generally take security as seriously as they should? Or do you believe there is still a long way to go in this space?

Bert: The risk to businesses is definitely growing. As we do more online, it’s easier for malicious actors to try to get involved. Banks in general have been working very hard on their security. They have been very careful in implementing multi-factor authentication. In many countries they have been frontrunners in increasing the security level.

Now, as services differentiate and attackers get more creative, there are other ways upstream to get into a transaction or an account. As more and more things happen in a digital world, and especially everything regarding money, it becomes more difficult to keep your security up to par.  

Consumer Identity Access Management (CIAM) is becoming more important. Banks have gone through a lot of it already but it is now really spreading throughout the economy. It is a very interesting topic to work on and it’s always about the balance between security and usability. Or as we call it, frictionless. 

Could you define what adaptive (or risk-based) access is, how it works, and what sets it apart from previous technologies?

Bert: If you look back at what was the standard in authentication – basically username and password – that has been around for a very long time and it is fundamentally flawed, meaning you have passwords on multiple sites and different password policies, which means that either we use one password across multiple sites or they make it so difficult that we need to write it down.

With adaptive access control, there are a couple of things that come together. You have a multifactor authentication, which is where you use something else other than the password – something you have, something you know, something you are – and if you throw all of that in the mix you can go to a more adaptive access control, which means that we will validate or we will ask for the needed authentication based on where you are going or what you are trying to do. 

If we take a more commercial example, let's say that you have a site that sells services. If you connect to the site and you have been there before, there can be some customization based on the fact that you know the person. You're not showing sensitive information like previous orders and banking data, but let's say that that person wants to do a transaction or wants to look at something they've ordered in the past. At that moment you want to scale up the authentication and you want to actually validate that he really is who he claims to be. This is where you have adaptive access control.

You don’t want a user to jump through hoops just to browse the site. However, the more he wants to do, and the higher the risk profile or type of action, it can be scaled up easily. For someone who wants to enter the HR portal to do a salary change, you need more security than someone who is just looking at the holiday calendar. It’s all about the balance between risk and security. 
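The step-up pattern Bert describes in the last two answers (browse freely, prove more as the action gets more sensitive or the context looks less familiar) can be written down as a small policy engine. The following is an added illustration, not IBM Security Verify code or anything from the interview; the action catalogue, the risk weights, the five-minute freshness window and the signals (known device, new geolocation) are constructed assumptions chosen to make the decisions visible.

```python
"""Toy adaptive (risk-based) access policy engine.

Added example, not IBM Security Verify code. A request is scored from the
sensitivity of the requested action plus contextual anomaly signals, and the
score is mapped to the authentication level the session must already hold.
If the session falls short, the caller is told which level to step up to.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class AuthLevel(IntEnum):
    NONE = 0       # anonymous browsing, nothing proven yet
    PASSWORD = 1   # something you know
    MFA = 2        # password plus a second factor (something you have or are)
    MFA_FRESH = 3  # second factor completed within the last FRESH_WINDOW_SECONDS


FRESH_WINDOW_SECONDS = 300  # constructed value: how recent a second factor must be

# Constructed action catalogue: inherent sensitivity of what the user wants to do,
# mirroring the interview's examples (browsing, order history, HR salary change).
ACTION_SENSITIVITY = {
    "browse_catalog": 0,
    "view_order_history": 2,
    "place_order": 3,
    "change_salary_details": 5,
}


@dataclass(frozen=True)
class RequestContext:
    action: str
    known_device: bool                    # device seen before for this account
    new_geolocation: bool                 # location never seen for this account
    session_auth: AuthLevel               # strongest auth completed so far (NONE..MFA)
    mfa_age_seconds: Optional[int] = None  # seconds since the last second-factor check


def risk_score(ctx: RequestContext) -> int:
    """Combine action sensitivity with anomaly signals into one integer score."""
    base = ACTION_SENSITIVITY.get(ctx.action, 5)  # unknown action: treat as highly sensitive
    if base == 0:
        return 0  # public content: who or where the visitor is does not matter
    score = base
    if not ctx.known_device:
        score += 2
    if ctx.new_geolocation:
        score += 2
    return score


def required_level(score: int) -> AuthLevel:
    """Map a risk score onto the minimum authentication level that must be held."""
    if score == 0:
        return AuthLevel.NONE
    if score <= 2:
        return AuthLevel.PASSWORD
    if score <= 4:
        return AuthLevel.MFA
    return AuthLevel.MFA_FRESH


def effective_level(ctx: RequestContext) -> AuthLevel:
    """What the session actually proves right now; freshness is derived, never asserted."""
    level = min(ctx.session_auth, AuthLevel.MFA)
    if (level >= AuthLevel.MFA and ctx.mfa_age_seconds is not None
            and ctx.mfa_age_seconds <= FRESH_WINDOW_SECONDS):
        return AuthLevel.MFA_FRESH
    return level


@dataclass(frozen=True)
class Decision:
    allowed: bool
    required: AuthLevel
    step_up_to: Optional[AuthLevel]  # level to prompt for when not allowed


def decide(ctx: RequestContext) -> Decision:
    """Allow the request outright, or name the authentication level to step up to."""
    required = required_level(risk_score(ctx))
    held = effective_level(ctx)
    if held >= required:
        return Decision(True, required, None)
    return Decision(False, required, required)


if __name__ == "__main__":
    # Constructed requests walking up the sensitivity ladder.
    samples = [
        RequestContext("browse_catalog", False, True, AuthLevel.NONE),
        RequestContext("view_order_history", True, False, AuthLevel.PASSWORD),
        RequestContext("view_order_history", False, False, AuthLevel.PASSWORD),
        RequestContext("change_salary_details", True, False, AuthLevel.MFA, 60),
        RequestContext("change_salary_details", True, False, AuthLevel.MFA, 3600),
    ]
    for ctx in samples:
        d = decide(ctx)
        print(f"{ctx.action:24s} score={risk_score(ctx)} -> "
              f"{'allow' if d.allowed else 'step up to ' + d.step_up_to.name}")
```

The design point is that freshness is computed from the timestamp of the last second-factor check rather than stored as a session flag, so a long-lived MFA session still gets re-prompted for the HR salary change while order history on a known device goes through on a password alone.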

(Note: Stay tuned for an interview with IBM's Adaptive Access expert in the coming weeks)

If you want to go deeper on CIAM, check out CIAM for Dummies, an excellent primer on the topic. 
