Good morning, good afternoon, or good evening. Thank you for joining this webinar. Today's webinar is on how to get rid of the password and increase your safety affordably, and it is supported by LoginRadius. I'm John Tolbert, Lead Analyst for KuppingerCole, and I'll be joined today by Deepak Gupta from LoginRadius. So before we launch into it, a little bit about us: KuppingerCole is an international analyst firm. We have three major business areas, research, advisory, and events, and we focus on three major areas: IAM, cybersecurity, and AI.
With regard to research, we have four major formats. We do our Leadership Compasses, which are big comparative reports on specific market segments, where we rate different products and provide a one-page overview of each one. We do Executive Views, which are in-depth analyses of particular products or services, and we always end with a strengths and challenges section.
Advisory Notes are research papers that dive into a technology area, not necessarily about specific products, but about what is on the horizon and what businesses and other organizations need to be thinking about.
And then lastly, we have Leadership Briefs, which are shorter papers that really cut to the chase and talk about very specific technical matters and what executives and IT teams need to know to address those specific challenges. On our advisory work, we do strategy assessments, which help organizations define their strategies and give them roadmaps, timelines, and portfolio.
It's an analysis of the IT, IAM, cybersecurity, or AI portfolio that they currently have, where they want to be, and then we help them with the transition. Tech Compass is requirements analysis, building up the use cases, defining the criteria. Then we also do tools choice or RFP shortlist, and then Project Compass, which is helping organizations to execute on those strategies and portfolio changes, and technology sessions where necessary. On the event side, we've got a number of events coming up. We have Digital Finance World and Blockchain Enterprise Days coming up in September in Frankfurt.
We have Consumer Identity World also at the end of September in Seattle, and then again in October in Amsterdam. We have the Cybersecurity Leadership Summit and Cyber Access Summit in November in Berlin. We have the CyberNext Summit, another cybersecurity conference, in Washington, DC in October, and then AI Impact at the end of November in Munich.
So for the webinar here, we will be recording, and the slides will be available tomorrow, as will the recording. Everybody's muted already. If you want to ask questions, there's a question blank in the GoToWebinar control panel; you'll see it usually over on the right, and you can type your questions in at any time and we'll take them at the end. So I'll start off and talk about what we see as far as consumer expectations for authentication, and then what businesses need specifically for consumer identity and access management. Then I'll turn it over to Deepak, and we will take those questions at the end.
So I wanted to lead off by talking about risk-adaptive authentication. This is where we believe the industry is really moving for most consumer-facing use cases. We'll drill down into this in quite a bit more detail in the hour ahead, but it really starts with an analysis at runtime.
It's more than just an initial login. It has to be an intelligence service that's based on intel that you receive around threats and various fraud intelligence subscription services. It has to be policy-based so you can match the right level of authenticator or authorization process to the risk level. And then lastly, it really needs to be interoperable with your other IAM solutions like identity governance and lifecycle, and then SIEM or security analytics tools.
So what do consumers want? I think it's pretty clear.
We would rather not have to deal with passwords, as I'm sure you're all aware. We see statistics all the time about how many data breaches are caused by guessed passwords, hacked passwords, and whatnot. So there are a variety of different kinds of authenticators out there, but like here in the center, these so-called security questions or knowledge-based authentication are not really a good alternative to passwords. In many cases, it's much weaker. But you see you've got different kinds of hard tokens, different kinds of biometrics, and app-based authenticators.
What do businesses need for authentication? Probably first and foremost, they want to minimize their fraud. So that means a transaction-level analysis wherever appropriate, and really for every single transaction if possible. And it is possible technically today. Next we have regulatory compliance. Maybe it's not necessarily what businesses want, but what they have to do. And in some cases, like PSD2, it actually mandates strong customer authentication. And as I was just saying, it has to be risk-appropriate.
And by this, we mean only introduce friction into the customer journey when it's needed. So you've all probably been on websites that require you to re-enter your password more often than you think is necessary. And it probably is more often than necessary, because there are other technical means we can use to get a better sense of the assurance for both the identity and the prior authentication event.
There are security policies that can sometimes be over and above specific regulatory compliance requirements, especially for organizations that operate in multiple jurisdictions.
Sometimes companies will build security policies that are sort of an amalgamation of those different regulatory requirements, and may even in some cases be more restrictive, or at least as restrictive as the most restrictive of the regulations they have to comply with. Ease of use:
It's always important to make sure that regardless of what you have to do, it's got to be somewhat user-friendly in order to maintain your business. And the better customer experiences really do yield more and more frequent customers.
And then lastly, businesses have to be aware that there's a variety of tech in the field. A lot of times we'll talk about using phone-based authentication options, but not every user has the latest model smartphone. So you can't necessarily build to whatever the latest and greatest is if you want to be able to include your entire user base.
So on the risk mitigation side, we do this because cybercrime takes an incredible bite out of revenue. In 2015, it was estimated globally that 3 trillion was lost to cybercrime, and that number is expected to double by 2021. Cybercrime is a growth industry, unfortunately.
So what kinds of fraud do most organizations have to deal with? I think we can start with four major types here. New account fraud: this is often where you hear about things like identity theft; people pick up PII and then try to register and get new accounts.
One nefarious use case for this would be to steal an identity and create, or try to create, a new bank account with somebody else's identity info. And then the cybercriminals will use that as a way to dump their ill-gotten gains from their cybercrime activities and then get access to the money. Account takeover fraud: this would be exactly what it sounds like. Credential stuffing attacks, trying to get lists of credentials and hit various service providers to be able to access, generally, money.
I hear a lot these days about things like hitting frequent flyer programs to try to drain those accounts, or other kinds of reward programs. Then we have more traditional insider error or fraud, which is exactly what it sounds like.
People on the inside trying to take money that they shouldn't be. And then also ATM transaction skimming, still going on a lot out there. On the trend side,
We do see many organizations that are moving away from just username and password. These options that we see in the middle we'll dive into in a bit more detail: specifically mobile, the use of social logins, and risk-adaptive authentication solutions that take into account those threat and fraud risk-reduction kinds of technologies, with the goal of achieving continuous authentication or risk-adaptive authentication over time. And often this is achieved with multi-factor authentication principles.
So let's talk about mobile and why I think it's important for multi-factor authentication.
Traditionally, we define strong authentication as two or more of either something you have, something you know, or something you are. So in the case of mobile, if you're using a PIN, it's something you have, your mobile phone, plus entering a PIN. So you get those two factors together. Or something you have plus something you are would be mobile and biometrics. So let's look at some of the major categories of mobile authentication options that are out there.
We still see pretty wide use of SMS OTP, deprecated by NIST and other organizations, but still pretty popular. It's where you get a text out of band, and then you enter that into the website as a second factor. There are some known security problems with that.
So that needs to go away too, just like passwords.
One thing I'm really excited about in 2019 is that FIDO2 has been ratified by the FIDO Alliance. The FIDO WebAuthn specification has been taken up by the W3C.
So now that's a standard as well. And this allows for mobile or second-factor authentication that can directly integrate with web-based applications too. So the plugin nature of the architecture makes it easy to choose different kinds of authenticators; the protocol exchanges are the same, and the ability to integrate with the web is a definite plus. And I think that over the next, let's say, two to three years, many more websites will become FIDO2-enabled.
Mobile biometrics, that's Touch ID, Face ID, or the Android or Samsung native biometrics. Mobile push notifications: you probably see these too. I tend to think of these more in terms of authorization.
Let's say you've logged into your bank online and you want to transfer $10,000. You may get a popup from your bank on your phone saying, is it you, did you really mean to do this? Then you swipe to authorize it. That can also be an out-of-band second-factor authenticator, same thing.
You try to log into a site and then you get a popup asking you to swipe to authorize or authenticate. Lastly, we've got native mobile apps themselves, let's say using the SDKs and hopefully using strong security measures, like the GlobalPlatform Trusted Execution Environment, secure elements on Android, or Secure Enclave on iOS for key storage.
So let's look at biometrics a little bit. Most everyone's probably familiar with fingerprint.
It's matching the patterns in the fingerprint. It's pretty good, pretty resilient, but what you may not know is it doesn't work well with all populations. So this is another case where generally companies need to offer multiple types of authentication, especially if you're going to rely on something like biometrics, where, in the case of fingerprint, it really wouldn't work well for everyone. Facial recognition: this is looking at a fairly limited number of spatial geometric points on the face and making a comparison from registration time to authentication time.
And there are several different ways that can be interfered with: when you did the registration photo, whether you were clean-shaven or not, different types of cosmetics, and then even really simple things like wearing hats or glasses can interfere with the operation. Voice: there are two major types, text-independent and text-dependent. At registration time, you may have had to say a particular phrase, and then when you use voice recognition for authentication, you have to repeat that phrase.
Other implementations allow you to essentially say whatever you want and analyze characteristics of the voice.
Iris recognition actually has the highest number of unique factors that can be analyzed, 266 degrees of freedom. And one of the other big benefits here is the iris doesn't change over time.
Whereas fingerprint or face or even voice can be subject to that. Then lastly, we'll look at behavioral biometrics, and believe it or not, these can be highly unique. It's how you use your device. It could be keystroke analysis, swipe analysis on the phone, how long you hover over certain keys, and then also device-specific information like geolocation, or what WiFi SSIDs you normally hang around.
If you're using biometrics, there are three key concepts to be aware of. There's false acceptance rate, which is how many times the wrong person can log in illegitimately. These are often limited by the kinds of technology; so with fingerprint or with face or iris, it's limited by, let's say, camera resolution and then the underlying software. False rejection rate: we've probably all been there.
If we've used things like thumbprints, that's how many times we, as the legitimate users, get denied access to our phone or to specific apps. So that's definitely a point of frustration. And then equal error rate, usually where the false acceptance rate and the false rejection rate cross, and most of the time it offers the best trade-off between usability and security.
I will say that I know that the FIDO Alliance has got a certification process with regard to security, and even self-reported, and in some cases some independent, testing of things like false acceptance and false rejection that could be published, and you can look at the metadata for specific authenticators, and that can help you decide what's most appropriate for your business cases. There are a couple of other things about biometrics: there's enrollment threats.
This would be a wrong person obtains, let's say, your credentials and goes to register and associate your biometric sample with their identity. Then the triad of confidentiality, integrity, and availability: in most cases, biometrics aren't secret; our faces, our fingerprints really aren't secret. So integrity of the biometric sample is key in this case, and local storage and comparison of the biometric snapshot to the registered sample is preferred.
And then lastly, presentation attack or liveness detection, to make sure that somebody's not using a photo or a mold, or even now I've seen reports that 3D-printed molds can be used to fool biometrics, unless there are liveness detection elements involved in the authentication process.
So I put together a quick chart just to go over, and you can look at these in the slides when they're available tomorrow in more detail. And if you have questions, let me know.
But just to summarize, I think in terms of overall value, the best FAR/FRR, equal error rate, iris wins out on that, as also with uniqueness, persistence, and overall operational effectiveness. Fingerprint is pretty standard and it's actually pretty good. I mean, it's about the same uniqueness as a six-digit PIN in most cases, depending on the implementation. And it's pretty easy to use. So it's right up there with a B. Voice on the whole is pretty good too.
Again, if you have a cold or something like that, that can affect the recognition, but in general, much better than facial recognition.
Behavioral runs in the background. It's surprisingly and incredibly unique and pretty easy to use; it doesn't really require much, or really nothing, on the part of the user other than to use the device. So it makes a pretty good measure for identity persistence over time. Social logins: this would be using Facebook, Google, Twitter, LinkedIn, all those different kinds of social IdPs.
They can also be used for registration as well as providing authentication services. And definitely, on the good side, they're based on standards like OpenID or OIDC, and they're easy to use.
So, to try to wrap up here on risk-adaptive: this is where systems look at a variety of different kinds of factors, such as geolocation, geo-velocity, and possible journey.
You can't log in from, let's say, Argentina, and then two hours later log in from Japan. So being able to put logic in the authentication solution that can track those kinds of attempts, geofencing, time of day. Then there's a bunch of device-specific things that can be looked at, like device IDs or maybe carrier information,
IMEI numbers; some authentication solutions will apply their own software fingerprint; device health assessment, as in whether or not the device has a unified endpoint management client or mobile antivirus or full-on endpoint security, and what the status of that is. Then there's a variety of user attributes that can be written into policies, user history, user behavioral analysis, and then some other known compromised credential checks or fraud and threat intelligence that can be fed in and evaluated at runtime, also for continuous authentication.
What we mean is just running those same checks, and you can define them; there are literally hundreds of different kinds of options that are available in authentication solutions today. So doing these checks over time, and as the risk score changes, you can write policy that says, okay, now that the risk has increased to a certain level, I do want to introduce some friction. I may want to require, let's say, a mobile push notification just to make sure, or to increase the likelihood, that it's the right user on the other end of that transaction.
So to close it out here, which options do I think are best for consumer identity? Well, like I said, we've got a whole bunch of different ones that we started with, but there are security and usability concerns. And what I think are overall best for consumers are things like iris recognition, fingerprint, or mobile apps, and that would include push notifications. So at this point I will turn it over to Deepak from LoginRadius.
Thanks, John. Hello everybody. My name is Deepak. I'm the co-founder and CTO of LoginRadius. So John mentioned quite a bit about how security, privacy, and compliance are important for CIAM. And at the same time, he also mentioned how users can use their fingerprint or their iris scan or other components to simplify the user experience, and social login. So I will walk you through some of the processes and practices on how the CIAM space, how digital identity, is modernizing and what new things are coming in. So the first trend that I'll be talking about is authentication.
So as we all know, traditional authentication has been there forever in the industry, in the internet world, with everyone using their standard login, such as email address and password, or username and password. And in the last eight to ten years, social login, as John also mentioned, is getting there, where websites have started to use social login to simplify the registration and simplify the authentication.
It automatically creates the profile using Facebook login, Google login, LinkedIn login, or different sorts of login.
So these legacy authentication methods are very popular, especially on the web, where most of the applications are designed for and delivered over the web on the internet. Now there is a trend that is happening all around the globe, which is mobile. So in the mobile era, the consumer wants to connect with the applications quickly. And at the same time, they want to make sure that their information is secure. So a lot of trends are happening on the phone authentication side, where users are using their phone number to log in.
That gives them a unique identifier, because mobile numbers are unique, and users have all the information handy so they can quickly log into the applications. The second trend that is happening is passwordless authentication, where the user does not need to create any password.
They don't need to remember any password. They can just use their phone number and get an OTP, or they can enter their email address and then get a link to quickly authenticate and log into the applications.
The third one that is getting the most attention nowadays is biometric authentication. So in biometric authentication, facial recognition is very popular, where the Apple devices have Face ID. And then all these smartphones nowadays have Touch ID, fingerprint ID, and then voice login, which is happening mostly in the AI devices like smartphones and smart speakers such as Alexa and Google Home. So these kinds of authentication are getting popular, where the consumer wants the information quickly. They want to quickly connect with the applications.
And at the same time, it takes care of the security and privacy of their information.
There is a quick stat from the LoginRadius platform that we ran in 2018, where we can see a clear winner in phone login. Phone login is getting popular: 27% of the users who have used phone login, their return rate is very high, meaning that consumers are much more adaptable to using phone login, and then passwordless login.
The people who are using passwordless login are returning to the website quickly, because they don't need to remember and they don't need to reset their password again and again. Social login is in third place. And then standard login is decreasing because of the new modern technologies and trends happening in the technology.
So the key takeaway from the authentication trend is that consumer expectations are higher than ever. Consumers want an amazing, delightful experience, and at the same time they want to make sure that their information is secure and that it protects their privacy. So they are more likely to use mobile authentication and biometric authentication. As John also mentioned, these are the key authentication trends that are happening to retain customers and to attract more consumers to the applications.
Now we'll talk about the frictionless authentication experience, how applications can deliver the frictionless experience on the registration form. Because, as everybody knows, in order to register to any application, the user has to provide information; they have to fill out their name, email, phone number, address, date of birth, different information depending on the application. So how can we create an effective registration form so users can quickly register to the application? They don't need to have lengthy forms.
They don't need to provide a lot of information. One piece of research that we did: 78% of the companies are using five to seven fields on the registration form; 26% of them use five fields, 28% of them six fields, and 22% are still using seven fields. So if applications are using more than five or even more fields, it is hard for the consumers to enter the information and they won't be registering; that's the higher scenario.
So the impact is very high to get a new user, to get a new consumer. If applications, like all the businesses, want to maximize the conversion rate, they have to have fewer fields, and they have to ask for the limited information that they need. So using an effective registration form will improve the registration, and it will improve the conversion rate from visitor to registered user.
But the challenge for the businesses is they need the information. They need to identify the consumer, who the consumer is, what information they have. So there is a right balance between consumers and businesses getting the information and at the same time asking for limited information. So that's where there is a concept called progressive profiling. In progressive profiling, businesses ask for very basic information during the initial registration. So they ask just for the email address or phone number.
And then as the consumer starts navigating the application, they start getting familiar with the web application or mobile application; as they start their journey, they build their trust, and then businesses start asking for more information. So in the second step, they ask for their full name; in the third step, they ask for their date of birth or gender, or any specific information relevant to that particular company. So it's basically building the trust and asking for the information not in one step but in multiple steps. So that's called progressive profiling.
So that way you can increase the conversion rate as well as reduce the bounce rate from your applications.
So the key takeaway from the frictionless experience, as we talked about: for a better consumer experience and rate, you should ask for less information. And if you still want to ask for more information, you can use progressive profiling. There are some technologies out there that can intelligently detect the information.
So based on the consumer's browsing history, their anonymous information, anonymous location, and device, if they're using a tablet, if they're using an iPhone, or any kind of mobile device, or if they're using a smart device, then the devices can intelligently detect the information based on the user's behavior. And that way you can also improve the experience.
And another way is social login, where the user can connect with their Facebook, Google, or any kind of social accounts. That is another way to do frictionless registration, where users can log in with their email, and then they would be given an option to link with their social profile, so they can link their Facebook profile, they can link their Twitter profile, and that linking will gather more information from their social media account. So the websites will have more information about the users who register.
So that is another way to provide the frictionless registration.
Now, we talked about authentication: how users can authenticate, what different modern technologies they can use, how registration can be improved, how we can minimize the registration or ask for the information iteratively as users are doing their journey.
Another key component for the user journey, or for CIAM, is seamless navigation. So single sign-on is one of the key elements for the companies, for the businesses, and at the same time for the consumer, where most of the businesses have multiple different web applications, multiple mobile applications; they have consumers going to their POS terminals, consumers going to their kiosks, consumers touching their IoT applications, smart speakers, smartphones, and other devices.
So how can businesses provide that seamless experience across different devices, across the different stack of places where consumers are going? So single sign-on is very, very important for the consumer.
So that's where businesses have to provide cross-device and cross-browser single sign-on. And once the user logs into one web application, they should be let into other applications related to the same brand. At the same time, they can also enforce the same login to their mobile application.
When the user goes to a kiosk, it should quickly identify the user based on the previous information they have in their system. So users don't need to enter more information again and again, and they don't need to sign in again and again. That is another way; single sign-on is the best way to overcome this with the frictionless experience.
So, in summary, as the technology is evolving, consumer expectations are growing. Consumers want quick, easy access; they want a frictionless experience. So you have to update your identity infrastructure in a way that can drive maximum conversion and retention.
The new authentication methods are obviously Touch ID, Face ID, and passwordless login. You can still use the email address and password.
Like, you can still keep the legacy authentication, and the new authentication methods like social login can be used in combination with the existing login methods. Then the registration fields have to be minimized. You can add some intelligence; you can use a platform that has more intelligence capability to gather some of the predefined information, so you don't need to ask the consumer for that information. And then lastly is the single sign-on experience, where you provide the frictionless experience.
When the consumers are navigating across multiple applications, whether in the online world or the physical world, they can quickly get their information, so they don't need to enter the information again and again. So in summary, the whole experience for the consumer is simplified. And at the same time, consumers are confident that the applications are built with security and privacy in mind, and their information is secure on their end.
So that's all from my end, John.
Yeah.
And again, if you have any questions, there's a questions blank in the GoToWebinar control panel. So let's see: what are the reasons that the return rate for phone login is higher than the others?
So the return rate for phone login is higher than the other legacy methods.
As we all know, people are using the phone quite a bit; the usage of the phone is going significantly higher than before. So the phone is in their hand. And then every time the consumers are connecting with the brand, they just use their phone login, or they just use their Touch ID or Face ID. So it is easier to connect and easier to navigate. So that is the main reason the return rate is pretty high for phone login.
Yeah.
I would agree. I mean, we've been talking in the identity industry for at least 10 years about how to get rid of passwords. And now, with the near ubiquity of smartphones, I think that's achievable.
And for the reasons you laid out, Deepak, I mean, it's easier; people have their phones. And then, of course, you don't have to use a password. And the advice that we've all been given for 10 or 20 years is: don't use the same password for every site, make your password really long and cryptic, and therefore hard to remember. Let's say that's not the best security advice out there.
I think, because there are options, and even though biometrics aren't necessarily perfect, or there may be other usability issues in certain cases, getting people what's easy to use as well as what's more secure is what most organizations that have a consumer-facing aspect to them should be doing.
Yeah. And as the technologies keep evolving, John, consumers want quick and easy access. They don't want to wait. They don't want to remember the password. They don't want to forget and reset the password again and again.
So that makes it easier for the phone to work.
Well, and as more users have more contact with internet-enabled services through their phone, we all know that passwords themselves are difficult to enter on the phone. And we certainly don't enjoy having to go reset a password using the phone channel.
Right.
Next question. The next question I see here is: which login method is most secure?
So from the security point of view, I think social login or passwordless login both are, if you rank them in a stack order, because social login works on the OAuth protocol, where social providers like Facebook, Google, Twitter, and LinkedIn have the credentials on their end, and the user just authenticates using that protocol. And the same in passwordless login, because the user does not have any password; as the name suggests, it's a passwordless login. So there is no password to see, there is no password to store.
So if you rank them in order, those would be the more secure ones. But then the legacy ones like phone login, standard login, and even nowadays the new ones like Touch ID biometrics. And then John, I agree with your point, FIDO 2.0 is going to be another big one to have, where the MFA would add good value to the standard login form authentication.
Yeah.
You know, like I said, I'm actually excited for FIDO2 because I think it has a lot of improvements. I think the Web Authentication specification really will extend the FIDO paradigm to new territory, like simply web applications.
Whereas, you know, it was mostly either U2F, which would work well for web applications, but UAF was mostly for mobile apps; but 2.0, I think, tries to synthesize that. And then you wind up being able to use different kinds of authenticators almost interchangeably because of that pluggable architecture.
And to the question. Yeah.
I mean, I think I showed my version of most secure. I think if you're gonna do biometrics, fingerprint is definitely a really good trade-off between security and usability. If you're looking for a highly secure biometric solution, I think it's hard to beat iris recognition. And you're right.
You know, in fact, with social logins, you look at the major social IDPs out there.
You see that most of them are doing a lot of the stuff that I was talking about for risk-adaptive. They're looking at all those different factors in the background; they're looking at, is this guy coming from the same place that he has come from before in terms of network location?
They're doing a lot of that stuff that's kind of invisible to us as the end users.
So that adds a certain degree of identity assurance to accepting social IDP authentication.
Yeah. So risk-based authentication is definitely getting pretty popular, and a lot of new systems come with it. Social definitely comes with it. All the CIAM platforms should come with it, and most of them have already integrated it; like we have risk-based already integrated into our solutions.
So if someone is logging in from a location and at the same time someone else is logging in from a different location, it triggers that authentication; it triggers that action and risk factor, that there is something wrong with that account. Someone is trying to do an account takeover or someone is trying to do some unusual activity.
So yeah, those kinds of MFA and risk-based authentication mechanisms are gonna improve the security quite a bit.
The next question I see is: why are email and password login not as effective?
I mean, they are effective, but consumers are going more into the new devices like mobile devices, tablets, smart speakers. So as the new devices are coming in, as the devices with no display are coming in, that is one of the key things: users don't wanna type anything. They just wanna talk to the device. They wanna do the fingerprint or Face ID. So that is the main reason nowadays: if consumers are going more digital, then they don't tend to use email address and password.
Yeah.
And then there's just the fact that all you have to do is go take a look at the haveibeenpwned.com site and see a big list of all the different credentials that have been compromised before. So I think people are widely aware of the risks of username and password authentication, and if offered other alternatives that they perceive as more secure as well as more usable, then they'd be happy to take those.
Yep, absolutely.
To the next question: why is the return rate lowest for email login?
So I think that goes hand in hand with the previous conversation that we were having: because of the mobile usage, because of the new devices, consumers don't want to use email address and password. A lot of the time, as we talked about, passwords are easy to forget. They have long passwords. And when the user forgets their password, they just kind of abandon that site. They don't wanna reset the password and they don't wanna return to the application.
So that's the primary, main reason the return rate is pretty low for email address and password.
Yeah.
You know, and as far as, let's say, account recovery, or as a second factor, getting a link in an email and clicking it, those are not terribly popular as well.
Yeah. Like every time the user uses the email address and password, it is complicated. Consumers have like hundreds of different applications they use, and it is hard to remember. And a lot of applications nowadays have like combinations that you have to use, like one uppercase, one letter, and it makes life complicated for the consumers to remember all these combinations of passwords for different applications.
Well, yeah. And different password policies, like you're saying; some sites will require, I mean, there are some basics like uppercase, lowercase, number, special character, but what qualifies as a special character? Sometimes you have password managers, or even in the browser you'll get a popup, and the auto-generated random ones don't necessarily fit the policies, because there's so much variability between password policies and sites. So yeah, it just leads to a pretty poor overall user experience.
Yeah.
And even when people use these password managers and browser stores, if the consumer uses a different device, a different computer or tablet, it is again hard to get the same information on different devices.
Right.
You know, I wanna go back just for a second to something you were saying about progressive profiling. That's something that I see a lot with different vendors and different customers that we talk to: progressive profiling, capturing information from users a little bit at a time, only getting what you need for each transaction, and then sort of adding that to your overall database, is a really important design consideration.
I was looking at some research last week, very freshly published, about how consumers now will abandon sites or even abandon transactions if they feel like the service provider is trying to collect too much information, or if they're not sure what that company's gonna do with that information. So, I mean, we're about a year past GDPR, we've got the California privacy law coming up, and of course Canada, Singapore, and various locations around the world already have pretty good privacy laws.
And I think there's an increasing expectation on the part of consumers that businesses are not gonna ask for any more than what's needed, and they're gonna treat their information a little bit better, maybe, than it has been in the past. So that awareness, I think, makes it very important for businesses who are designing or upgrading their customer journey experience to keep that progressive profiling principle in mind when designing their new sites.
Yeah, absolutely. A hundred percent agree. And that's what we have seen in our consumer base. All the customers we have use progressive profiling. Definitely the privacy laws are getting more and more stringent. A lot of new privacy laws are coming in and consumers are scared: why does this website need my information? Why do they need my date of birth? Why do they need my gender? Why do they need certain information from me? So ask for the information when it's needed, when it's the right time. And that's where consumers also feel safe.
And from the privacy policy and privacy compliance point of view, it is also safe that we are asking for the information because it is going to be used in that particular segment or particular action that the user is taking, for the information that the user is requesting. So it is very, very important to have progressive profiling in the applications nowadays, to not scare the user and at the same time take care of the privacy and compliance considerations.
Yeah. Yeah.
I thought it was interesting to see that 35% number, that they would abandon a registration or abort a transaction if they feel like the company's trying to collect too much information. I thought it was just me, but apparently it's a lot of other people too, about one in three.
Just one more point on that. I mean, really, when you think about regulatory compliance, GDPR especially, it's in businesses' best interest to not collect that information.
I mean, we call that data minimization. So yeah, don't collect more than you need for your expressed business purposes, because it reduces your liability for holding on to consumer PII as well.
Yeah, definitely. And all these privacy laws like GDPR, CCPA, and even other privacy laws say that if you don't need certain information, don't ask for it and don't keep it. But businesses still do because they don't even understand.
And they think that they might need that information down the line. So they just ask for that information up front, but that is a very risky thing to do. So yeah, businesses have to be aware, and at the same time consumers are also getting more educated because of all the breaches and a lot of reports that are coming in.
Well, that's all the questions I see for now. So thank you, Deepak. It was a good conversation today. And if anybody has any questions, feel free to get in contact with us and we'll make the recording and the slides available by tomorrow.
Likewise.
Thanks, John. It was a good conversation and good to be here. Thank you. Okay.
Well, thank you everyone. And with that, we will close out the webinar. Have a good day.