Please welcome Wolfman of Swisscom and D C of I actually will hold sales banking world. I always struggling with, for our panel about the best ways to balance user experience and security for consumer identity management. And that aligns with talks we heard, for instance, from how someone already; it also links back to my keynote I gave in the morning.
And I think it's one of the biggest challenges we are facing when we do consumer identity solutions, because at the end, we need to have a certain degree of security, but security has a huge potential to annoy people if not done right, and to increase drop-off and churn rates, which we obviously want to avoid. So what I'd like to ask the two of you is to quickly introduce yourself and maybe come up with a first initial statement you see around the theme of this panel. What do you wanna start?
Thank you, Martin.
Yes, please. I'm in charge at Swisscom of IAM for the consumer domain, for the business domain and also indirect sales channels. I developed a vision with my team, putting that in place, and it's gonna be focusing on the identity, and we want to make Swiss user-centric, because I believe the ID as such has a value and it's an enabler for much more business, cross-selling, upselling and a great new user experience, but it's also crucial for good security that we leverage the ID and all the means that come with it in terms of increasing security.
Okay.
Yes.
Thank you for having me, Martin. I'm working as a customer journey expert at Y G wholesale bank. My job is basically to design and implement easy and secure login and consent customer journeys for IGS corporate clients. And if I come up with a statement, I believe CX is the new era, is where the battlefield is right now, especially among banks. And offering the right balance between security and CX, the UX, will always be a challenge, but I really enjoy working in this area.
Okay. So thank you.
And so when we look at what is happening today: you come from slightly different industries, on one hand the telco, on the other hand banks. And I think every one of us also has a lot of experience with all other types of industries, more or less in daily life, from whatever, renting or buying cars, to eCommerce, to utility companies you have to deal with. And so I think that's the good thing for the topic: in some ways everyone has some experience, but on the other hand, you, and to some extent maybe also me, we are also experts from the other side of the story.
So we might have a slightly different look at some of the things we are facing than others have. So when you look at the main problems, what do you see as the major challenges today? D do you wanna start?
Yes. I think the biggest challenge for traditional management solution is that many companies are still offering username and password for authentication I
Health.
Yeah.
And that's, I think, at this point in time not acceptable anymore, especially for critical sectors such as banking, we can say, or telco in that case. So I think we have to move away from username and password very quickly. And of course, when we move away, the first solution that comes to mind is multifactor authentication. That also has some downsides because, you know, for banks, for instance, it means in general a card reader or a hardware device that you have to carry with you wherever you go, just to access an online banking platform.
And of course we see the transition from a hardware token to software solutions or mobile apps, let's say more generically, but still I think the transition will continue for a while. And another problem I see is that for multifactor authentication, we always forget that the enrollment actually defines the security level of the multifactor authentication solution. So if you enroll with username and password, in the end it's actually one factor. That's not very well communicated, I think, by the companies.
And I think user awareness is still lacking. That's
What would be your perspective on that?
First of all, I share the views of Z and I'm just adding a few points, particularly on the telco market, where you actually all market, you know, it shouldn't be a hurdle, right? Making it secure, you increase the hurdle, which is not good in an online shift if you want to have an easy experience for the user. However, we've also made the experience that silent login,
so a non-visible security measure, is not good for the user as well, because some people might be concerned that their data is not protected, even if we do it in the background. So the idea for me is just about right: slightly visible for the user, but really easy, one or two clicks, and it's done. So that's where we should all be working, but it's not easy, right? Password is one critical point. It can be forgotten, or it might just not be enough.
So what I'm doing is trying to focus and, you know, putting the security in place where it's really needed.
One example: accessing TV on your mobile phone. There needs to be a certain protection, right? It's your recordings. And one should be able to delete them. The company wants to protect IPRs, for example, of the content; that's our obligation. So we need to have a certain login, but we don't need a second factor for that because, I mean, what you see on the TV is publicly available. So no big worries, right? On the other hand, sensitive customer data: there, you definitely want to have it. And that's what we're focusing on.
Multifactor is of course a way forward, but adding another perspective to what D said: in the consumer domain, second factor, multifactor, is really a concern.
Yeah. Isn't it that at the end, the one factor is very clear? Because, especially with the consumer device, we don't have to deal with whatever data standard below the ground where we don't have mobile phone access. But I think we can assume mobile phone access is pretty commonly available.
And then the smartphone is, from my perspective, one of the logical factors, because today I think it's more likely that people carry their smartphone around than their wallet, even. So the smartphone, I think, for many is the first thing they check: do I have my smartphone with me, before they check for anything else. And so we would have one factor, which we then could complement with another relatively lightweight factor. Isn't it that way?
Correct.
And the beauty of it, if you're using the same device, I mean, I'm thinking towards risk-based authentication. So we know your device, you might be an iPhone user, an Android user, and we know which version of the software you're using. We know which browser. There might be, just purely for authentication purposes, a cookie in there. So we know it's you. And we also know what you're doing. So we kind of know a pattern. Then if 30 minutes after your last session, suddenly you want to access sensitive data with a device of a different manufacturer that we haven't seen,
and the IP address comes out of South America or Africa, you know, I don't think it's logical that you've traveled that far within a few minutes. There might be something suspicious happening and we can cut before the damage happens. I think so by adding different things we know and pulling together that data just for pure authentication purposes, we are actually the user and we are making the world more secure.
And it is something many of us right now do in everyday life, also on the employee access side. When you take whatever typical MFA experience in Microsoft Office 365, or Microsoft 365, at the end there's the device ID used. And you feel, when you switch from one browser to the other, oh, I have to reauthenticate because the system is right now different. I had to switch the update from old Edge, new Edge grow match. And then you have exactly this experience. You have a relatively convenient what first factor.
So to be combined with something which runs in the background, what is your perspective on that?
Yeah.
I actually have a complementary view on this, saying that up until now we are mostly focusing on the initial authentication of the user, and the idea is to differentiate a genuine user from the fraudster right in the beginning, but we don't really have monitoring in place in most companies for the continuous authentication. So, which is in line with what Ralph also mentioned. So I think I will go one step ahead.
Let's say, I would like to see in the future no login application, no login procedure at all for the users. This will also have impact on the perception of the user. And I think it'll evolve over time that people will, because we are so used to having a username password or a login application to lend in. You don't need that actually. Right. If you're a genuine user. So if you go one step ahead, and if you have the right advanced analytics skills tools available, we can actually monitor.
Yeah, I think I get your point intro. We're breaking up a little by the end, but I think your point is we could get rid of every whistle loss case. On the other hand, I like the point made a few minutes earlier, which was, yes, we could do that.
In fact, I think what you said, but we need to be aware that the customer might be scared by that because it feels this is totally insecure.
So I think that might be a very interesting balance we need to figure out, maybe also a learning over time. So I think a lot of things change over time, and if I go back a couple of years, we spent a lot of time talking about why biometrics didn't take off. Right now, every iPhone user uses biometrics. And for a lot of other devices, you also use biometrics every day, and people accepted it.
So it really might be a change of that. But I think there are two interesting perspectives and I like both of them, but the intro, you also brought up another point at the beginning, which that the one thing is the recurring authentication. The other thing is the initial at the end verification, the delivery of the authenticators, which I think with every respect is a challenge and always has been a challenge. So sending out a hardware token more so always was a big logistics effort.
So what is your perspective then on this sort of initial step, from verification to setting up the way we authenticate them?
There are two different approaches. The benefit in the business is that usually you have a means to verify the identity, or someone to vouch for it. For example, if an ID is generated and we have a relationship with that client already, then there is a means to make sure that this person really exists. It's more tricky on the consumer market.
So therefore I'm making sure that on all the channels, when a new individual becomes a client, we establish an ID at the very first step, because in the past, people had, you know, phone access in their house, a bundle, TV, whatever, and then IDs were added on later on. And it's kind of a nightmare to figure out which client and mix access, so which ID belongs together. It's a verification process which is not normally understood by the user. But if you do that from day one, at least the pairing of the product that we sell to the logic ID, that's solved.
There's still the matter, if there is a regulation compliance, that you need to prove the individual, the natural person behind, who that is, and that this person really exists, but that's then, let's say, step two.
Okay. So in the interest of time, we don't have that much time anymore. And we probably could spend far more time on the panel, I feel. But when you look at the, so to speak, don'ts of the things: we already brought up the challenge of using username and password, something I also elaborated on in my keynote; then there are CAPTCHAs.
And then there are sometimes these things where you need to say, okay, where do we have whatever, a red light or a car or something in these pictures. So from your experience, what is the worst thing of all these various approaches you could use? So which, from your experience, scares people away most? picture, do you wanna start short answer that in the, it looks like DTRA video starts working. So what do you wanna start?
Yeah, first time, it really depends on what I wanna do, where my level of things that I'm happy to comply with or that I can bear with is, right. But in terms of first experience, when a company introduces as a second factor just a set of static figures, for example, which is nothing else than a second password. If you compromise the first, you compromise the second. So what's the point? I know the CAPTCHAs can be annoying and I know the photoTANs and so on are effort, but maybe I'm compromised personally. I can live with it
if I know my data is secure, but it really depends on the user's perspective, what you're protecting, and then make sure it has a certain amount of value, basically.
Okay. We had lost you. So maybe you rephrase or repeat your answer on that.
Yes. I actually totally agree with Ralph. I think the biggest mistake that we as practitioners make is that sometimes we are trying to create the safest or most secure solution in the world for our clients, especially in the banking sector.
And we add multiple steps, which are, for instance, you know, we have these three factors, multiple questions for knowledge-based questions, or yeah, it can be multiple devices, even. So in the end, you need to think from a theoretical perspective as well.
You know, if you are really assured that you have a consistent and secure factor in place, then you just need to stop there. And you also have to always think from a user perspective, because in the end you might ruin the experience every day, for instance, for an operations specialist trying to log in to your banking platform.
So don't go over the top at the end of the day. And I also believe what is super important is to provide alternatives. So having just one way to do it never will be good enough for everyone you need to work with. So I think we need to have these options because there's not the one user with the one type of device.
So some things work better for these users, some work better for others. I believe delivering options is a very good thing. And there's nothing in regulations, if you look at PSD2, there's nothing in regulations which inhibits you or prohibits you from providing multiple alternative ways as long as they are all good enough. So in the interest of time, we are very close to the end, maybe one closing statement from each of you and probably a best around, so one sentence around what is the business value of doing it right? And better than the commonly to it.
Do you wanna start then what,
Yes. I think, for me, the business value is very clear, but maybe some people might argue with it. So I think the first experience, the first impact that you create on the user, is very important.
And, you know, let's suppose that you have an amazing nightclub with amazing drinks and music inside, but the way you get into this nightclub and the way you interact with the security guard will really define your whole experience. So, okay, if you can create the best experience in the beginning, then the rest will be fine as well.
All your time.
Thank you.
Yeah, of course you need to get in easy answer on, but besides the entry door, it's also the chance that if you know the user, you can help to boost the online shift, digitalization, Corona, just manufacturers, but it's a great way to, you know, deliver the same products with even better quality, with less cost, and larger companies or ecosystems have the great chance of doing cross-selling, upselling. If you know your customers, you might have your kids, you know, give them rights to use the service. They are happy to use it. They start putting their data there.
And so on. As a telco, obviously the chance is that over the lifetime of this person, once they move out, they already have a customer relationship. Whereas in the old world, they leave the home of their parents and we lose connection with them, right? And we have to acquire a person completely new on a competitive market. So IAM is the way to tie people to a company and to our offering and to the benefit and the experience we deliver.
Yeah. Thank you. Thank you both. We're already at the end of time. I think I maybe let's phrase it that way.
Verification, registration, authentication: always keep in mind, there's no second chance for a first impression. If you do that wrong, you already failed. So thank you very much for thank you very much, D and back to any.