So at Akamai, we have created a global edge network that helps deliver content and media, helps protect websites, users, and consumers, ensuring engaging web experiences for millions of people around the globe and working with some of the biggest brands on the planet. But the pandemic has created a consumer adoption of digital channels, like online shopping, home delivery, and telehealth, with 30% of consumers planning to shop more online in the future. As the world adjusts to a new normal, brands must create the high quality, scalable online experiences that consumers demand.
But the thing is we really enjoy physically going into our favorite shops because they treat us like this. This is what creates loyalty. This is what will encourage repeat purchases and get us to recommend them to our friends. This is what creates trust and gives us that sort of warm, fuzzy feeling inside.
Online, however, many of our experiences are like this: constantly throwing hurdles in front of us to validate and verify. Who are you? What is your password? Are you a robot, et cetera? What we need to do is make the online experience more like the physical experience. So let's dig into why that shop is important to you. Is it the price? Is it the value, the choice, the customer service, or just being there?
A good sales assistant knows when you are browsing, when you need help, what additional things you may need. When you are a frequent customer, they're able to tailor that experience even more. But security is still important. The shop still needs to make sure that product doesn't walk out the front door tucked underneath someone's jacket or at the back door due to a disaffected employee. But the security is normally in the background.
So why do websites have all these visible blockers and the shops don't?
Well, obviously crime is much easier on the internet. You don't have to get outta your pajamas. You can hit lots of places all over the world, all at the same time. And the payback can be much, much higher. But the criminals aren't always after the stock. Often the identity of your consumers is much more valuable. A username and password for a popular e-commerce site can go for between 10 and 20 euros.
If you have a thousand of those credentials, which are not that hard to come by, if we think of the credential breaches and password reuse that we know is prevalent today, then you can see that this is easy money, especially when compared to the physical alternative. So this is why websites put up all these blockers to try and put off, deter, confuse, or delay the attackers.
The end result is that you may have put off the attackers, but you have an unusable website. So we need to find a medium, a way to balance the necessary security against the customer experience.
So how does this affect the CX? How does it affect the trust in our brand? When we try to do business with them, we are bombarded with riles and "click here to prove you're not a robot". The point is, as a vendor, you should know who the customer is. The customer shouldn't have to prove that. And that's where we go back to trust.
So I'm sure you've all seen this quote before, and it gets rolled out quite frequently, but I think it's very important, especially when you look at a recent survey by P C I P L, where they found that a significant 74% of UK consumers surveyed said that if they were aware that an organization had been the subject of a data breach or hack in the last 12 months, they wouldn't shop with them.
This festive season, 74%, almost three quarters, were concerned about going with an organization because they'd had a breach this year, and that's a huge amount and could have a significant effect on somebody's brand. However, I prefer the Mark Carney quote of "trust arrives on foot and leaves in a Ferrari". But if we trust our customers, why do we still keep challenging them when they want to do business with us? Because there is a defined process by which ATO, or account takeover, happens.
This isn't the only way. We can talk about phishing and social engineering as well, but that's for another talk. And we can analyze the five common steps of the fraud kill chain that leads to ATO or account takeover. So the first one is reconnaissance, and this is where we find a suitable website that people would like to buy stolen accounts for.
We then purchase a large list of previously breached usernames and passwords that can build a suitable source repository. Ideally they would be from a similar vertical as they have a high hit rate.
You know, commonly though a rate of 1% is not too far off the mark. And so if you have a hundred thousand usernames and passwords, which is relatively easy to find, then you may expect 1000 of them to be valid. Why does this work well? How many passwords do you have and, and work it out from there. The next part is weaponization. The next stage, this sort of stage is putting the tools together to try out all the user names and passwords against our target site. We need to be stealthy and hide our tracks and not be too obvious.
Fortunately, there is a plethora of tools that are either free or available for a small fee that can provide you with all the apps and proxies that you need to remain hidden.
Delivery: this is what we call credential stuffing. Millions of usernames and passwords being pumped into your website, looking for a valid username and password for an ATO. Once they have their confirmed list, they can either use them or sell 'em on the dark web. As we mentioned before, 10 to 20 euros is a good price for a valid credential.
So if, as we discussed, they get a thousand creds, that's a tidy payout. Exploitation: this is when the validated usernames and passwords are used in anger. And then we have action. So this is the cashout process, leveraging whatever is possible from the account. So what can we do to prevent this? So there's fraud prevention, which is done by the vendor, but this is a bit reactionary. Yeah. And normally the fraud has already occurred at this point, and it requires the fraud department to go back to the customer, refund the money.
And that's a lot of overhead and a lot of expenditure on the business. What we really need to do is shift left, to move up the kill chain. And this is where we get to bot management. And this is where we commonly see CAPTCHAs that we saw in the previous slide, but this doesn't manage bots. It annoys customers and affects conversion. What we need is something that's transparent and frictionless, something that can analyze a person coming into our shop without having to hassle them.
This can be done with effective bot management. Using multiple points of telemetry, combined with a huge traffic database and machine learning, we can block non-human requests in real time and prevent the stolen credentials from ever being validated in the first place. No validated usernames and passwords means less options for ATO, which means less fraud. Importantly, though, if done properly, transparent bot detection means happy customers. Back in our actual shop, knowing who you are is important for the sales assistant.
When they recognize you, they can interact with you, ask you relevant questions or know that you don't want to be disturbed, but you never need to show your passport or driving license when you enter the shop. When I go to an online shop, I want the same experience. I don't want to be treated like a potential criminal. I don't want to have to respond to multiple questions about who I am or my ability to recognize road signs in North America. By employing an effective approach to customer identity, we can build this relationship and build trust.
This means that identity, what that actually entails and how that is captured and used, is vitally important. When we do business online, we want that same experience that we have in the shop. When we go online, we should be able to move seamlessly between the environments. Omnichannel is now more important than ever. Organizations will have seen many new customers visiting their virtual stores over the last few months. As we move forward and people go back to shops, hopefully, second lockdown permitting,
they will want to visit the physical manifestation of this virtual shop that they have enjoyed. The last thing that a customer wants to feel is that they are unknown. A good customer online should be rewarded with a good customer experience when they visit your shop and vice versa, whether through an app that detects you when you've entered one of their stores and advises you of offers that are relevant to you or alerts staff to make you feel welcome and offer assistance.
However, security is still important. It just needs to be balanced against the optimal customer experience. When you enter a shop, there may often be a security guard present, maybe standing just outta sight at the side of the door. They've seen you, but your entrance into the shop was not impacted. You didn't feel scared. You weren't asked to prove who you were. The same should be online. Security should be there, knowing you are there, without impacting what you want to do. And this holds true throughout the customer relationship journey with the retailer.
And not only with security. This is where we get that warm, fuzzy feeling that we talked about at the beginning, that feeling of trust. There are many elements that need to be touched to ensure that this trust is kept between the vendor and the consumer. For example, consumers expect a simple and frictionless registration experience.
If they create an account with a brand, they expect to only create one account, not a different one for every single line of business or every single new campaign that's created.
If they choose to bring their own identity, that should be a simple and easy process. Any information they disclose, they expect to be protected. If they trust you with the password, this can never be breached. Remember the credential stuffing, do you want your breach to be the source of even more attacks? Awareness of privacy rights has also grown. And if a consumer makes a request for their details, that should be a pain free experience, not requiring a, a painstaking search through a myriad of databases for the vendor. They are aware of their right to be forgotten.
And more importantly, they want control and choice on how you use their data. Bundled consent might not be enough anymore.
Realistically, it's more habitual consent. Do people really read the popups?
I mean, pretty much guaranteed, never for cookies. Yeah. And how many people read the popups for opt-ins? And mainly due to a large and different way of presenting these options. People are beginning to understand what they're for, but without simple, clear, concise, and consistent references to these options, they go unread. If this is presented in a better and more engaging way, people may feel more willing to opt in because they're gonna trust you more. If you batter them with legalese in the popup, they're gonna feel pressured and confused.
So while your digital landscape may not be the customer's concern, making a change to communication preferences should not take seven days to update your systems.
As a consumer, if I rectify my details with a customer service representative, I'd expect to see that in real time in my profile. If I say no to personalized ads, I don't expect an email or online ad the following day because systems weren't updated. And finally, consumers want this best in class assurance that any details they share are protected, and that this is consistent across all their devices. This user awareness and feeling of trust that they need has been driven by privacy campaigners and compliance frameworks that have sprung up around the world, with recent fines from the ICO in the UK for data breaches again making the front page news.
This understanding will only keep growing from now. So we need to look carefully at how we make our digital touchpoints effective with the current expectations of an increasingly security and identity aware public. From a customer experience perspective, my identity platform should be able to allow SSO across all my devices, including web, mobile and IoT, with a wide range of options as to how the actual registration happens. Does it use social login? What personalization options do I have? It also needs to be available at all times. And this is where cloud can really excel.
When those requirements to suddenly service large amounts of users do occur, the platforms can resize accordingly and grow to accommodate the requests. This is why identity is frequently outsourced. Your identity platform should be able to handle thousands of logins per second without impacting the user experience. Websites becoming unusable because they are popular really is not acceptable in 2020. In the same way that many e-commerce sites do not handle credit card data themselves,
why should they handle personal data, especially with all the risk, regulations and associated fines?
It can be much easier to hand it off to a trusted third party. They handle size, complexity, regulations and security, and remove that burden for you, then handing back a token describing the claims that can then be used throughout your web estate.
We also need to build on customer trust and consent, allowing them to change or revoke their consent settings immediately, but also allowing progressive permissioning, allowing the consumer to share their minimum amount of data with us initially until they build up more trust and share it a little bit more and then a little bit more. But with the ever present four-letter acronyms that are shaping how we manage personal data, it is important that this data is collected, stored and managed securely.
We want to avoid data being stored in multiple locations and creating a toxic data flaw. Equally important is what systems have access to that data.
We now have a database that is rich with customer data and, used properly, can be a marketer's dream, but we need to ensure that the appropriate tools only have the specific level of access that they need. An email campaign tool may need to know age and email address and first name, but it does not need to know the post address.
Keeping to the principle of least privilege is a straightforward process when you're working with a single platform and not wrangling multiple databases. And this is a good example of why planning for scale is important and how it ensures that the user experience is seamless.
This is some data from a large retailer and the identity traffic that they experience on the site during Thanksgiving 2019 and the associated discount days on the Friday and Monday. So this retailer really doubles down on the hype around Thanksgiving and offers flash sales as well, trying to squeeze as much outta the peak selling time as possible.
So this creates a fantastic demand and huge awareness for the site. And as you can see, it almost triples the daily peak of identity requests.
In fact, they reached 7,000 logins per second at their busiest time. So the ability to scale is really, really important in these instances, and the actual traffic to the site was a much larger multiplier, but we were also able to help in that respect as well. So in looking at identity and access management for consumers, I wanted to show how Akamai is looking at this problem and how we can leverage our portfolio. As we have seen, there are a number of things that we need to consider. By using a cloud-based, or in reality edge-based, CIAM platform,
we're able to reduce friction for known good users and improve performance. Usernames and passwords are validated at scale and quickly, ensuring that content can be delivered quicker.
Both of these help improve customer experience. As we discussed earlier, scale is important, and auth should not be an impediment either to this or to reliability. Deploying on the edge of the internet allows 100% availability and the ability to service many thousands of requests per second, but we also need to be cognizant of security around that.
By leveraging an edge platform, we can analyze the request and do policy enforcement, check the context and the transaction type, and if necessary have service insertion so that we can add in bot management or WAF to protect against credential stuffing or application attacks. Customer experience, scale and reliability: these are really table stakes when you're designing a CIAM platform. So you need to guarantee these at the outset, else you'll struggle.
But in addition, using a global edge also allows things like data residency to be easily achieved for all applicable regulations, without having to hairpin traffic around the world to hit the relevant data silo.
When we start looking at risk based authentication, we are entering one of the key drivers towards a frictionless experience for the consumer. By taking telemetry from the inbound request, looking at the device, the geo, the time of day, and many other data points we were able to draw, we were able to establish whether it's low risk or higher risk
and, depending on that result, drive the level of authentication required, if any. In addition, at Akamai, we were able to draw upon a vast array of intelligence that we gather daily from delivering, on a good day, about a third of global web traffic. And this gives us a very rich view into the level of risk. As we have seen, customer identity is key to balancing the customer experience and the required security, but importantly, that CIAM platform needs to be secure, reliable, scalable, but it also needs to serve a myriad of different applications that are constantly evolving and changing.
So basic functions are key, like the easy self-service tools to get services up and running, having an API first methodology that truly allows you to scale and fully support CI/CD models. Having automation tools to reduce time to market, API here is also key. Without this in a major platform, you'll have major problems with growth and expansion.
Yes, it is a balancing act, but with a true edge-based CIAM platform, you can reach optimum customer experience with proper and effective security.
And with that, thank you very much for your time today. Any questions?