I'm John Tolbert, Lead Analyst here at KuppingerCole, and I'm going to talk about the changing landscape of consumer identities. We'll launch right in: we'll talk about some of the convergence and the tools that are out there for consumer environments, the need for fraud prevention, and then a critique of the consumer experience today. So first up, convergence of features. We see the consumer identity and access management (CIAM) platforms beginning to converge with some other tools in the space, like consent and privacy management (CPM) and customer data platforms.
And this can be facilitated by decentralized IDs. CIAM, as you know, has been around for a good 10 or more years, originally developed to address some of the shortcomings of enterprise IAM when exposed to consumer users. It can do things like handle registrations and perform authentication, including more advanced mobile-based authentication options. It can collect identity and marketing information that the customer organizations can use.
Increasingly they are accessible via APIs for remote management, and that aligns with the broader view of microservices architecture that we see in the IAM and identity fabric space. They also can help provide account protection, as we'll talk about with fraud prevention in a few minutes. There are many IoT devices used by consumers these days, whether that be wearables or smart home devices, and often they're managed in conjunction with a consumer identity. And then, in order to be able to use this information, customer organizations need to be able to collect consent
that's relevant to whatever jurisdiction they're in. And that's a good jumping-off point for consent and privacy management. Those are tools that have evolved in the last five or so years, really addressing things like GDPR and other privacy regulations. They can handle consent collection like CIAM platforms do.
They can also do things like provide data subject access request portals, which they tend to do better than most of the CIAM platforms, but they also do things like cookie management and privacy policy management. With privacy policies being driven by regulations in different places around the world, with slightly different requirements for every jurisdiction, having privacy policy management is a really good feature. And of course they can assist with audit and compliance as well.
Customer data platforms are a union of all the consumer information that an organization might have, whether that be in the CRM system or other places. They're tools that can pull it all together and associate identities with that, and they have pretty advanced analytics built into those platforms as well as reporting. So you see there's a lot of overlap in features, and I think we'll see greater convergence of these platforms in the years ahead. Then, decentralized identities.
We've already had a good presentation this morning from Dick Hardt about DIDs. DIDs can help consumer-facing businesses in a number of ways: identity verification, showing that a user who's purporting to be the owner of an account really is the appropriate user. DIDs can allow you to use multiple authentication services; it can be something that you don't necessarily have to provide as a CIAM customer. Same with registration: DIDs make that much faster and easier, since information can be provided through an agreement. It also relieves the burden of managing those identities within your own CIAM system
if you're relying upon DIDs, and it does not preclude marketing and marketing automation; those things can be handled by agreement as well. So fraud, as you know, is a big problem in the consumer-facing world, and there are fraud reduction intelligence platforms that can integrate with CIAM solutions and reduce the overall level of fraud.
There are lots of different kinds of fraud, but let's just focus on two main ones that CIAM system users need to worry about. The first one would be new account fraud, sometimes called synthetic fraud, sometimes called account opening fraud. These are cases where a fraudster might get information about real identities, from medical records, employment records, education records, and use that to assemble an account that looks like it's somebody else, but they use it for fraudulent purposes.
Oftentimes that's for moving money around through new accounts, getting it from cryptocurrencies into a format that they can use. Then there's account takeover fraud, which is exactly what it sounds like. Fraudsters might search the dark web, get username and password combinations, and they may use bots to do credential stuffing attacks to see if they could take that username and password that's been exposed and use it on other sites,
if the users have used the same password. So that's one of the main reasons we tell people not to reuse passwords: to keep account takeover fraud down. But the big picture is that fraud is escalating. It's gotten worse during COVID; there have been a number of COVID-specific fraud attacks, but these are things that all sorts of businesses across many different industries have to deal with.
There may have been a point years ago where fraud was viewed as a write-off or just the cost of doing business, but it's gotten to be such a large degree that that's just not acceptable anymore. Fortunately there are fraud reduction intelligence platforms that you can plug into your CIAM solution and transaction processing solutions and help get the fraud under control.
So I've laid out six major methods for reducing fraud. The first is identity proofing and vetting: matching an account requester to a real identity, often using verified documents. Credential intelligence is using information shared between identity providers: has a credential been used fraudulently at some other site? It'd be good to know that before they come to yours; then you can raise the flag over that and potentially deny access. Device intelligence is about looking at a user's device. Is it rooted or jailbroken?
Are they using anti-malware? Is it appropriately patched? Any information about device reputation that's out on the web can be pulled together and factored into risk decisions. User behavioral analysis is another area: looking at historical transactions, usually fairly recent, to build a baseline of normal user activity. Is this currently requested transaction similar to transactions they've made in the past? Does it originate from similar locations? Is it the same payee, if it's a financial transaction, or is it wildly outside of that baseline?
If so, you may want to deny that or look for some additional proof of identity. Behavioral and passive biometrics: that's how users interact with their devices. If it's a computer, it could be things like keystroke dynamics and mouse movement analysis. If it's a mobile phone, it could be how they hold the phone, the gyroscopic indicators, touchscreen pressure, how they swipe on the phone. All those can build a pretty unique pattern of individual behavior, and when that deviates, you can use that to raise a risk indicator.
Then lastly, bot intelligence and management. Bots have kind of a bad reputation, but bots are very important for getting web business done. So you want to know if a bot that's on your site is a good bot or a bad bot, or maybe somewhere in between, and then decide how you want to handle that. So these are the six major fraud reduction methods. I thought we'd look real quickly at how this can integrate with CIAM solutions.
In the first instance, we're going to consider a CIAM solution where the administrator has to go out and configure each one of these intelligence sources individually, and we'll run through a real quick example. Let's say a user's going to register with the site for the first time. It's a valid email address; it hasn't been used elsewhere. That's what compromised credential intelligence tells us. Do a device intelligence check, but that failed; behavioral biometrics failed as well.
So it looks like it may be a bot that's actually using this email address. What this means from a customer administrator perspective is that if you want to get all these different pieces of information to do risk-based authentication, you'd have to configure each one individually, which is complex and time-consuming. In this example, let's just say this is an ATO attempt, and that's ultimately why it would've failed, because the three different pieces of information would've added up to say, no, this probably isn't a legitimate request.
But on the other hand, there are these fraud reduction intelligence platforms that aggregate a lot of these different sources. So if you're a customer administrator running CIAM, you can do a single API call out to the FRIP service, which then goes and looks at compromised credential intelligence, device intelligence, various identity proofing sources, and many do behavioral biometrics and bot detection.
In this case, we'll say this is a user on a new device, and so it may fail device intelligence, but everything else is green.
Your risk system might decide, okay, this is a passing score. Again, this is a much easier approach, because you only have to do the single API call to the service, which then pulls in all this other information at runtime or transaction time. It makes it much simpler to integrate.
We do have a recently published Leadership Compass on fraud reduction intelligence platforms. That's on KC Plus; feel free to take a look at that. It can give you more information about the various fraud reduction platforms that are out there. So let's take a look at the need for better consumer experiences. The capabilities are in the products today, but first let's look at the reality of the consumer experience.
Often you hear those of us in identity talk about the need to have a delightful journey, but the truth is, in many cases the journeys are not as delightful as they can be and as they should be. A lot of consumer-facing businesses are not really getting it quite right, everything from search and navigation through a site to some of the things that concern us as identity practitioners. Multi-factor authentication is still not ubiquitous. We've been talking about the need for MFA for years; same thing with risk-based authentication.
It needs to be adopted much more widely, and that draws on the slides and the things that we just talked about: how to integrate fraud reduction, how to make intelligent risk decisions at login time and at transaction time. And then single sign-on is not exactly a brand new technology, but I'm surprised, in my own role as a consumer, how many times you have to create accounts, manage those accounts and log in separately, sometimes at companies that are conglomerates with multiple brands; they're not federated between domains.
These are things that are, as we like to say, low-hanging fruit: easy things that organizations could put into place to make the consumer experience better. I think that, as an industry, we need to focus on usability. In many ways, I feel like usability is actually declining. It's getting harder to use certain features than it really should be.
And I think we can deliver both improved usability and better security. They're not mutually exclusive. New technologies, mobile authenticators, FIDO standards: I think these are ways in which both the user experience and overall security can be improved.
And again, many times these capabilities are in the products. They're just not being fully utilized by customer organizations. So how can we improve that?
Well, I think CIAM vendors and system integrators need to focus on how to help their customers deploy this in a way that's more satisfying for the consumer experience. Roll out MFA; roll out MFA that uses mobile devices. It's not that difficult and really can make an immediate improvement in the overall security posture for a site. So the technology is here. There are a lot of great CIAM platforms. We also have reports on that; I encourage you to take a look at reviews of some of the CIAM platforms. There are lots of good capabilities there.
They just need to be rolled out for more customer organizations to use. So lastly, let's deconstruct a couple of customer journeys and see how all this fits together.
Two registration cases, and then some tips on authentication. I thought I'd start with a non-financial business, because this kind of changes the flow. You have a user coming in with a device.
They either type in their information to register, or they may use a social login, which is not ideal. In some cases they may use autofill from the browser, but any email address or address you've entered into your browser somehow winds up in the autofill, and it makes it kind of a mess to have to deal with that. CIAM platforms have long had the notion of progressive profiling, where a consumer can come in and register and just give basic information up front, and then the system learns more about them as they go. Decentralized identities,
I think, again present a distinct advantage here, because you've got a lot of the information already taken care of; the user can simply decide what they want to present from their wallet. The user's device can be associated with the account, and that can be good for an additional account recovery mechanism. So as a customer portal, what do you do with that information?
Well, it gets stuck in the CIAM system, where it can be used for things like identity and marketing analytics, which is great. But there may be a need for identity proofing, and there also may not be, depending on the kind of business that you're in. Identity proofing can be a way to increase the overall identity assurance, but it may not be required in all industries. So that's different on the financial side, where, in the same scenario, a user comes in and they have to type in information, use a social login, or autofill.
They could use a DID if available. The ID proofing requirements in the financial industry are going to drive the need for identity proofing: anti-money laundering and know-your-customer regulations in different places around the world say you've got to get information about the user, pass that on, and verify that up front. So it makes progressive profiling not really an option. How do you do this? It can be video identification using maybe a mobile app or mobile SDK: take a selfie, match that to the picture on a driver's license or a passport or a national ID card.
It can also read information off the ID card using OCR, or connect with it via NFC if it's got a chip. And then, trying to wrap up here quickly, a way to look at authentication. KBA, knowledge-based authentication, security questions: they're less secure than passwords, even. Most of that information is available online, so please don't use that. Passwords: 80 or 85% of data breaches are caused by bad passwords. Let's get rid of those wherever possible.
SMS OTP is probably the most common MFA form, but even that's pretty easily bypassed with things like SIM swap attacks; not recommended. That leaves us with things like PKI, hardware tokens, smart cards. They're great for enterprise cases, maybe good for various specific uses on the consumer side. That leaves us with mobile apps, SDKs and mobile biometrics as the best options for consumer authentication experience improvement. And with that, I will conclude.
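The aggregated integration pattern the talk describes (one call from the CIAM platform to a fraud reduction intelligence platform, then a risk decision on the combined report) as an added worked example. This is not code from the talk, from KuppingerCole, or from any CIAM or FRIP vendor; the signal names, weights, thresholds and the two constructed reports (the "ATO attempt" and the "new device" cases from the talk) are all assumptions made for this example. It goes slightly beyond the talk in one respect a practitioner will care about: a check the service could not answer is treated as missing evidence and never lets the request through as a plain allow.

```python
"""Risk-based authentication from aggregated fraud signals.

Added example, not code from the talk or from any CIAM or fraud reduction
intelligence platform (FRIP) vendor. The CIAM platform makes one call to a
FRIP, receives the result of every check in a single report, and turns that
report into an allow / step-up / deny decision. Signal names, weights,
thresholds and the sample reports are assumptions constructed for this example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"        # let the login or registration proceed
    STEP_UP = "step_up"    # require an additional factor or more proof of identity
    DENY = "deny"          # refuse the request outright


# Risk added by each *failed* check, and whether a failure is disqualifying on
# its own. Values are illustrative, not a vendor's scoring model.
SIGNAL_WEIGHTS: dict[str, tuple[int, bool]] = {
    "compromised_credential": (50, True),   # username/password seen in a breach dump
    "bot_detection": (50, True),            # automation consistent with credential stuffing
    "identity_proofing": (40, True),        # document/selfie verification failed
    "behavioral_biometrics": (35, False),   # typing/swipe pattern deviates from baseline
    "user_behavior": (30, False),           # transaction outside the historical baseline
    "device_intelligence": (20, False),     # rooted/jailbroken, unpatched or never-seen device
}

STEP_UP_AT = 25   # total risk at or above this asks for another factor
DENY_AT = 50      # total risk at or above this is refused


@dataclass(frozen=True)
class RiskResult:
    score: int
    failed: tuple        # names of checks that failed
    unavailable: tuple   # names of checks the FRIP could not answer (timeout, no data)
    decision: Decision


def score_report(report: dict) -> tuple:
    """Sum the weights of failed checks in a FRIP report.

    ``report`` maps a signal name to True (passed), False (failed) or None
    (no answer). Unknown signal names raise rather than being silently
    ignored, so a misconfigured integration fails loudly.
    """
    total, failed, unavailable, hard_fail = 0, [], [], False
    for name, passed in report.items():
        if name not in SIGNAL_WEIGHTS:
            raise ValueError(f"unknown fraud signal: {name}")
        if passed is None:
            unavailable.append(name)
        elif not passed:
            weight, disqualifying = SIGNAL_WEIGHTS[name]
            total += weight
            failed.append(name)
            hard_fail = hard_fail or disqualifying
    return total, failed, unavailable, hard_fail


def decide(report: dict, step_up_at: int = STEP_UP_AT, deny_at: int = DENY_AT) -> RiskResult:
    """Turn one aggregated FRIP report into an authentication decision.

    A single disqualifying failure denies regardless of the total. A check
    that returned no answer never lets the decision drop below STEP_UP: the
    policy fails closed instead of treating missing evidence as a pass.
    """
    total, failed, unavailable, hard_fail = score_report(report)
    if hard_fail or total >= deny_at:
        decision = Decision.DENY
    elif total >= step_up_at or unavailable:
        decision = Decision.STEP_UP
    else:
        decision = Decision.ALLOW
    return RiskResult(total, tuple(failed), tuple(unavailable), decision)


# Constructed reports mirroring the two cases in the talk (not real FRIP output).
# Case 1: credential not in any breach, but the device check and behavioral
# biometrics both fail, the pattern the talk treats as a probable bot / ATO attempt.
ATO_ATTEMPT = {
    "compromised_credential": True,
    "device_intelligence": False,
    "behavioral_biometrics": False,
}
# Case 2: a legitimate user on a new device; only device intelligence fails.
NEW_DEVICE = {
    "compromised_credential": True,
    "device_intelligence": False,
    "behavioral_biometrics": True,
    "bot_detection": True,
    "identity_proofing": True,
}

if __name__ == "__main__":
    for label, report in (("ATO attempt", ATO_ATTEMPT), ("new device", NEW_DEVICE)):
        result = decide(report)
        print(f"{label}: score={result.score} failed={result.failed} -> {result.decision.value}")
```

With the assumed weights, the ATO case scores 55 and is denied, while the new-device case scores 20 and is allowed; lowering `STEP_UP_AT` to 20 would turn the new-device case into a step-up, which is the knob a risk team would tune against its own false-positive data rather than a fixed rule.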