Security is often seen as a trade-off for usability – a poor customer experience risks your product being unloved and unused; poor security leaves you at risk of a fine, sanctions, reputational damage or a swift and terminal death of your product, service or organisation.

As a product owner, usability issues are usually quite tangible. We can see through the user's eyes the clumsiness that security measures introduce.

Security, on the other hand, is often about risk, or about intangible issues. Judgements are made on likelihood and impact; we gaze into the crystal ball to imagine what would happen in the event that the security risks come true or the issues are exploited. This crystal-ball gazing often results in the wrong balance being struck – which invariably leads to poor outcomes regardless of which side we've come down on.
Authentication is one area of functionality that product owners get badly wrong. As the front door for customers to your product or service, getting authentication right is imperative. Single-factor authentication is generally inadequate for anything important, and poor implementations for less important access undermine the entire ecosystem. Two-factor authentication is often clunky and not user friendly – having to run out of the building to get a mobile phone signal to receive your SMS one-time passcode, carrying around an authentication token that you have with you at all times apart from when you actually need it, or needing to authenticate into another service to be able to authenticate into the service that you actually want to use.
To get authentication right, context is everything – if we factor in what the user is wishing to do, and combine that with the behavioural knowledge that we have of the user, we can increase both security and usability.

Let's look at a traditional use case: when I get into my car, I place my smartphone into its cradle and it connects itself, via Bluetooth, to my car's audio system. As I'm driving along, I give a command to the smartphone's virtual assistant – and, recognising my command, it says "you'll have to unlock your phone so I can do that" – which I can't do... as I'm driving.
Now let's look at the same use case with context applied: my phone is in my car, so the chances of someone else using it are lower. While I still might not want to open up full functionality – I don't want someone to steal my phone and my car and then empty my bank account – I can authorise more functionality without the need for any further authentication. I can also use behavioural information to further reduce the security risk – do I normally get my schedule narrated while I'm driving to the station? The introduction of new credentials can be facilitated too – while voice biometrics may not be very reliable in a noisy environment, I can increase the matching tolerance because of the more granular levels of context applied.
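One way to model the decision described in the car use case, as an added example that is not the author's own design: a small Python policy that turns passive context (a trusted paired device, a behavioural baseline) into a trust score, relaxes the voice-match threshold as that trust grows, and still forces an explicit unlock for the most sensitive actions. The action names, sensitivity weights, trust increments and thresholds are illustrative assumptions, not values from the post.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"      # serve the request with no further interaction
    STEP_UP = "step_up"  # ask for an explicit unlock / second factor first


# Assumed sensitivity of each action: how much assurance it needs (0..1).
ACTION_SENSITIVITY = {
    "narrate_schedule": 0.3,
    "send_message": 0.6,
    "bank_transfer": 1.0,
}
# Anything this sensitive always needs an explicit unlock, whatever the context.
ALWAYS_STEP_UP = 0.9


@dataclass
class Context:
    trusted_device_paired: bool          # phone docked and paired to the owner's car
    habitual: bool                       # behavioural baseline: user normally does this here/now
    voice_score: Optional[float] = None  # biometric match 0..1, None if no voice sample


def context_trust(ctx: Context) -> float:
    """Assurance earned from passive signals alone (assumed weights, max 0.6)."""
    trust = 0.0
    if ctx.trusted_device_paired:
        trust += 0.35
    if ctx.habitual:
        trust += 0.25
    return trust


def voice_threshold(trust: float) -> float:
    """Relax the voice-match threshold as passive trust grows (noisy car cabin),
    but never below a hard floor so context alone cannot switch biometrics off."""
    return max(0.65, 0.9 - 0.4 * trust)


def decide(action: str, ctx: Context) -> Decision:
    required = ACTION_SENSITIVITY[action]
    if required >= ALWAYS_STEP_UP:
        return Decision.STEP_UP            # e.g. bank transfer: context never suffices
    trust = context_trust(ctx)
    if ctx.voice_score is not None and ctx.voice_score >= voice_threshold(trust):
        trust += 0.3                       # voice accepted at the context-adjusted threshold
    return Decision.ALLOW if trust >= required else Decision.STEP_UP
```

With the phone docked in the car and schedule narration being habitual, `decide("narrate_schedule", ...)` allows the request outright, while a bank transfer is always sent to step-up regardless of how good the voice match is.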
This use of multi-factor authentication and authorisation allows a much richer balance of security and usability to be achieved. Behavioural biometrics and multi-factor authentication could allow product owners to tip the balance in favour of both usability and security.
About me
Bryn Robinson-Morgan is an independent Business Consultant with interests in Identity Assurance, Agile Organisational Design and Customer Centric Architecture. Bryn has 20 years experience working with some of the United Kingdom's leading brands and largest organisations.