IAM Feeling Good?
I switched banks years ago. My former bank’s financial services and benefits were average when compared to other banks, but something in particular triggered my decision to switch. I had had a bad online user experience, and in particular a bad feeling about its Identity and Access Management (IAM).
The online banking website had some clunky functionality, a poor look and feel overall, and an unusual and annoying authentication function. My dissatisfaction developed from my first interaction with the app and it increased every time I logged in.
Online user experience (UX) is important, and it usually starts with IAM functions such as identity enrolment and access.
The secure user experience conundrum
A business I recently engaged with highlighted a common challenge across IAM approaches, which reminded me of my experience with my old bank. The context was about providing clinical staff with secure and convenient access to business applications from any device, anytime, anywhere. Business and security stakeholders had some different views on how to best implement strong authentication functions.
“We’ll need two-factor authentication,” the business stakeholder told me. “I’d like to use SMS codes, but nothing like Google Authenticator, which would require the staff to deploy an extra app on their mobile device. It would kill the [business] service adoption.”
At the stakeholder’s suggestion, I then discussed the matter with the company’s CISO separately.
“Yes, we’ll want two-factor authentication,” the CISO confirmed. “I don’t want SMS passcodes. They’re not that well rated anymore by NIST, and for good reasons. We should look at a [soft] token solution.”
The business stakeholder prioritised usability and the security stakeholder prioritised the strength of the security controls. Both priorities are understandable, but together they present the challenge of converging the two stakeholders’ expectations. This challenge is common in security projects, and especially in IAM.
Three Key Criteria of Identity and Access Management
The functions of IAM are implemented in many ways, in both enterprise and consumer contexts. For example, consumer identity enrolment processes can require different input from the registering users in content, format and steps. Authentication functions can also be implemented through a wide range of options that deliver different user experiences.
The convergence of user experience and security priorities is critical to enhance the IAM feel, boost user satisfaction and facilitate the successful adoption of online business services. A good way to manage the convergence issue is through the following three key criteria of IAM: function, security and feel, with a set of guidelines to integrate them efficiently.
1. IAM Function
IAM processes perform concrete tasks. For example, the identity registration process creates new digital identities and credentials, which users then present to access applications. The authentication process verifies a user’s credentials; when verification succeeds, the process creates a session and grants the user access to an application.
The IAM functions require different levels of user involvement. They subject users to different experiences and provide different levels of security.
2. IAM Security
The key IAM functions of identity registration or enrolment, proofing and authentication can be rated on a security scale of assurance levels. The US National Institute of Standards and Technology (NIST) Digital Identity Guidelines (Special Publication 800-63-3) provide a good reference: the Identity Assurance Level (IAL) rates how thoroughly an identity was proofed at enrolment, and the Authenticator Assurance Level (AAL) rates how strong the authentication is. (The guidelines also define a Federation Assurance Level, FAL, for federated assertions.)
The assurance level is determined by the way the IAM functions are implemented. The higher the assurance level, the more is typically required from the users and the technology they use.
3. IAM Feel
Users such as consumers, citizens, staff members and business partners develop different feelings and experiences through their interactions with IAM functions. That experience can be critical to user satisfaction and to the successful adoption of online services, especially with consumers.
The IAM functions create a first impression ranging from bad to good that will evolve over time. For example, the frustrating online banking authentication experience that contributed to my decision to switch banks involved the use of a virtual keyboard to input a Personal Identification Number (PIN), and the virtual keyboard changed the order of the keys every time. That type of frustration builds up.
In my experience, the IAM feel has not been given much consideration to date across industries. The IAM functions are still often delegated to security stakeholders, with limited collaboration or influence from the business side.
Balancing User Experience and Security
The following guidelines can help IT teams manage a balance of Identity and Access Management function, feel and security for the best business outcome:
- Start with an application risk assessment and set the required security assurance levels for each IAM function. Then identify the technologies and process options available to achieve the target assurance levels.
- The IAM feel is valuable to the business. A better IAM feel can outweigh a different or more expensive IAM function if it contributes to better user satisfaction and better online service adoption, especially for online consumer services such as banking, shopping and citizen services.
- Collaborate across security, digital and business stakeholders on the IAM functions from the beginning. Don’t leave it to a User Acceptance Testing (UAT) phase for the business stakeholders to realise, very late, what their clients must go through to access apps. Some IAM technology platforms also make it easier to orchestrate such collaboration.
- Apply IAM UI and UX frameworks to IAM processes. For example, consider User Centred Design (UCD) principles for the development of IAM related user interfaces.
- For access processes, avoid using passwords at all if you can. They are a total pain for users. Prioritise the use of biometrics-based methods where possible, keeping in mind that NIST SP 800-63B counts a biometric only as one factor bound to a specific device, not as a standalone authenticator. Use mobile apps for strong authentication options. I’m a big fan of the push authentication (Push-Auth) and push authorisation mechanisms. A push prompt should show what is being approved (the application, the session and ideally a number to match) so that users approve only requests they initiated. Consider also offering users the option to select a preferred, strong authentication method if they want to. It’s a nice touch.
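As an added illustration that is not part of the original article: the soft-token option the CISO prefers in the clinical-staff story, and the “mobile apps for strong authentication” guideline above, usually mean a TOTP app (RFC 6238, the algorithm Google Authenticator implements), and the server side is a small amount of code. The Python below uses only the standard library and is checked against the published RFC 4226/6238 test vectors. The secret, user names and timestamps are constructed sample values, and the replay store is an in-memory dictionary standing in for whatever persistent store a real deployment would use.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the RFC 4226 / RFC 6238 reference secret, 20 ASCII bytes.
SAMPLE_SECRET = b"12345678901234567890"


def decode_base32_secret(encoded: str) -> bytes:
    """Turn the Base32 seed shown at authenticator enrolment (otpauth URI)
    back into raw key bytes, tolerating spaces, lowercase and missing padding."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10**digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check of a soft-token code.

    - Accepts the current 30-second step and one step either side, so a phone
      whose clock is slightly off still authenticates.
    - Remembers the last time step accepted per user and refuses anything at
      or before it, so a code seen over the shoulder cannot be replayed
      within its validity window.
    - Compares with hmac.compare_digest to avoid a timing side channel.
    """

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step = step
        self.digits = digits
        self.window = window
        # user id -> last counter accepted; in-memory here, persistent in a real system
        self._last_counter = {}

    def verify(self, user: str, secret: bytes, code: str, unix_time: int) -> bool:
        if len(code) != self.digits or not code.isdigit():
            return False
        base = unix_time // self.step
        last = self._last_counter.get(user, -1)
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= last:
                continue  # already consumed (replay) or older than an accepted step
            if hmac.compare_digest(hotp(secret, counter, self.digits), code):
                self._last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier()
    now = 1111111109  # constructed timestamp taken from the RFC 6238 test table
    code = totp(SAMPLE_SECRET, now)
    print("code:", code)
    print("first use accepted:", verifier.verify("alice", SAMPLE_SECRET, code, now))
    print("replay accepted:", verifier.verify("alice", SAMPLE_SECRET, code, now))
```

The one-step drift window and the per-user replay record are the two details most often missing from home-grown verifiers; the first keeps the IAM feel tolerable for users whose phone clock is off, the second keeps the security stakeholder’s assurance level honest.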
Article first published on SecurityIntelligence on Feb 21, 2017.