Identity Blog

Are You Treating Your Customers Like Criminals?

Gartner Prediction: By 2022, digital businesses with great customer experience during identity corroboration will earn 20% more revenue than comparable businesses with poor customer experience.

When people ask me what problems customer identity and access management solves, my reply is that first and foremost it improves the customer’s digital experience. If you want to convert your casual website visitors into engaged clients, the first hurdle is usually the registration and login process.

Logging in is not usually a pleasant customer experience. Why? Because businesses are constantly under siege from hackers (Data Breach Report 2018). Add to that the fact that most websites still use the password as the primary authentication method. Businesses are having to perform a balancing act—weighing customer experience against security. Most tend to err on the side of security, and who can blame them? The internet is rife with fraudsters who have hacked or guessed your customers’ passwords and identity. Many businesses assume that each visitor is a potential threat and load up the front-end experience with a requirement for absolute trust.

To that end, a range of authentication methods have been deployed to make the customer prove that they are not a threat.


CAPTCHA is used primarily to prevent automated attacks aimed at creating fraudulent new accounts en masse. According to Gartner, over 90% of websites with login pages experienced bot attacks related to credential stuffing or credential cracking in 2016, and over 80% of sites with sign-up or application pages were the victims of bot activity aimed at creating fraudulent new accounts. However, the CAPTCHA test to prove you’re human is not foolproof and can be beaten. More importantly, customers are more likely to abandon an interaction when they’re presented with any CAPTCHA request, with the highest abandonment rates for users on mobile devices.


I have been predicting the “Death of Passwords” for some time now. The key reasons:

  • Customers choose easy passwords that are easily hacked. 3 billion credentials were reported stolen in 2016.
  • Customers reuse those passwords. 60% of consumers reuse passwords across multiple sites.

Poor password hygiene means that the password holds very little value as proof of legitimacy. Even legitimate customers often have difficulty entering the correct password – a frustrating experience for them, but not a sign that they are actually a threat.

The reality is that the vast majority of customers logging in to an existing account are who they say they are and have no malicious intent. The “absolute trust” model results in real customers often abandoning the transaction because they lack the patience for a multistep authentication process. As younger users become accustomed to using social media login or device biometrics on their mobile phones, using these knowledge-based authentication methods will seem archaic and unpleasant. Businesses that continue to cling to the “absolute trust” model will find themselves losing market share to competitors who prioritize a “low-friction digital experience.”

So how can you achieve this low-friction digital experience for your customers? One method of authentication that is gaining awareness is risk-based authentication, also known as adaptive authentication. Risk-based authentication (RBA) starts from the assumption that your customers are legitimate, have no malicious intent, and pose low risk.

RBA starts with the creation of a risk profile using a set of key parameters:

  • Geographical location
  • IP address
  • Browser type
  • Device type

For example, User A typically accesses your web app from Seattle, using Chrome from a specific IP. Today, instead of accessing from Seattle, the user seems to be in San Francisco.

Each time the user accesses your web or mobile app, the system checks those parameters.

If any of the parameters do not match—in this case the city did not match—the system flags this and you have the option to:

  • Present the user with a challenge—usually multi-factor authentication.
  • Ask the user to contact support.
  • Block the user outright.

As long as the visitor matches the profile on record, they are granted an active session. There is no need for the user to log in with a password.
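The decision flow described above, as an added example that is not part of the original post or any vendor's product: a stored profile holding the four parameters the post names (location, IP address, browser, device) is compared with the parameters of the current login, every mismatch is flagged, and a policy maps the flags to one of the three responses (MFA challenge, contact support, block) or to granting the session without a password when nothing differs. The per-parameter weights and the thresholds are assumptions chosen for this illustration, not values from the post; the sample profile and IP addresses are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass

# The four profile parameters named in the post. The weights are assumed,
# illustrative values expressing how strongly a mismatch in each parameter
# raises risk (an IP change alone is common and cheap for an attacker to
# avoid, so it carries little weight on its own).
WEIGHTS = {"city": 3, "ip": 1, "browser": 2, "device": 2}

# Assumed policy thresholds on the summed weight of mismatched parameters.
SUPPORT_AT = 6   # most of the profile differs: ask the user to contact support
BLOCK_AT = 8     # nothing matches: block outright


@dataclass(frozen=True)
class Profile:
    """Risk profile for one user: the parameters checked on every access."""
    city: str
    ip: str
    browser: str
    device: str


def mismatches(on_record: Profile, attempt: Profile) -> list[str]:
    """Return the names of parameters that differ between the stored profile
    and the current login attempt, in WEIGHTS order."""
    return [p for p in WEIGHTS if getattr(on_record, p) != getattr(attempt, p)]


def risk_score(on_record: Profile, attempt: Profile) -> int:
    """Sum the weights of all mismatched parameters (0 means a full match)."""
    return sum(WEIGHTS[p] for p in mismatches(on_record, attempt))


def decide(on_record: Profile, attempt: Profile) -> tuple[str, list[str]]:
    """Map the flagged parameters to one of the post's outcomes.

    Returns (action, flagged_parameters) where action is one of
    "allow" (active session, no password), "challenge" (MFA),
    "contact_support", or "block".
    """
    flagged = mismatches(on_record, attempt)
    score = sum(WEIGHTS[p] for p in flagged)
    if not flagged:
        return "allow", flagged
    if score >= BLOCK_AT:
        return "block", flagged
    if score >= SUPPORT_AT:
        return "contact_support", flagged
    return "challenge", flagged


# Constructed sample data: User A from the post, normally in Seattle on Chrome
# from a fixed (documentation-range) IP address.
USER_A = Profile(city="Seattle", ip="203.0.113.10", browser="Chrome", device="desktop")


def example_user_a() -> tuple[str, list[str]]:
    """The post's scenario: same IP, browser and device, but the city changed."""
    attempt = Profile(city="San Francisco", ip="203.0.113.10", browser="Chrome", device="desktop")
    return decide(USER_A, attempt)


if __name__ == "__main__":
    action, flagged = example_user_a()
    print(f"User A from San Francisco -> {action}, flagged: {flagged}")
```

In the post's scenario only the city differs, so the user is flagged and presented with an MFA challenge rather than blocked; a login where everything on the profile differs is refused. Whichever thresholds a deployment chooses, the step that matters for the customer experience is the first branch: a full match grants the session with no password prompt at all.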

RBA provides an excellent balance of security and ease. Customers get a truly low-friction digital experience, while businesses have extra protection when a change in behaviour indicates higher risk. And there’s no need to treat legitimate visitors with the suspicion that only fraudsters deserve.

If you would like to get a customized demonstration, contact us.
