[BreachExchange] 10 Steps for Creating Strong Customer Authentication

Destry Winant destry at riskbasedsecurity.com
Tue Oct 30 13:52:22 EDT 2018

Between usability goals and security/regulatory pressures, setting up
customer-facing security is difficult. These steps and best practices
can help.

More than 2.5 billion records were compromised via data breaches last
year. When measured against the Ponemon Institute's estimated average
cost of $148 per breached record, that figure equates to $370 billion
in business losses. Each year, the average cost of data breaches is
rising, according to Ponemon, and many experts say that threat actors
aiming to compromise business and personal data are growing
increasingly aggressive.

Exacerbating this issue is the emergence of stringent data privacy
regulations in recent years. The European Union's General Data
Protection Regulation (GDPR), which was went into effect earlier this
year, is the broadest, but a wide range of countries across the globe,
and numerous states in the US are launching similar laws that regulate
how data is processed, stored, and protected, elevating data
protection beyond IT and information security departments and into the

Under GDPR, any organization that sells goods or services to EU
citizens, or processes their data, is required to comply, including
implementing "appropriate technical and organizational measures to
ensure a level of security appropriate to the risk." With today's
sophisticated hacking, phishing, and social engineering tactics. Even
strong passwords are no longer enough to meet this requirement or
prevent a breach. To deal with the varying levels of system
interactions and associated risk profiles, businesses must reassess
their customer-facing security requirements. This is where multifactor
authentication, the use of more than one means to authenticate a
user's identity, is playing a critical role.

The Challenge of Customer-Facing Security
Consumers are placing greater emphasis on brand trust in their
purchasing decisions and will judge that trust largely on the extent
to which the brand secures their data. At the same time, they still
expect a seamless experience that allows them to make online
transactions from any device, anytime, anywhere.

And while multifactor authentication has been widely adopted by many
businesses, rolling it out can be complicated and difficult,
particularly in maintaining ease of use and access for customers. If
security becomes a barrier, people will either look for a different
provider or begin looking for ways to circumvent the security system.
When this happens, the authentication system becomes less secure.

The perfectly usable system isn't secure at all, but it seems the
perfectly secure system isn't usable at all. How do businesses
reconcile the need to implement multiple controls for security and
compliance, with the demand from consumers to provide ease of use?

Steps to Strong Customer Authentication
The best approach to designing multifactor authentication is to start
with user needs and work inward. The implementation team should ask
questions including these:

- In the customer journey, how are the interactions and transactions connected?
- How could fake customer accounts crop up?
- Where are the compliance gaps?

It's also important to examine business process and lock down existing
security holes before new methods are implemented, so that
customer-facing authentication controls are instituted as part of a
broader security architecture. Below are 10 steps to enable a seamless

Step 1: Goal setting. Determine what business problem the organization
is trying to solve and which regulations apply. Evaluate the
sector-specific compliance requirements and best practices equally
against the customer impact. Goals should be set based on the adage:
"Fast, cheap, or good — pick two out of three."

Step 2: Situation analysis. Outline the entire customer journey and
touchpoints to identify burning issues, assess threat levels, and
determine where vulnerabilities exist. Consider which elements — such
as password resets, purchases, account info changes — need the most

Step3: Research. Look for information on best practices from experts
in the field, including consultants, analysts, and solution providers.
Determine what is relevant to the results of the situation analysis.

Step 4: Provider selection. With clear business needs in hand,
evaluate vendors by which ones can meet those specific needs. Don't
fall in love with a vendor or a solution and then attempt to
reverse-engineer the project.

Step 5: Implementation planning. Determine which stakeholders across
the organization need to participate in the planning, and what
resources will be needed to deploy the technology. Set milestones and
timelines to keep the project on track.

Step 6: Testing. Decide what conditions should be met in the testing
phase. Implement test cases and A/B testing on subsets of users on
particular use cases, and then analyze the results to refine the
program as needed.

Step 7: User education. Existing customers should be notified ahead of
time that new security controls are being added, and why. Be sure to
provide an avenue for customers so submit concerns and questions. It's
also important to offer customers a variety of potential multifactor
authentication options and let them choose. As much as possible, let
them set up their preferred method before it takes effect.

Step 8: Deployment. Once testing is complete, adjustments have been
made and users have been given the opportunity to express concerns,
full deployment can move forward. Have a back-up plan in case of
unforeseen problems.

Step 9: Monitoring. Enable monitoring for measurable outcomes that map
back to goals, and allow stakeholders to follow and check-in on how
the program is progressing/running. It is critical to monitor key
indicators including error rates and customer satisfaction scores.

Step 10: Maintain. Security is not a one-and-done endeavor. It is a
continually iterative process that must stay apace with new threats
and risks. Maintain a security program that is adaptable to changes in
the consumer, regulatory and cybersecurity landscapes.

Striking the right balance between security and usability is the only
way businesses can ensure ongoing consumer trust in their brand, meet
the obligations they face under new regulations, and keep customers
happy. The steps above are key to successfully executing a new
multifactor authentication program, but organizations must also work
toward establishing proactive attitudes toward trust and privacy. A
strong internal culture of security along with a holistic approach
will go a long way toward avoiding breaches and harsh penalties from

More information about the BreachExchange mailing list