Despite public desire to end data breaches, customer identity and access management is more marketing than security
03 April, 2017
The dirty little secret of consumer identity and access management is that security and authentication aren’t the priority. These systems are about enabling the organization to gather as much information about consumers as possible in order to get them to come back to the site and buy more products.
This makes managing consumer identity information a difficult job. Organizations need to strike a balance. The registration process can’t be too onerous or people won’t bother to go through with it. But they still have to provide enough data that the marketers have some picture of the consumer.
This is the age of the data breach, and many companies are realizing that storing loads of consumer data may not be the best idea. Some organizations are starting to look at federated identity schemes, which enable access, deliver some consumer data and often provide a better user experience.
A common approach to federated identity in the consumer space is social login, enabling credentials from Google, Facebook or other sites for access. This enables companies to outsource much of the IAM function and still get data about the consumer – but hopefully not enough to cause irreparable brand damage if breached.
In the early years – say 2012 to 2015 – the knock against federated identity for user authentication was that consumers were not able to control the data they were giving up to an organization. Facebook famously took a beating from the privacy community for oversharing personal data in early social login rollouts. This has changed over the past couple of years and looks to change further by 2018 as regulations in Europe take hold.
European regulation will require companies to give consumers access to any and all information stored about them, as well as the ability to delete any of that data. The fines for violating the General Data Protection Regulation (GDPR) are steep, reaching 20 million euros or 4% of a company’s annual revenue, whichever is greater.
While these regulations can only be enforced in the European Union, U.S. companies that do business in Europe will have to comply. This could lead many to implement these systems globally.
Federated identity on the rise
Web sites and companies want to adopt federated identity schemes because it improves the consumer experience, says Merritt Maxim, a senior analyst serving security & risk professionals at Forrester Research. Still, he estimates that less than 50% of all sites accept federated identities.
The primary reason web sites go with federated identity is registration fatigue, Maxim says. Consumers are tired of filling out forms with the same information over and over again and having to remember a new password. Federated identity simplifies the process; consumers just choose the identity provider they want to use and are granted access for browsing.
Pharmaceutical companies are using these types of systems for consumers who are taking statin drugs, Maxim explains. While such a site offers information about the drug, it can also provide information on a healthy lifestyle, coupons and other material. For this type of transaction the company wants to have some idea of whom it is communicating with, but it doesn’t need every single identity attribute. “The social identity is enough for browsing,” he adds. “A lot of the adoption of consumer identity and access management is driven by lower risk or lower transaction environments.”
If a consumer wants to purchase something from a site, more identity information is needed and they typically have to provide an email address and payment card data, Maxim says.
Where consumer IAM with social login becomes tricky is the volume of attributes the relying party web site receives, Maxim says. The problem is twofold. Some sites, for example Facebook, let the consumer choose which attributes to share, such as email, friends list, etc. Other credential providers will give sites some attribute data for free, but if they want more in-depth data the relying party site has to pay for it. “There can be friction as the identity provider wants money for providing identity attributes, otherwise they can restrict them,” he explains.
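The tiered model Maxim describes (a social identity is enough for browsing; a purchase needs an email address and more) is a data-minimization policy a relying party can enforce in code rather than simply storing whatever the identity provider returns. The following is an added illustration, not code from the article or from any identity provider: it takes a constructed set of identity-provider claims (already signature-checked upstream, which is assumed here), keeps only the claims the current transaction tier needs, and provides the access and erasure operations the GDPR discussion above calls for. The tier names, claim allowlists and record store are hypothetical.

```python
"""Claim minimization for a social-login relying party (illustrative, hypothetical policy)."""
from dataclasses import dataclass, field
from typing import Dict, Any, Set, Optional

# Per-transaction-tier allowlists: the relying party keeps only these claims.
# Hypothetical policy mirroring the article's browse-vs-purchase distinction.
TIER_CLAIMS: Dict[str, Set[str]] = {
    "browse": {"iss", "sub"},
    "purchase": {"iss", "sub", "email", "email_verified"},
}

# Claims that must never be persisted regardless of tier (hypothetical list).
NEVER_STORE: Set[str] = {"friends", "birthdate", "address", "phone_number"}


@dataclass
class ConsumerRecord:
    """What the relying party actually stores about one federated identity."""
    issuer: str
    subject: str
    attributes: Dict[str, Any] = field(default_factory=dict)
    tiers_seen: Set[str] = field(default_factory=set)


def minimize_claims(claims: Dict[str, Any], tier: str) -> Dict[str, Any]:
    """Return only the claims the given tier is allowed to retain.

    Unknown tiers are rejected rather than defaulting to 'keep everything'.
    """
    if tier not in TIER_CLAIMS:
        raise ValueError(f"unknown transaction tier: {tier!r}")
    allowed = TIER_CLAIMS[tier] - NEVER_STORE
    return {k: v for k, v in claims.items() if k in allowed}


def record_key(claims: Dict[str, Any]) -> str:
    """Identities are keyed by issuer plus subject; 'sub' alone is not globally unique."""
    return f"{claims['iss']}|{claims['sub']}"


def store_claims(store: Dict[str, ConsumerRecord], claims: Dict[str, Any], tier: str) -> ConsumerRecord:
    """Merge the minimized claims into the store; never widen beyond the tier's allowlist."""
    kept = minimize_claims(claims, tier)
    key = record_key(kept)
    rec = store.get(key) or ConsumerRecord(issuer=kept["iss"], subject=kept["sub"])
    rec.attributes.update({k: v for k, v in kept.items() if k not in ("iss", "sub")})
    rec.tiers_seen.add(tier)
    store[key] = rec
    return rec


def export_record(store: Dict[str, ConsumerRecord], key: str) -> Optional[Dict[str, Any]]:
    """Subject-access view: everything held about this identity, or None if nothing."""
    rec = store.get(key)
    if rec is None:
        return None
    return {
        "issuer": rec.issuer,
        "subject": rec.subject,
        "attributes": dict(rec.attributes),
        "tiers_seen": sorted(rec.tiers_seen),
    }


def erase_record(store: Dict[str, ConsumerRecord], key: str) -> bool:
    """Erasure request: True if a record was removed, False if none existed."""
    return store.pop(key, None) is not None


# Constructed sample: what a permissive identity provider might hand back.
SAMPLE_CLAIMS: Dict[str, Any] = {
    "iss": "https://idp.example",
    "sub": "abc123",
    "email": "alice@example.invalid",
    "email_verified": True,
    "name": "Alice Example",
    "friends": ["bob", "carol"],
    "birthdate": "1990-01-01",
}

if __name__ == "__main__":
    store: Dict[str, ConsumerRecord] = {}
    store_claims(store, SAMPLE_CLAIMS, "browse")
    store_claims(store, SAMPLE_CLAIMS, "purchase")
    print(export_record(store, record_key(SAMPLE_CLAIMS)))
```

The design point is that the allowlist is the source of truth: a browse-only visit leaves nothing but the issuer/subject pair behind, a later purchase adds only the verified email, and the friends list and birthdate are dropped at the boundary so they can never appear in a breach or in a subject-access export.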
While Maxim posits that just over half of web sites are deploying systems that enable social login, 95% of consumers report being aware of the technology, according to a survey from Janrain. But on the downside 42% question its value.
But registration fatigue is real: the survey found that 75% of all consumers are frustrated by passwords and 58% say the requirement to establish a new password keeps them from signing up for a new account.
While social logins can ease password issues, the survey shows that just over 50% of consumers, across all income levels, are likely to use them.
When using social logins, consumers want transparency and to know how data is being used. Nearly a quarter of consumers will share information if offered a gift or promotion, but twice as many – 47% – will share that same information if the company assures them they will not share the information further and if they know how that information is being used. Thankfully, it seems trust trumps freebies.