The difference between customer and employee IAM
09 July, 2015
category: Biometrics, Corporate, Digital ID, Financial
Corporate IT executives have a pretty good idea of what their identity and access management (IAM) systems can handle. They know how many employees are coming into an office every day, the applications they will access and what authentication techniques they will use. There shouldn’t be a lot of surprise when it comes to the traffic, and since the company pays the employees, they pretty much have to jump through whatever authentication hoops the company deems necessary.
But when setting up an IAM system for customers the landscape changes quite a bit, says Andras Cser, vice president and principal analyst serving security and risk professionals at Forrester Research. “The systems involve different technologies and different performance requirements,” Cser said during a Janrain-sponsored webinar. “Customer IAM is fundamentally different from employee IAM.”
An in-house IAM system is owned by IT and the company can control the device used to access information, the web browser and authentication technologies, Cser said. “You don’t have as much control with consumer-facing IAM,” he added. “You can’t control the endpoint device or malware controls.”
A company can try to limit the browsers or other systems used to access a site, but it risks alienating customers who don’t feel like switching browsers or systems. If the site puts too many restrictions in place, the consumer will just go somewhere else.
Cser offers some steps for properly implementing consumer-facing IAM:
- Have a process map. This details how the consumer will interact with the system from account signup to account deactivation, including identity verification, device registration, and password recovery and reset.
- Enable single sign-on. Let customers use social logins and federate access with SAML or OAuth.
- Think about scale and performance. Is the site having a sale? Is there a certain time of the month when more customers access their accounts? Take all of this into consideration, and make sure the system can scale to meet demand.
- Risk-based authentication is a necessity. Use IP-address lookup, device fingerprinting and session speed as additional attributes to authenticate a transaction in a manner that reduces both fraud and friction.
- Biometric technologies are coming of age. Fingerprint readers on mobile devices are becoming more popular, and the reliability of voice recognition is improving.
- Collaborate with the business side. They need to understand why customer-facing IAM is different from employee IAM and that these systems are a lot more complex than the ones employees use.
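The risk-based authentication step above is easiest to see in code. The following is an added example, not something from the webinar or from Forrester or Janrain: a small scorer that turns the three attributes Cser names (IP-address lookup, device fingerprint, session speed) into a single risk score and a decision of allow, step up to a second factor, or deny. The IP-to-country table, the score weights, the thresholds and the account profiles are all constructed for illustration; a production system would replace the lookup table with a geolocation service and tune the weights against its own fraud data.

```python
"""Risk-based authentication scorer (illustrative, constructed example).

Combines three signals for a login attempt:
  * IP-address lookup  -> is the country one this account has used before?
  * device fingerprint -> has this device been seen on the account before?
  * session speed      -> how many attempts in the last `window` seconds?
and maps the summed score to ALLOW / STEP_UP / DENY.
"""
from collections import deque
from dataclasses import dataclass, field
import ipaddress

# Hypothetical IP-to-country table (constructed; documentation ranges only).
IP_COUNTRY = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("192.0.2.0/24"): "BR",
}

# Constructed weights and thresholds; tune against real fraud data.
W_UNKNOWN_COUNTRY = 20   # lookup failed: mild risk
W_NEW_COUNTRY = 30       # country never seen on this account
W_NEW_DEVICE = 30        # fingerprint never seen on this account
W_BURST_HIGH = 40        # more than 5 attempts inside the window
W_BURST_MED = 15         # 3..5 attempts inside the window
STEP_UP = 40             # score >= this: require a second factor
DENY = 80                # score >= this: refuse the transaction


def lookup_country(ip: str) -> str:
    """Return the ISO country code for an IP, or '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in IP_COUNTRY.items():
        if addr in net:
            return cc
    return "??"


@dataclass
class AccountProfile:
    """What the service already knows about one customer account."""
    known_devices: set = field(default_factory=set)      # fingerprints seen before
    known_countries: set = field(default_factory=set)    # countries of past logins
    recent_logins: deque = field(default_factory=deque)  # timestamps (seconds)


def score_login(profile: AccountProfile, ip: str, device_fp: str,
                ts: float, window: float = 60.0) -> tuple:
    """Score one attempt and return (score, decision).

    Records the attempt timestamp so later calls see the velocity.
    """
    score = 0

    # 1. IP-address lookup: unknown country, or one the account never used.
    cc = lookup_country(ip)
    if cc == "??":
        score += W_UNKNOWN_COUNTRY
    elif profile.known_countries and cc not in profile.known_countries:
        score += W_NEW_COUNTRY

    # 2. Device fingerprint: first time we see this device on the account.
    if device_fp not in profile.known_devices:
        score += W_NEW_DEVICE

    # 3. Session speed: drop attempts older than the window, then count.
    while profile.recent_logins and ts - profile.recent_logins[0] > window:
        profile.recent_logins.popleft()
    profile.recent_logins.append(ts)
    burst = len(profile.recent_logins)
    if burst > 5:
        score += W_BURST_HIGH
    elif burst > 2:
        score += W_BURST_MED

    if score >= DENY:
        return score, "DENY"
    if score >= STEP_UP:
        return score, "STEP_UP"
    return score, "ALLOW"


def record_success(profile: AccountProfile, ip: str, device_fp: str) -> None:
    """After an ALLOW or a passed step-up, remember the device and country
    so the same customer is not challenged again for the same context."""
    profile.known_devices.add(device_fp)
    cc = lookup_country(ip)
    if cc != "??":
        profile.known_countries.add(cc)


if __name__ == "__main__":
    acct = AccountProfile(known_devices={"fp-A"}, known_countries={"US"})
    print(score_login(acct, "203.0.113.5", "fp-A", 1000))    # familiar context
    print(score_login(acct, "198.51.100.7", "fp-B", 1001))   # new country + device
```

The point of the three-signal design is the friction trade-off in the list item: a returning customer on a known device from a known country scores zero and sails through, while a new device from a new country is challenged rather than refused outright, and only a burst of attempts on top of those signals is denied.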