MULTI-FACTOR AUTHENTICATION FOR CUSTOMERS

Striking the Balance Between Security and Convenience

WHITE PAPER


TABLE OF CONTENTS

EXECUTIVE SUMMARY

WHAT IS MULTI-FACTOR AUTHENTICATION?

WHY MFA FOR CUSTOMERS?

CUSTOMER MFA REQUIREMENTS

CUSTOMER MFA USE CASES

INTRODUCING YOUR CUSTOMERS TO MFA

CONCLUSION


EXECUTIVE SUMMARY

Protecting your customers’ credentials and data is critical if you want to keep them as customers. As high-profile data breaches make the news, consumers are becoming increasingly aware of potential security threats. Concerned about protecting their identities, they’re also paying more attention to how organizations secure their data.

Some attack vectors, like attempts to steal customer credentials through brute force attacks, can be proactively mitigated by security measures implemented within your organization. Others, like phishing scams or shared credentials that are compromised at other organizations, are more difficult to preempt. In either case, should you become the target of an attack, your company and brand reputation are at risk.

Multi-factor authentication (MFA) provides a layer of protection to your enterprise and your customers. No longer just for employee use cases, MFA can be successfully leveraged to secure your customers’ interactions with your digital properties and mitigate the ripple effect of compromised credentials.

But unlike your employees, your customers have a choice about working with you. To make MFA work for customers, you have to strike a delicate balance between security and convenience.

To get customer MFA right, you need to make implementation choices that ensure both customer experience and security are optimized for various use cases. You also need to determine the best way to introduce MFA to your customer base and decide whether that means requiring it or making it optional.

Implementing multi-factor authentication for customer use does require careful planning. But when done correctly, it can give your customers the additional security they need without sacrificing the seamless experience they expect.


WHAT IS MULTI-FACTOR AUTHENTICATION?

MFA is becoming a common term, but its meaning isn’t always clear. Multi-factor authentication, as the name implies, refers to the use of two or more factors (each a separate credential) to authenticate a user. For it to count as MFA, those factors must come from at least two of three categories:

SOMETHING YOU KNOW
The passwords that usually make up the first authentication factor fall into this category. Knowledge-based authentication, which usually consists of challenge questions such as “What is your mother’s maiden name?”, also falls into this category.

SOMETHING YOU HAVE
Authentication factors in this category verify that you are in possession of a specific thing. Examples include receiving a text message on your cell phone or inserting your debit card into an ATM.

SOMETHING YOU ARE
This category is most commonly verified by a fingerprint scan. Other methods like voice or facial recognition also fall into this category.

Note that two factors from the same category (a password plus a challenge question, for example) do not qualify as MFA, because a single technique such as phishing can capture both at once.
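The “something you have” category is easiest to see in code. The block below is an added example, not code from the white paper or from Ping Identity: it implements the time-based one-time password of RFC 6238 (HOTP from RFC 4226 with a time counter), which is the factor an in-app authenticator generates from a seed that only the enrolled device holds. The paper’s own possession examples are SMS and push; TOTP is used here because it is fully specified and checkable against the RFC test vectors. The seed value is the RFC test seed, the 30-second step and the one-step drift window are the common defaults, and the replay rule (never accept a counter at or below one already consumed) is the check a server must add that the RFC leaves to the implementer.

```python
# Added example: RFC 4226 HOTP / RFC 6238 TOTP as a "something you have" factor.
# Not from the white paper; seed below is the RFC test seed, not a real secret.
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP whose counter is floor(unix_time / step)."""
    return hotp(secret, at // step, digits, algo)


class TotpVerifier:
    """Server-side check with a +/-1 step drift window and replay rejection.

    Each counter value is accepted at most once per enrolled device, so a code
    captured by a phishing page cannot be submitted again after the customer's
    own login consumed it, and the password alone never satisfies the check.
    """

    def __init__(self, secret: bytes, window: int = 1, step: int = 30, digits: int = 6):
        self.secret = secret
        self.window = window
        self.step = step
        self.digits = digits
        self.last_counter = -1        # highest counter already consumed

    def verify(self, code: str, now: int) -> bool:
        if not (code.isdigit() and len(code) == self.digits):
            return False
        current = now // self.step
        for drift in range(-self.window, self.window + 1):
            counter = current + drift
            if counter <= self.last_counter:
                continue              # already used, or older than one already used
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"    # RFC 6238 SHA-1 test seed (constructed input)
    print(totp(seed, 59, digits=8))   # RFC vector: 94287082
    v = TotpVerifier(seed)
    code = totp(seed, int(time.time()))
    print(v.verify(code, int(time.time())), v.verify(code, int(time.time())))  # True False
```

The verifier is the part that matters operationally: without the `last_counter` rule a valid code stays usable for the whole drift window, which is exactly the interval a real-time phishing relay needs.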

When a user is authenticated using factors from at least two of these categories, a much higher level of assurance (LoA) can be associated with the user. Depending on the security requirements of your organization, you may want to require that higher level of assurance only for higher-value transactions.

Modern MFA can also step up authentication requirements based on contextual risk. For example, if a user attempts to authenticate from a device they’ve used many times before, you may grant them immediate access. If they attempt to authenticate from a new device, you might instead require approval from a known, trusted device.


WHY MFA FOR CUSTOMERS?

Said simply, because passwords are not enough, and stolen credentials are still the most popular hacking threat.1 Your customers (make that all of us) have more passwords to keep track of than ever before, so most users resort to creating passwords that are weak and easy to remember. Then they reuse those same passwords across multiple web sites. Hackers know this and prey upon it every day.

Customer credentials can be stolen in a number of ways, but three of the most common are:

PHISHING ATTACKS
Hackers pretend to be someone a person trusts by sending an email that looks like it’s from a known and trusted business. The user is usually taken to a fake site that appears legitimate, where they’re prompted to log in. Once the user enters their account information, the hackers have their credentials.

BRUTE FORCE ATTACKS
A brute force attack is a trial-and-error method used to guess a user’s password. Hackers get their hands on a list of valid usernames for a web site, then use a bot to attempt to log in with a list of weak passwords.

REUSING CREDENTIALS
As many as two out of three people use the same usernames and passwords across sites,2 creating an easy target for criminals. If credentials are compromised through phishing or brute force attacks on one site, hackers may also try those same username and password combinations on other sites (credential stuffing).

These attack vectors have something in common: all of them are blunted by requiring MFA. No matter how a hacker obtains a user’s password, it is not sufficient on its own if a specific mobile (aka trusted) device, which is much harder for a hacker to steal, is also required to authenticate or perform high-value transactions. MFA raises the cost of an attack rather than eliminating it: a phishing site can relay a one-time code in real time, and an approval prompt that shows no context can be accepted by mistake, which is why the use cases later in this paper bind approvals to a trusted device and show the customer what they are approving.

Furthermore, despite their part in the password problem, customers expect you to protect their data and interactions with your brand. You can’t deny that very real risks exist, but you can mitigate them with modern MFA that delivers additional security and the frictionless user experience your customers expect.

1 Verizon, 2019 Data Breach Investigations Report.
2 Zurkus, Kacy, “Google Survey Finds Two in Three Users Reuse Passwords,” Infosecurity Magazine, Feb 5, 2019.


CUSTOMER MFA REQUIREMENTS

When implementing MFA for your employees, security is typically your main concern. While user experience isn’t completely ignored, the security of your company resources likely outweighs your employees’ usability preferences. Not so with customers. When implementing customer-facing MFA, you have to walk a fine line between convenience and security.

The customer use case calls for requirements and best practices that are separate and distinct from enterprise MFA. There are five key things that a customer MFA solution must do:

1. BALANCE SECURITY AND CONVENIENCE
It’s important to secure customer accounts with MFA, but you don’t need to require MFA every time they log in. Even though MFA with each authentication may be secure, it can also be an inconvenience that frustrates your customers. Requiring MFA only in high-risk user contexts, such as logging in from a new device or performing a high-value transaction, can provide enhanced security in a way that doesn’t detract from the customer experience.

2. INTEGRATE INTO YOUR MOBILE APP
While you can require employees to download a third-party application for MFA, customers are not likely to go out of their way to do that. A more realistic way of gaining MFA adoption from your customers is to provide MFA in a medium they’re already using, like your mobile application. This also enables customers to use a more secure in-app form of multi-factor authentication than SMS, which is no longer recommended.3 But any form of MFA is better than none at all. You may still want to offer SMS and email authentication as an alternative for users who don’t have smartphones or choose not to download your mobile application.

3. CENTRALIZE MANAGEMENT
You don’t want to leave your MFA implementation decisions in the hands of individual app dev teams without security expertise. It’s imperative to provide multi-factor authentication that is centrally managed by your security teams and exposed consistently to all app dev teams. This ensures consistent and secure MFA across all apps and channels.

4. PRESERVE YOUR BRAND
Customer MFA must also be completely customizable so your enterprise’s branding can be preserved. Third-party MFA applications or solutions that cannot be completely customized will detract from your brand and dilute the customer experience.

3 Coldewey, Devin, “NIST declares the age of SMS-based 2-factor authentication over,” TechCrunch, July 25, 2016.


5. SUPPORT A SELF-MANAGED NETWORK OF TRUSTED DEVICES
Trusted devices are the foundation of MFA. However, customers may have several different types of trusted devices. They may have a primary device that can add and remove other devices, secondary devices that can authenticate and approve transactions, and still others that may be shared with family members and have even further reduced permissions. These devices change over time, so customers should be able to authorize a primary device, add and remove other devices, and block suspicious devices themselves. This should be a capability exposed directly to your customers, not one that requires them to call a customer service representative to make changes.

These capabilities, while nice to have for employees, are far more critical for customer MFA. In combination, they help ensure that your MFA solution is consistent across channels, isn’t a management burden on your customer service representatives and strikes a balance between security and convenience for your customers.
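The following Python is an added example, not the white paper’s or Ping Identity’s code. It models the self-managed device network of requirement 5 (one primary device that manages the others, secondary devices that can approve, shared devices with reduced rights) together with the contextual step-up decision of requirement 1 and the new-device rule described earlier. Everything not stated in the paper is an assumption made for illustration: the role names, the rule that a shared device may only log in and never approve or manage, the action names, and the 500 high-value threshold.

```python
# Added example (not the white paper's code): trusted-device registry with
# primary/secondary/shared roles, plus the contextual allow/step-up/deny policy.
# Role semantics, action names and the threshold are assumptions for illustration.
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    PRIMARY = "primary"      # may add/remove/block devices, approve, log in
    SECONDARY = "secondary"  # may approve transactions and log in
    SHARED = "shared"        # may log in only (assumed "reduced permissions")


@dataclass
class Device:
    device_id: str
    role: Role
    blocked: bool = False


class DeviceRegistry:
    """One customer's network of trusted devices, managed by the customer."""

    def __init__(self, primary_id: str):
        self.devices = {primary_id: Device(primary_id, Role.PRIMARY)}

    def _require_primary(self, actor: str) -> None:
        d = self.devices.get(actor)
        if d is None or d.blocked or d.role is not Role.PRIMARY:
            raise PermissionError(f"{actor} may not manage devices")

    def add(self, actor: str, new_id: str, role: Role) -> None:
        self._require_primary(actor)
        if role is Role.PRIMARY:
            raise PermissionError("only one primary device per customer")
        self.devices[new_id] = Device(new_id, role)

    def remove(self, actor: str, device_id: str) -> None:
        self._require_primary(actor)
        if device_id == actor:
            raise PermissionError("primary cannot remove itself")
        self.devices.pop(device_id, None)

    def block(self, actor: str, device_id: str) -> None:
        """Customer-initiated block of a suspicious device; no CSR call needed."""
        self._require_primary(actor)
        if device_id == actor:
            raise PermissionError("primary cannot block itself")
        if device_id in self.devices:
            self.devices[device_id].blocked = True

    def is_trusted(self, device_id: str) -> bool:
        d = self.devices.get(device_id)
        return d is not None and not d.blocked

    def can_approve(self, device_id: str) -> bool:
        d = self.devices.get(device_id)
        return d is not None and not d.blocked and d.role in (Role.PRIMARY, Role.SECONDARY)

    def approvers(self) -> list:
        return [i for i in self.devices if self.can_approve(i)]


HIGH_VALUE_THRESHOLD = 500.0   # assumed; the paper gives no figure


def decide(reg: DeviceRegistry, device_id: str, action: str, amount: float = 0.0) -> dict:
    """Contextual policy: trusted device + low-risk action -> allow immediately;
    new/blocked device or high-value/sensitive action -> step up on an approving
    trusted device; nothing enrolled that can approve -> deny."""
    trusted = reg.is_trusted(device_id)
    high_value = action in ("transfer", "purchase") and amount >= HIGH_VALUE_THRESHOLD
    sensitive = action in ("update_profile", "reset_password", "manage_devices")
    if trusted and not high_value and not sensitive:
        return {"decision": "allow", "reason": "trusted device, low-risk action"}
    approvers = reg.approvers()
    if not approvers:
        return {"decision": "deny", "reason": "no approving device enrolled"}
    reason = "new or untrusted device" if not trusted else "high-value or sensitive action"
    return {"decision": "step_up", "reason": reason, "approve_on": approvers}


if __name__ == "__main__":
    reg = DeviceRegistry("phone-A")                 # constructed sample customer
    reg.add("phone-A", "tablet-B", Role.SECONDARY)
    reg.add("phone-A", "tv-C", Role.SHARED)
    print(decide(reg, "phone-A", "login"))         # allow
    print(decide(reg, "laptop-X", "login"))        # step_up on phone-A / tablet-B
    print(decide(reg, "phone-A", "transfer", 1000))  # step_up, high value
```

Two design points are worth noting. Device management itself is treated as a sensitive action, so an attacker who has only a password cannot quietly enroll their own device; and a blocked device drops out of both `is_trusted` and `approvers`, so blocking takes effect on the next decision with no customer-service involvement.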


CUSTOMER MFA USE CASES

There are a few common use cases where customer MFA can be applied. But just because you can provide multi-factor authentication in these scenarios doesn’t mean you always should. Considering contextual risk factors before triggering MFA in any scenario helps you maintain a positive customer experience. Common customer MFA use cases include:

OUT-OF-BAND WEB AUTHENTICATION
Providing out-of-band MFA for web-based authentication is arguably the most common use case for MFA. It works by requiring a second authentication factor, such as a push notification or a fingerprint on a trusted device, when a user tries to log in to a web application. This may be required only during high-risk contexts, like logging in from a new device.

PASSWORDLESS (AND USERNAMELESS) AUTHENTICATION
At your security team’s discretion, out-of-band authentication can be used to authenticate customers without requiring them to type in a password at all. This can streamline access for consumers who need to log in on TVs or other devices with clunky user interfaces. Usernameless authentication can also be achieved with advanced capabilities such as QR code authentication.

TRANSACTION APPROVALS
Second authentication factors should have the option to be triggered by specific, high-value transactions. Notifications sent to customers in these cases should also include information about the transaction, so they know what they’re being asked to approve, and so that an approval cannot be applied to a different transaction than the one shown. Providing MFA for high-risk transactions like purchasing stocks, transferring money or updating account information can mitigate a large portion of security risk with minimal impact on customer experience. The same principle can be used to let users reset their passwords or verify their identity to a CSR with a fingerprint or face scan on their trusted device.

STRONG MOBILE AUTHENTICATION
If you have an MFA solution integrated into your mobile application, then the authorizing device and the authenticating device should be one and the same when a customer logs in to your mobile app. This offers the opportunity to add extra security by checking whether or not the device is trusted during mobile app authentication. With this capability, a hacker trying to authenticate to your mobile app with stolen credentials would require approval from a trusted device, while a customer logging in to your mobile app from one of their trusted devices would be instantly approved.

The ability to support these use cases will ensure that you’re providing a convenient and secure MFA solution to your customers.
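The transaction-approval use case above says the notification must carry the transaction details. The added example below (not code from the white paper or Ping Identity) shows why that is more than a usability point: the trusted device authenticates exactly the details it displayed, so the server can tell an approval of the real transaction from an approval of a substituted one, and a consumed or expired approval cannot be reused. The per-device shared key, the JSON challenge layout and the 120-second lifetime are assumptions for illustration; a production app would hold an asymmetric key in the device’s secure hardware and sign with it after a local fingerprint or face unlock, which is the step the `approve` method stands in for here.

```python
# Added example (not the white paper's code): out-of-band approval bound to
# the transaction the customer saw. HMAC with a per-device key, the challenge
# layout and the lifetime are assumptions; sample transactions are constructed.
import hashlib
import hmac
import json
import secrets
from typing import Optional


def canonical(challenge: dict) -> bytes:
    """Deterministic encoding so server and device MAC identical bytes."""
    return json.dumps(challenge, sort_keys=True, separators=(",", ":")).encode()


class ApprovalServer:
    def __init__(self, device_keys: dict, ttl: int = 120):
        self.device_keys = device_keys          # device_id -> key enrolled at registration
        self.ttl = ttl
        self.pending = {}                       # nonce -> challenge awaiting approval

    def create_challenge(self, device_id: str, tx: dict, now: int) -> dict:
        """The push payload: what the customer must see, plus nonce and expiry."""
        challenge = {**tx, "device": device_id, "nonce": secrets.token_hex(16),
                     "expires": now + self.ttl}
        self.pending[challenge["nonce"]] = challenge
        return challenge

    def verify(self, nonce: str, signature: Optional[str], now: int) -> bool:
        challenge = self.pending.pop(nonce, None)   # single use, pass or fail
        if challenge is None or signature is None or now > challenge["expires"]:
            return False
        key = self.device_keys[challenge["device"]]
        expected = hmac.new(key, canonical(challenge), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, signature)


class TrustedDevice:
    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self.key = key

    def approve(self, challenge: dict, user_confirms: bool) -> Optional[str]:
        """Display the transaction, then authenticate exactly what was displayed."""
        shown = {k: v for k, v in challenge.items() if k not in ("nonce", "expires", "device")}
        print(f"[{self.device_id}] Approve {shown}?")   # stands in for the app's prompt
        if not user_confirms:
            return None
        return hmac.new(self.key, canonical(challenge), hashlib.sha256).hexdigest()


def demo() -> dict:
    """Runs the honest flow and three failure modes; returns the verdicts."""
    key = secrets.token_bytes(32)
    server = ApprovalServer({"phone-A": key})
    device = TrustedDevice("phone-A", key)
    tx = {"type": "transfer", "amount": "2500.00", "to": "account-4471"}   # constructed

    ch = server.create_challenge("phone-A", tx, now=1000)
    sig = device.approve(ch, user_confirms=True)
    good = server.verify(ch["nonce"], sig, now=1030)
    replay = server.verify(ch["nonce"], sig, now=1031)          # nonce already consumed

    ch2 = server.create_challenge("phone-A", tx, now=1000)
    swapped = dict(ch2, amount="9999.00")                        # what a tamperer would push
    tampered = server.verify(ch2["nonce"], device.approve(swapped, True), now=1030)

    ch3 = server.create_challenge("phone-A", tx, now=1000)
    expired = server.verify(ch3["nonce"], device.approve(ch3, True), now=1200)

    ch4 = server.create_challenge("phone-A", tx, now=1000)
    declined = server.verify(ch4["nonce"], device.approve(ch4, False), now=1030)

    return {"good": good, "replay": replay, "tampered": tampered,
            "expired": expired, "declined": declined}


if __name__ == "__main__":
    print(demo())   # {'good': True, 'replay': False, 'tampered': False, 'expired': False, 'declined': False}
```

The same pattern covers the password-reset and CSR-verification cases in the paragraph above: the challenge simply describes a different action (“reset password for account …”), and the server only acts on what the customer’s device actually confirmed.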


INTRODUCING YOUR CUSTOMERS TO MFA

Customers may push back if they’re suddenly required to start using MFA. Instead, MFA can be offered as an option that enhances security. Depending on your industry, your approach may vary, particularly if you’re in an industry like banking, where a majority of transactions would be considered high-value. But even in those scenarios, customers may have a preference for exactly how their MFA is delivered.

Where possible, organizations should give customers options. These might include allowing customers to opt out of MFA if they favor convenience over security, or allowing customers to choose the type of second factor they’d prefer. Do they want a simple, but less secure, SMS text message, or would they prefer to receive push notifications through your mobile application?

Of course, enterprises must consider the security implications of giving customers choices around MFA. An opt-out or factor downgrade that an attacker can perform after logging in with a stolen password is no protection at all, so changes to MFA settings should themselves be treated as high-risk transactions that require approval from a trusted device. A contextual, risk-based approach can provide the flexibility to achieve the best combination of security for your needs and user experience for your customers.

ABOUT PING IDENTITY

Ping Identity envisions a digital world powered by intelligent identity. We help enterprises achieve Zero Trust identity-defined security and more personalized, streamlined user experiences. The Ping Intelligent Identity Platform provides customers, employees and partners with access to cloud, mobile, SaaS and on-premises applications and APIs, while also managing identity and profile data at scale. Over half of the Fortune 100 choose us for our identity expertise, open standards leadership, and partnership with companies including Microsoft, Amazon and Google. We provide flexible options to extend hybrid IT environments and accelerate digital business initiatives with multi-factor authentication, single sign-on, access management, intelligent API security, directory and data governance capabilities. Visit www.pingidentity.com.

#3253 | 05.21.2019 | v06

CONCLUSION

The need for customer MFA is more pressing than ever and is substantiated by the statistics put forth by Verizon and others. There’s no denying that attacks on stolen and weak passwords are increasingly common. As a result, customer awareness of the need for additional security is rising, and customers expect you to provide it.

To protect your enterprise at all points of entry, you’ll find a strong line of defense in multi-factor authentication. A customer-facing MFA solution can substantially reduce the risk to your customers’ data and protect your brand.

But MFA for customers is a different animal than MFA for employees. Customer MFA must strike a balance between security and convenience. Customers can’t be forced to download a separate MFA application, nor do they want to be burdened by too many authentication requests. But they do want the ability to self-manage their own trusted devices, and they expect a consistent experience with your brand.

Getting customer MFA right takes careful planning and has a separate set of requirements from employee MFA. However, if implemented correctly, customer MFA can make your customers feel more secure while delivering a cohesive customer experience.

To learn more about securing customer identities, read our Security by Design ebook.