“Responsive Design” Is Good For Web Apps – And For Authentication
If you ever need a belly laugh, visit the site DamnYouAutocorrect.com (warning: it’s often not safe for work). It’s also a great illustration of why you shouldn’t just force users through the same exact login procedure when they use mobile apps versus full-fledged browser windows: hitting all the right tiny keys is hard work, and often the software behind the scenes is helpfully trying to “correct” everything you type.
Responsive design is all the rage in consumer web app design, and for good reason: users can put down one device, pick up another, and change the screen orientation in mere moments, and app developers can’t afford to miss a trick in optimizing the user experience. Similarly, in researching current authentication methods and trends, we’ve come to believe more strongly than ever in adapting your user authentication methods to your population, the interaction channel they’re using, your business goal, your risk, and your ability to pick up on contextual clues about the user’s legitimacy or lack thereof. Call it responsive design for authentication.
When we published our recent Customer Authentication Assessment Framework research (the report comes with a spreadsheet tool), we deliberately focused on onboarding, login, step-up authentication, and account recovery for – yes – customers, most particularly consumers. Why? Because the framework takes into account usability characteristics just as much as security characteristics, and security pros delivering solutions to Marketing had better have good answers when they propose adding friction to the login experience.
But we’ve found that we answer as many client inquiries about usability and user tolerance for employee and partner populations as for consumers and other customers. As a result, we’re now working on an Authentication Market Overview that aims to capture the state of the art in identity verification and authentication solutions across web, mobile, and voice channels, for all user scenarios.
As a sample of the concerns coming up, I fielded the following questions in our recent webinar on the assessment framework:
- Finding a channel for out-of-band communication: If sending a one-time password (OTP) over SMS isn’t possible due to lack of phone signal, what about using IM/Twitter over the web for that alternate channel? It’s a great idea to explore alternate channels (being careful to ensure that the secondary channel for authentication is sufficiently separate from the primary task channel, so that it actually mitigates the risk you believe it mitigates). For example, I recently spoke with an insurance company about leveraging postal mail to send authorization codes to policyholders for creating online accounts in a more secure, efficient fashion. OTPs can be delivered over lots of channels, as long as the channel can be pre-registered.
- Standardized identity proofing: Is identity proofing à la the NIST 800-63 standard’s four levels of assurance part of the answer for improving the authentication experience? No one is really in love with the experience of the knowledge-based authentication methods currently used to perform remote proofing during account enrollment. However, some online services are creeping closer to leveraging federated identities managed by a third party that takes on the responsibility for this vetting process. This approach has the potential for taking some of the usability sting out of the experience.
- Consolidated account recovery and self-service: What is recommended for challenge questions to verify identity before allowing a user to proceed with an account recovery process? If a user can reset his or her password by answering a simple security question to which the answer is readily available from Facebook or other social media, then even the strongest authentication methods are pointless. Rethinking and beefing up security measures for account recovery and user self-service is a key first step when rearchitecting customer- and employee-facing IAM processes.
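As an added example that is not from the original post, here is a Python sketch of the channel-selection policy the first bullet describes: the OTP goes only to a pre-registered channel, channels that share a medium with the primary task channel are skipped, and the preference order shifts with risk (low risk favours convenience, high risk favours the postal-code approach the insurer example mentions). The channel names, the same-medium mapping, and the two risk levels are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Preference order per risk level (assumed): low risk favours convenience,
# high risk favours channels that are harder to intercept, such as postal mail.
PREFERENCE = {
    "low": ("sms", "im", "voice", "postal"),
    "high": ("postal", "voice", "sms", "im"),
}

# Assumption: a channel that shares a medium with the primary task channel gives
# no real out-of-band separation (an OTP texted to the phone the app runs on).
SAME_MEDIUM = {
    "mobile_app": {"sms", "voice"},
    "voice": {"voice"},
    "web": set(),
}

# Channels that need a working phone connection on the user's side.
NEEDS_PHONE = {"sms", "voice"}


@dataclass
class Decision:
    channel: Optional[str]  # None: no acceptable OOB channel, fall back to a manual process
    excluded: dict          # channel -> why it was rejected, useful for logging and tuning


def choose_oob_channel(registered: dict, primary_channel: str, risk: str,
                       phone_reachable: bool = True) -> Decision:
    """Pick a pre-registered delivery channel that is separate from the primary channel.

    registered maps channel name -> delivery address (phone number, IM handle, postal address).
    """
    excluded = {}
    for channel in PREFERENCE[risk]:
        if channel not in registered:
            excluded[channel] = "not pre-registered"
        elif channel in SAME_MEDIUM.get(primary_channel, set()):
            excluded[channel] = f"shares medium with primary channel {primary_channel}"
        elif channel in NEEDS_PHONE and not phone_reachable:
            excluded[channel] = "no phone signal"
        else:
            return Decision(channel, excluded)
    return Decision(None, excluded)


if __name__ == "__main__":
    # Constructed sample profile: the user pre-registered SMS and an IM handle.
    profile = {"sms": "+1-555-0100", "im": "@example_user"}
    print(choose_oob_channel(profile, "web", "low", phone_reachable=False))
```

Logging the `excluded` map makes it easy to see how often users end up with no usable channel, which is the usability signal the framework asks you to weigh against the security gain.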
We’ve already sent out invitations to nearly three dozen vendors to participate in this new research effort, but we may be able to squeeze in a few more sources. If you’ve got a particular area of interest or concern around authentication, verification, and account recovery, let me know in the comments or reach out to me on Twitter!