
Customers in the Crosshairs

Andy March
September 15, 2019


As users now expect more from the organisations they interact with online, managing the identity of your customers is becoming much more complex. Password dumps, multiple devices and poor MFA adoption put pressure on security and development teams. All the while, your competition is waiting in the wings to offer an alternative if your offering doesn't meet the customer's expectations.

Join Andy in a session where he discusses the threats to your customers, the impact those threats can have on your organisation and how to build a customer identity which not only protects your customers but provides a better user experience.

What attendees will learn:
- How to model the risks and impacts of a customer account compromise.
- How to drive registration with progressive profiling.
- Choosing multi-factor options which users love.
- Techniques for monitoring emerging account threats.


Transcript

  1. Customers in the Crosshairs

  2. Hi! Platform Specialist at Okta. 10+ years working in secure systems. Software Developer (.NET / Java / JS). @andymarch
  3. Customer experience is critical

  4. None
  5. Efficiency / Convenience / Friendly service / Knowledgeable service / Easy payment (source: PWC.com/future-of-cx)

  6. Don’t let customer experience become a security risk

  7. None
  8. Most common passwords found in breach data: 123456 (23.2m), 123456789 (7.7m), Qwerty (3.8m), Password (3.6m), 1111111 (3.1m)

  9. None
  10. What’s the risk?

  11. None
  12. None
  13. 42% expect to be victim of financial fraud online by 2021
  14. None
  15. Credentials: Username/password
      Mitigations: Failed login limits, IP blacklists, Captcha
      Identity: PII
      Resources: Transaction History, Linked Payment Information, Redeemable tokens, Initiate transaction
  16. Come on, tell me who are you?

  17. None
  18. None
  19. The identity record grows as the customer needs more:
      ?
      -> id: 123456789, email: mail@testuser.com
      -> id: 123456789, email: mail@testuser.com, address: 123 Fake Street
      -> id: 123456789, email: mail@testuser.com, address: 123 Fake Street, loyaltyid: 098765
  20. Credentials: Email address
      Mitigations: -
      Identity: id: 123456789, email: mail@testuser.com
      Resources: Manage Contact Preferences
  21. Credentials: Email address/Password (password: supersecret)
      Mitigations: -
      Identity: id: 123456789, email: mail@testuser.com, address: 123 Fake Street
      Resources: Manage Contact Preferences, Manage Existing Order, Manage Address
  22. Do I need to create an account?

  23. Image: 9to5mac

  24. Image: Screenshot / TechCrunch

  25. None
  26. The limiting factor

  27. ******** someuser password Passw0rd!

  28. None
  29. None
  30. None
  31. None
  32. None
  33. twofactorauth.org

  34. None
  35. Your code is 123456

  36. None
  37. None
  38. OS-based (with TPM) / Browser integration (WebAuthn) / Roaming authenticators (CTAP)

  39. Credentials: Email address/Password (password: supersecret)
      Mitigations: MFA (for Redeem Loyalty Points)
      Identity: id: 123456789, email: mail@testuser.com, address: 123 Fake Street, loyaltyid: 098765
      Resources: Manage Contact Preferences, Manage Existing Order, Manage Address, Redeem Loyalty Points + MFA
  40. Manage access

  41. Everything in Context
      - Who is the user?
      - What is the application?
      - Where is the user?
      - What is the action?
      - Does it match their normal usage?
  42. Credentials: Email address/Password (password: supersecret)
      Mitigations: New device, New location -> Contact support
      Identity: id: 123456789, email: mail@testuser.com, address: 123 Fake Street
      Resources: Manage Contact Preferences, Manage Existing Order, Manage Address
  43. Putting it all together

  44. Credentials: Email address/password (password: supersecret)
      Mitigations: New device, New location -> Contact support; MFA Passed
      Identity: id: 123456789, email: mail@testuser.com, address: 123 Fake Street
      Resources: Manage Contact Preferences, Manage Existing Order, Manage Address
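
The step-up flow in slides 39 to 44 (an action is allowed, needs more profile data, needs a second factor, or is routed to support when the device or location is new) and the five "everything in context" questions on slide 41, written out as a small policy engine. This is an added example, not the speaker's or Okta's code; the resource names, attribute names, the three assurance tiers and the rule "any context signal raises a non-anonymous action to MFA" are illustrative assumptions, and the sample profile and session data are constructed.

```python
"""Context-aware access decisions for a customer identity (added example).

Not code from the talk or from Okta: it models the Credentials / Mitigations /
Identity / Resources picture from the slides as a runnable policy. Resource
names, attribute names, signal rules and assurance tiers are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Assurance(Enum):
    """How strongly the current session has been authenticated."""
    NONE = 0      # identified only (email captured, no password yet)
    PASSWORD = 1  # email + password
    MFA = 2       # password plus a second factor (e.g. WebAuthn)


# Each resource (action) needs a minimum assurance tier and the identity
# attributes it actually uses: collect only what you need, when you need it.
# Illustrative mapping (assumption), mirroring the slide diagrams.
RESOURCES: dict[str, tuple[Assurance, frozenset[str]]] = {
    "manage_contact_preferences": (Assurance.NONE, frozenset({"email"})),
    "manage_existing_order": (Assurance.PASSWORD, frozenset({"email", "address"})),
    "manage_address": (Assurance.PASSWORD, frozenset({"email", "address"})),
    "redeem_loyalty_points": (Assurance.MFA, frozenset({"email", "loyaltyid"})),
}


@dataclass
class Session:
    """Who the user is, what we hold on them, how and from where they signed in."""
    user_id: str
    attributes: dict[str, str]
    assurance: Assurance
    device_id: str
    country: str


@dataclass
class Profile:
    """What 'normal usage' looks like for this user (history already seen)."""
    known_devices: set[str]
    usual_countries: set[str]
    mfa_enrolled: bool


@dataclass
class Decision:
    outcome: str  # allow | collect | step_up | contact_support | deny
    reason: str
    detail: set[str] = field(default_factory=set)  # missing attributes or signals


def context_signals(session: Session, profile: Profile) -> set[str]:
    """'Where is the user? Does it match their normal usage?'"""
    signals: set[str] = set()
    if session.device_id not in profile.known_devices:
        signals.add("new_device")
    if session.country not in profile.usual_countries:
        signals.add("new_location")
    return signals


def decide(session: Session, profile: Profile, resource: str) -> Decision:
    """Decide what happens when this session asks for this resource."""
    if resource not in RESOURCES:
        return Decision("deny", "unknown resource")
    base, needed = RESOURCES[resource]

    # Progressive profiling: ask for attributes only when an action needs them.
    missing = set(needed) - set(session.attributes)
    if missing:
        return Decision("collect", "action needs attributes not yet collected", missing)

    # Step up when the context does not match normal usage, but never for the
    # anonymous tier (a new device is no reason to block a preferences change).
    signals = context_signals(session, profile)
    required = Assurance.MFA if (signals and base is not Assurance.NONE) else base

    if session.assurance.value >= required.value:
        return Decision("allow", f"{session.assurance.name} meets {required.name}", signals)
    if required is Assurance.MFA and not profile.mfa_enrolled:
        # Cannot step up: route to a human rather than let a risky session through.
        return Decision("contact_support", "second factor required but none enrolled", signals)
    return Decision("step_up", f"re-authenticate at {required.name}", signals)


# Constructed sample data (not real users).
PROFILE = Profile(known_devices={"dev-a"}, usual_countries={"GB"}, mfa_enrolled=True)
IDENTITY = {"email": "mail@testuser.com", "address": "123 Fake Street", "loyaltyid": "098765"}

if __name__ == "__main__":
    anon = Session("123456789", {"email": IDENTITY["email"]}, Assurance.NONE, "dev-a", "GB")
    pw_new_device = Session("123456789", IDENTITY, Assurance.PASSWORD, "dev-b", "GB")
    for s, r in [(anon, "manage_contact_preferences"), (anon, "manage_existing_order"),
                 (pw_new_device, "manage_existing_order"), (pw_new_device, "redeem_loyalty_points")]:
        d = decide(s, PROFILE, r)
        print(f"{r:28s} -> {d.outcome:15s} {d.reason} {sorted(d.detail)}")
```

The point of the `collect` outcome is that registration is driven by the action: a customer who only wants to change contact preferences never sees a password or address form. The `contact_support` path is the slide 42 case; a session that cannot satisfy the raised assurance level is handed to a human instead of being silently allowed or bluntly blocked.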
  45. Recap
      - React to change
      - Know your users, know your risk
      - Collect only what you need when you need it
      - Strongly authenticate your users, but only when it is required
  46. Interested in learning more? developer.okta.com