
Customers in the Crosshairs

Andy March
September 15, 2019

Customers in the Crosshairs

As users now expect more from the organisations they interact with online, managing the identity of your customers is becoming much more complex. Password dumps, multiple devices and poor MFA adoption put pressure on security and development teams. All the while, your competition is waiting in the wings to offer an alternative if your offering doesn't meet the customer's expectations.

Join Andy in a session where he discusses the threats to your customers, the impact those threats can have on your organisation and how to build a customer identity which not only protects your customers but provides a better user experience.

What attendees will learn:
- How to model the risks and impacts of a customer account compromise.
- How to drive registration with progressive profiling.
- Choosing multi-factor options which users love.
- Techniques for monitoring emerging account threats.




Transcript

  1. Customers in the Crosshairs Photo by Steven Roussel on Unsplash

  2. Hi! 10+ years working in secure systems. Senior Platform Specialist at Okta. Software Developer (.NET / Java / JS). @andymarch
  3. Customer experience is critical.

  4. None
  5. The Future of Customer Experience

  6. Don’t let customer experience become a security risk

  7. None
  8. <50% use a unique password for email

  9. 1111111 (3.1m) Password (3.6m) Qwerty (3.8m) 123456789 (7.7m) 123456 (23.2m)

  10. None
  11. What’s the risk?

  12. 42% expect to be a victim of financial fraud online

  13. None
  14. None
  15. None
  16. Username/password | PII, Transaction History, Linked Payment Information, Redeemable tokens, Initiate transaction | Failed login limits, IP blacklists, Captcha (columns: Credentials, Mitigations, Identity, Resources)
  17. Come on, tell me who are you?

  18. None
  19. Do I need to create an account?

  20. Image:

  21. Image: TechCrunch

  22. None
  23. None
  24. None
  25. ? | id: 123456789, email: mail@testuser.com | id: 123456789, email: mail@testuser.com, address: 123 Fake Street | id: 123456789, email: mail@testuser.com, address: 123 Fake Street, loyaltyid: 098765
  26. Email address | Manage Contact Preferences (columns: Credentials, Mitigations, Identity, Resources) | id: 123456789, email: mail@testuser.com
  27. Email address | Manage Contact Preferences (columns: Credentials, Mitigations, Identity, Resources) | id: 123456789, email: mail@testuser.com | Manage Existing Order, Manage Address | address: 123 Fake Street | Email address/Password | password: supersecret
  28. The limiting factor

  29. ******** someuser password Passw0rd!

  30. None
  31. None
  32. None
  33. None
  34. None
  35. twofactorauth.org

  36. None
  37. Your code is 123456

  38. Photo by Andrey Metelev on Unsplash

  39. None
  40. OS based (with TPM) Browser Integration (WebAuthN) Roaming Authenticators (CTAP)

  41. Email address/Password | Manage Contact Preferences (columns: Credentials, Mitigations, Identity, Resources) | id: 123456789, email: mail@testuser.com | Manage Existing Order, Manage Address | address: 123 Fake Street, password: supersecret, loyaltyid: 098765 | Redeem Loyalty Points + MFA
  42. Everything in context

  43. Who is the user? What is the application? Where is the user? What is the action? Does it match their normal usage? (User supplied context / Service inferred context)
  44. Email address/Password | Manage Contact Preferences (columns: Credentials, Mitigations, Identity, Resources) | id: 123456789, email: mail@testuser.com | Manage Existing Order, Manage Address | address: 123 Fake Street, password: supersecret | New device, New location | Contact support
  45. Putting it all together

  46. Email address/password | Manage Contact Preferences (columns: Credentials, Mitigations, Identity, Resources) | id: 123456789, email: mail@testuser.com | Manage Existing Order, Manage Address | address: 123 Fake Street, password: supersecret | New device, New location | Contact support | MFA Passed
  47. Recap: React to change. Know your users, know your risk. Collect only what you need when you need it. Strongly authenticate your users, but only when it is required.
  48. Interested in learning more? okta.com/customer-identity | DTX Manchester: Stand F24 | @andymarch | Slides: speakerdeck.com/andymarch/customers-in-the-crosshairs
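One way to turn the deck's context model (slides 41 to 46: progressive profiling, sensitivity of each resource, service-inferred signals such as a new device or new location, and step-up to MFA or to support) into a decision function. This is an added, illustrative example, not Okta's or the speaker's code; the sensitivity levels, the rule that a new device together with a new location routes the user to support, and the sample history are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Resources from the deck's Credentials/Mitigations/Identity/Resources diagram.
# The sensitivity levels are an assumption made for this example.
RESOURCE_SENSITIVITY = {
    "manage_contact_preferences": 0,  # only a verified email address on file
    "manage_existing_order": 1,       # needs a password (slide 27)
    "manage_address": 1,
    "redeem_loyalty_points": 2,       # "Redeem Loyalty Points + MFA" (slide 41)
}

@dataclass
class Session:
    user_id: str
    has_password: bool        # progressive profiling: may not exist yet
    device_id: str = ""       # service-inferred context
    country: str = ""         # service-inferred context
    mfa_passed: bool = False

@dataclass
class UserHistory:
    # What the service has seen before for this user (constructed sample data).
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)

def risk_signals(session, history):
    """Service-inferred context: which parts of this session are unseen before?"""
    if not history.known_devices and not history.known_countries:
        return []  # first ever session: nothing to compare against yet
    signals = []
    if session.device_id not in history.known_devices:
        signals.append("new_device")
    if session.country not in history.known_countries:
        signals.append("new_location")
    return signals

def decide(session, history, action):
    """Return 'allow', 'mfa', 'contact_support' or 'deny' for one action."""
    level = RESOURCE_SENSITIVITY[action]
    if level >= 1 and not session.has_password:
        return "deny"  # profile not built out enough for this resource yet
    if session.mfa_passed:
        return "allow"  # slide 46: a passed MFA clears the context signals
    signals = risk_signals(session, history)
    if len(signals) == 2:
        return "contact_support"  # slide 44: new device AND new location (assumed rule)
    if level == 2 or (level == 1 and signals):
        return "mfa"  # strongly authenticate only when the action or context needs it
    return "allow"  # low-value action from a familiar context: no added friction
```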