
Customers in the Crosshairs

Andy March
September 15, 2019

As users now expect more from the organisations they interact with online, managing the identity of your customers is becoming much more complex. Password dumps, multiple devices and poor MFA adoption put pressure on security and development teams. All the while, your competition is waiting in the wings to offer an alternative if your offering doesn't meet the customer's expectations.

Join Andy in a session where he discusses the threats to your customers, the impact those threats can have on your organisation and how to build a customer identity which not only protects your customers but provides a better user experience.

What attendees will learn:
- How to model the risks and impacts of a customer account compromise.
- How to drive registration with progressive profiling.
- Choosing multi-factor options which users love.
- Techniques for monitoring emerging account threats.

Transcript

  1. Customer
    Identities in the
    Crosshairs
    Photo by Heamosoo Kim on Unsplash

  2. Hi!
    10+ years working in secure systems
    Technical Product Manager at Okta
    Software Developer (.NET / Java / JS)
    @andymarch

  3. Customer experience is critical

  4. (image-only slide)

  5. The Future of Customer Experience

  6. Don’t let customer
    experience become a
    security risk

  7. (image-only slide)

  8. <50%
    use a unique password
    for email

  9. 1111111 (3.1m)
    Password (3.6m)
    Qwerty (3.8m)
    123456789 (7.7m)
    123456 (23.2m)

  10. (image-only slide)

  11. What’s the risk?

  12. (image-only slide)

  13. 42%
    expect to be a victim of
    financial fraud online

  14. (image-only slide)

  15. Credentials: Username/password
    Mitigations: Failed login limits, IP blacklists, Captcha
    Identity: PII
    Resources: Transaction History, Linked Payment Information, Redeemable tokens, Initiate transaction

  16. Come on, tell me who are
    you?

  17. (image-only slide)

  18. (image-only slide)

  19. ?
    id: 123456789, email: [email protected]
    id: 123456789, email: [email protected], address: 123 Fake Street
    id: 123456789, email: [email protected], address: 123 Fake Street, loyaltyid: 098765

  20. Credentials: Email address
    Mitigations: (none)
    Identity: id: 123456789, email: [email protected]
    Resources: Manage Contact Preferences

  21. Credentials: Email address; Email address/Password
    Mitigations: (none)
    Identity: id: 123456789, email: [email protected], address: 123 Fake Street, password: supersecret
    Resources: Manage Contact Preferences; Manage Existing Order; Manage Address

  22. Do I need to create an account?

  23. (image-only slide)

  24. US Adults with an account: Facebook 69%, LinkedIn 28%, Twitter 23%, Reddit 18%
    Social media usage by age: 18-29: 84%, 30-49: 81%, 50-64: 73%, 65+: 45%
    Source: pewresearch.org/internet/fact-sheet/social-media

  25. (image-only slide)

  26. Image: 9to5mac

  27. Image: TechCrunch

  28. (image-only slide)

  29. (image-only slide)

  30. Pre-hijacked accounts

  31. The limiting
    factor

  32. ********
    someuser
    password
    Passw0rd!

  33. (image-only slide)

  34. (image-only slide)

  35. (image-only slide)

  36. (image-only slide)

  37. (image-only slide)

  38. twofactorauth.org

  39. (image-only slide)

  40. Your code is
    123456

  41. Photo by Andrey Metelev on Unsplash

  42. (image-only slide)

  43. OS based (with TPM)
    Browser Integration (WebAuthN)
    Roaming Authenticators (CTAP)

  44. Credentials: Email address/Password
    Mitigations: (none)
    Identity: id: 123456789, email: [email protected], address: 123 Fake Street, password: supersecret, loyaltyid: 098765
    Resources: Manage Contact Preferences; Manage Existing Order; Manage Address; Redeem Loyalty Points (+ MFA)

  45. Everything in
    context

  46. Who is the user?
    What is the application?
    Where is the user?
    What is the action?
    Does it match their normal usage?
    User supplied context
    Service inferred context

  47. Credentials: Email address/Password
    Mitigations: New device, New location (Contact support)
    Identity: id: 123456789, email: [email protected], address: 123 Fake Street, password: supersecret
    Resources: Manage Contact Preferences; Manage Existing Order; Manage Address

  48. Understanding
    normal

  49. (image-only slide)

  50. Putting it all
    together

  51. Credentials: Email address/password
    Mitigations: New device, New location (Contact support); MFA Passed
    Identity: id: 123456789, email: [email protected], address: 123 Fake Street, password: supersecret
    Resources: Manage Contact Preferences; Manage Existing Order; Manage Address

  52. Summary
    React to change
    Know your users, know your risk
    Collect only what you need when you need it
    Strongly authenticate your users, but only when it is required
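The decision logic that slides 44 to 52 sketch, written out as an added Python example (not code from the deck, from Okta, or from the speaker): a session carries the strongest factor it has presented, each action names the minimum level and the profile attributes it needs, and unfamiliar context raises the bar. The action names, the Session fields, the failed-login limit and the level constants are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Session assurance levels in the order the deck builds them up:
# slide 20 (email only), slide 21 (email + password), slide 44 (+ MFA).
EMAIL, PASSWORD, MFA = 1, 2, 3
LEVEL_NAME = {EMAIL: "email", PASSWORD: "password", MFA: "mfa"}

# Per-action policy: minimum assurance level and the profile attributes the
# action actually needs (progressive profiling, slide 19). Constructed mapping
# that follows the deck's resource grouping; the action names are assumptions.
POLICY = {
    "manage_contact_preferences": (EMAIL, ()),
    "manage_existing_order": (PASSWORD, ()),
    "manage_address": (PASSWORD, ("address",)),
    "redeem_loyalty_points": (MFA, ("loyaltyid",)),
}
FAILED_LOGIN_LIMIT = 5  # slide 15 "failed login limits"; the value is an assumption

@dataclass
class Session:
    level: int                        # strongest factor presented so far
    profile: dict = field(default_factory=dict)
    mfa_enrolled: bool = False        # "poor MFA adoption": not everyone has a second factor
    new_device: bool = False          # service-inferred context (slide 46)
    new_location: bool = False
    failed_logins: int = 0

def decide(session: Session, action: str) -> str:
    """Return allow, step_up:<factor>, collect:<attr>, contact_support or deny."""
    if action not in POLICY or session.failed_logins >= FAILED_LOGIN_LIMIT:
        return "deny"
    required, attrs = POLICY[action]
    # Unfamiliar context raises the bar for anything beyond email-level actions
    # (slide 47: new device / new location leads to MFA or contact support).
    if (session.new_device or session.new_location) and required >= PASSWORD:
        required = MFA
    if session.level < required:
        nxt = session.level + 1       # ask for the next factor on the ladder
        if nxt == MFA and not session.mfa_enrolled:
            return "contact_support"  # nothing stronger to step up to
        return f"step_up:{LEVEL_NAME[nxt]}"
    # Only ask for data at the point it is needed ("collect only what you need").
    for attr in attrs:
        if attr not in session.profile:
            return f"collect:{attr}"
    return "allow"
```

A session that already passed MFA on a new device (slide 51) is allowed straight through, while the same action from a password-only session on a new device is stepped up or routed to support depending on whether a second factor is enrolled.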

  53. Let’s discuss
    Stand K10
    @andymarch
    Slides: speakerdeck.com/andymarch/customers-in-the-crosshairs