Now days security is becoming more important than ever with everyone going digital. With it comes a lot of risk that many companies are ignoring in the pursuit of getting through their downturn. More companies are going to start scrutinizing security line items and try to keep costs down. This approach works for awhile as during a crisis you do whatever it takes to keep a company running while potentially cutting corners. If you don’t have the luxury of baking in the latest and greatest tools for security in the market there are always new comers with options that may work for you at the moment. Even building a security control yourself works too. However, companies need to constantly revaluate their strategies to make sure their posture still aligns with their risk tolerance. The more interesting security strategy for me is identity since it so closely relates to business. Cryptography, infrastructure and other traditional security domains are usually siloed from anyone running a business and it might not affect profits as much as identity.
As the interesting segment in security, identity is becoming a critical function of any business. The boom of the security services and valuations of companies offering it is just the start of the future trend. The State of Identity podcast is a great listen on the breakdown of all the solutions trying to throw in their hat to solve identity. While I don’t have a good prediction on where it ends up in the next 5-10 years I do hope IDV is not a trend that lasts for everyone. I think the better thesis for identity is that most users are inherently good and we need to adaptively apply security measures to bad actors. The one size fits all approach does not bring a good experience to users or businesses trying to onboard anyone. Users are getting tired of providing all their information and know sooner or later it’s just going to end up somewhere on the dark web. Another problem is these tools can discriminate against underserved users that might be first time users on the web. Real fraudsters know what signals they have to mimic and just because a user is using a VPN or ordering from a brand new email address you need to block it.
This is where models and ML sometimes can go awry. Even after building a bot to handle 1000s of scenarios with Google’s best algorithms I still daily saw outliers who did something it couldn’t respond to. As a business I don’t think there is 100% confidence in these security tools and I have seen cases where multiple signals all are showing fraud but in the end the user actually is good. This is where I think companies can start extracting value from to increase their goals while still applying security. I did research on various methods companies did to challenge the identity of their users. My favorite one was the site that outright claimed I was using stolen information and they would report me.
This is the worst way to treat a potential customer and could severely impact future growth and reputation. It isn’t worth the potential backlash of denying service to someone if you aren’t sure they truly are fraudulent. Putting the user in review or offering automatic options to move forward is the better approach. I believe merchant/site initiated declines/blocks should only be reserved for the 1% of bad users and the rest of suspicious users at least can be given a second chance.
The other problem companies face is they don’t have the resources to put in ML or ways to scale any type of review process. There is no second chance and in the case where I was told to contact the company why as a user would I waste my time doing that? There are multiple options for the same offering and I want the solution that takes the least amount of friction. Amazon has become so successful because of their speed and customer service. However, for small businesses its harder they rather block a good user than potentially open the gates to a scout which leads to an full-scale attack. The reality is for most businesses’ hackers/fraudsters aren’t laying in wait 24/7 to steal from you. They bounce around from site to site testing your defenses. Putting in a little friction just might be enough to stop most attacks while keeping sales growing.
In the end the answer is to not blindly implement friction to user’s identities. No one solution can solve for all your users. Start giving your users the freedom of choice. Humans by nature like choice and with all the solutions out there today there is no reason we can’t start giving it to them. They will thank you by becoming loyal customers knowing you care about their privacy and security.