Trustworthy access in an unsecure world
29.08.2023 / 14:00
An online store is accessible to anyone, from anywhere in the world, at any time. However, this also means that not only legitimate customers can reach the store, but also potential attackers and automated clients, and it is impossible to know in advance whether any of them is secure or compromised. Protecting access to the store is therefore crucial, both for customer data and for the integrity of the store itself. In this blog post, you will learn more about trustworthy access, using an eCommerce store as an example.
Access and trust level in CIAM
In an eCommerce store, users usually have the option of browsing anonymously and adding products to the shopping cart without logging in. This allows customers to explore the store and select products without revealing their personal data. However, as soon as they want to make a purchase or create a profile, they are prompted to log in.
The login, usually with a username and password, provides a basic level of protection for customers and the store. Once logged in, customers can save products in their shopping cart and edit it.
In order to manage the profile, track orders and store personal data securely, a higher level of trust is required. To secure profile access, multi-factor authentication (MFA) can be implemented. In most cases, this involves just one additional factor confirming the customer’s identity, which is why it is referred to as two-factor authentication (2FA): in addition to the initial login, customers must authenticate a second time, for example by approving a push notification or entering a one-time password (OTP).
In addition, there are certain products, such as alcohol, for which an identity check is required. This serves to ensure that only customers of legal age can purchase these products. The identity verification can be done, for example, with the cidaas ID validator using a fully automated AI-supported, video-based identity verification – at any time and without interaction with an agent.
These additional security measures go beyond what many eCommerce stores offer today. They serve to strengthen customer trust and ensure that their data and transactions are protected. By implementing 2FA and identity verification, eCommerce stores can provide a higher level of security and effectively defend against potential attacks and fraud attempts.
It is important to emphasize that the security of access procedures in an eCommerce store is a continuous process. Threats and attack methods are constantly evolving, and it is critical that security measures are regularly reviewed and updated to maintain protection.
Risk-based authentication for smart multi-factor authentication
Traditional MFA methods, while proven, are not foolproof. Hackers are constantly finding new ways to breach security measures, so it’s important to stay one step ahead of them. This is where risk-based authentication (RBA) comes into play. RBA is an intelligent authentication system that dynamically adjusts the level of authentication required based on the estimated risk of a particular login attempt.
In risk-based authentication, the system clusters observed behavior and evaluates various risk signals, such as user behavior patterns, device information, location, and time of day, to determine the risk level of a login attempt.
Let’s assume you log in from your home computer at a specific time each day. Such a login matches the known pattern and can pass with the first factor alone. If a login attempt is made from a different location or at an unusual time, the RBA system may require additional authentication steps, such as a one-time password (OTP) sent to your registered smartphone. This is referred to as smart MFA: the second factor is demanded only when the risk warrants it.
What does a customer journey, with trusted access, look like in an eCommerce store?
- Initially, visitors can browse the online store almost completely anonymously, without having to provide any personal data.
- After logging in, today still mostly with username and password, products can be saved and viewed in the shopping cart.
- To change the address or billing data in one’s own profile, further authentication, i.e. multi-factor authentication, is necessary, because this is a sensitive area for which a higher level of trust is required.
- If the products remain in the shopping cart for a longer period of time, the trust level of the session is downgraded: the user is still logged in to the account but can no longer make changes in the sensitive area. To do so, the user first has to re-authenticate via MFA in order to reach the higher trust level again. Even after ordering the first shopping basket, the user remains logged in and thus stays at the first trust level.
- However, if the user now wants to buy regulated products, such as tobacco or alcohol, it may be necessary to raise the trust level by two levels. For this purpose, the identity is checked and verified by an AutoIdent procedure. Only after successful identity verification (in this case, the buyer’s age is checked and verified) is the user authorized to purchase these products.
This example of the customer journey in an eCommerce store clearly illustrates how one moves between the different trust levels. The trust level is validated again for each access or action.
This can lead to a sixth step, in which the user, due to suspicious behavior, falls back to the lowest trust level and a new login, i.e. a new authentication, becomes necessary. Suspicious behavior is derived from risk signals such as access from another country or via another browser.
As users move repeatedly between the different trust levels, the risk and trust factors are validated against each other in the background. This is used to find out whether the previous trust level is still given or whether re-authentication is required. This continuous evaluation of trust is also known as Continuous Adaptive Trust (CAT).
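The trust levels of the customer journey and the risk-based evaluation described earlier can be expressed as a small policy engine that runs on every request. The following is an added example written for this post; it is not cidaas code and does not reflect how cidaas implements Smart MFA or AutoIdent. The level numbering, the action-to-level mapping, the freshness windows for MFA and identity verification, the risk weights and thresholds, and the names Session, Request, risk_score, effective_trust and authorize are all assumptions made for the illustration.

```python
"""Trust-level / step-up policy for an eCommerce session (added example, not cidaas code).
Level numbering, action mapping, validity windows and risk weights are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import Optional


class Trust(IntEnum):
    ANONYMOUS = 0   # browsing, cart without login
    LOGGED_IN = 1   # username/password: save and view cart, order
    MFA = 2         # second factor: profile, address, billing data
    VERIFIED = 3    # identity (age) verification: regulated products


# Minimum trust level each action needs (assumed mapping).
REQUIRED = {
    "browse": Trust.ANONYMOUS,
    "cart": Trust.LOGGED_IN,
    "checkout": Trust.LOGGED_IN,
    "edit_profile": Trust.MFA,
    "checkout_regulated": Trust.VERIFIED,
}
MFA_VALIDITY = timedelta(minutes=15)     # assumed: how long a second factor stays fresh
IDENTITY_VALIDITY = timedelta(hours=1)   # assumed: how long an identity check stays fresh
RISK_STEP_UP = 30   # assumed threshold: suspicious -> lowest level, new login
RISK_BLOCK = 70     # assumed threshold: not trustworthy -> blocked outright


@dataclass
class Session:
    user_id: Optional[str]                  # None means anonymous
    country: str                            # country seen at login
    user_agent: str                         # browser seen at login
    mfa_at: Optional[datetime] = None       # last successful second factor
    identity_verified_at: Optional[datetime] = None  # last successful identity check


@dataclass
class Request:
    action: str
    now: datetime
    country: str
    user_agent: str


def risk_score(session: Session, request: Request) -> int:
    """Aggregate risk signals into a score (assumed weights)."""
    score = 0
    if request.country != session.country:
        score += 50   # access from another country
    if request.user_agent != session.user_agent:
        score += 30   # access via another browser
    if request.now.hour < 5:
        score += 10   # unusual time of day
    return score


def effective_trust(session: Session, now: datetime) -> Trust:
    """Trust level the session holds right now, after time-based downgrades.
    A stale step-up drops the session back to LOGGED_IN without logging the user out."""
    if session.user_id is None:
        return Trust.ANONYMOUS
    if session.identity_verified_at and now - session.identity_verified_at <= IDENTITY_VALIDITY:
        return Trust.VERIFIED
    if session.mfa_at and now - session.mfa_at <= MFA_VALIDITY:
        return Trust.MFA
    return Trust.LOGGED_IN


def authorize(session: Session, request: Request) -> str:
    """Per-request decision: 'allow', 'block', 'reauth' or 'step_up:<factor>'."""
    score = risk_score(session, request)
    if score >= RISK_BLOCK:
        return "block"                      # not trustworthy at all
    held = effective_trust(session, request.now)
    if score >= RISK_STEP_UP and held > Trust.ANONYMOUS:
        return "reauth"                     # suspicious: back to lowest level, new login
    required = REQUIRED[request.action]
    if held >= required:
        return "allow"
    if held == Trust.ANONYMOUS:
        return "step_up:login"
    if required == Trust.VERIFIED:
        return "step_up:identity"           # identity / age verification
    return "step_up:mfa"                    # e.g. push notification or OTP


def demo():
    """Walk the customer journey from the post; returns the decisions in order."""
    t0 = datetime(2023, 8, 29, 14, 0, tzinfo=timezone.utc)
    home = {"country": "DE", "user_agent": "Firefox/116"}   # constructed sample session

    def req(action, minutes=0, **override):
        return Request(action, t0 + timedelta(minutes=minutes), **{**home, **override})

    anon = Session(user_id=None, **home)
    user = Session(user_id="alice", **home)
    out = [authorize(anon, req("browse")),                 # allow
           authorize(user, req("cart")),                   # allow
           authorize(user, req("edit_profile"))]           # step_up:mfa
    user.mfa_at = t0                                        # second factor completed
    out += [authorize(user, req("edit_profile", 5)),        # allow: MFA still fresh
            authorize(user, req("edit_profile", 40)),       # step_up:mfa: session downgraded
            authorize(user, req("cart", 40)),               # allow: still logged in
            authorize(user, req("checkout_regulated"))]     # step_up:identity
    user.identity_verified_at = t0                          # age verification passed
    out += [authorize(user, req("checkout_regulated", 1)),  # allow
            authorize(user, req("cart", user_agent="Chrome/116")),                 # reauth
            authorize(user, req("cart", country="US", user_agent="Chrome/116"))]   # block
    return out


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Running demo() walks the journey in order: anonymous browsing and the logged-in cart are allowed, editing the profile demands a second factor, the same edit is allowed five minutes after the step-up but demands MFA again after forty minutes while the cart itself stays usable, regulated checkout demands identity verification, a request from another browser forces a new login, and a request from another country and another browser is blocked. The point of effective_trust is that it never logs the user out on its own; it only lets a step-up expire, which is exactly the downgrade described in the journey, while the risk score decides between step-up, re-login and outright block.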
Furthermore, the evolution of risk-based authentication lets us state: never trust, always verify! This principle is implemented with the Zero Trust approach.
Trusted access with Zero Trust
First of all, it is important to know that in Zero Trust, every user and every request is considered potentially insecure. In a traditional perimeter-based model, once a user is inside the network, they usually have wide-ranging access to various resources. Zero Trust, on the other hand, assumes that no user or device is automatically trusted, even if it is within that network. Risk and trust signals are checked individually and each access attempt is authorized on its own, regardless of the user’s network location or device.
In conclusion, trustworthy access in an insecure world can be made possible for everyone through the Zero Trust approach.
A modern (Customer) Identity & Access Management like cidaas is therefore the core building block of an effective Zero Trust implementation, because Zero Trust cannot work without identifying the user and the device and authenticating or verifying them.
cidaas manages to keep the access trustworthy by continuously evaluating risk and trust signals. This means that if the access is trustworthy, the user is forwarded directly to the application. However, if a suspicious behavior is detected during the evaluation, the system automatically uses the Smart MFA approach of cidaas. This includes adaptive multi-factor authentication, which can be activated on a risk basis. If the access is not trustworthy, it is blocked directly.
Even though we are moving in an increasingly insecure world, new approaches and tools are constantly being developed to make access trustworthy and to protect our sensitive data. Therefore, it is necessary for companies, especially with regard to IT security, to always stay on the ball in order not to disappoint the trust of their customers.
Learn more about the Trustworthy Access & Zero Trust approach:
- cidaas Whitepaper on “Complete Zero Trust – The Paradigm Shift in IT Security”
- What is “Zero Trust” and why do we need it? (Part 1)
- Cloud, Mobile and Remote-work as Drivers of the Zero Trust Approach (Part 2)
- How Forrester and Google have made Zero Trust mainstream? (Part 3)
- Identity as the Core Building Block of Zero Trust (Part 4)