CIAM

Rela8 Central Roundtable

Published On
Apr 27, 2022

Listen to the following security and product experts share their insights in the webinar:

  • Jing Gu, Senior Product Marketing Manager at Beyond Identity
  • Kevin Wade, Senior Information Technology Security Manager at Lowe's
  • Richard Malach, Cybersecurity Consultant
  • Jerrold Johnson, Director of Security at Jushi Holdings
  • Luis Ossorio, Director of IT at FROSCH
  • Peter Fisher, Director of Application Product Management at Pearson
  • Linh Calhoun, Chief Marketing Officer at Replacements Ltd
  • Heidi Brown, Director of Product Design at Classy
  • Ali Somani, Director of Software Engineering at RealPage

Transcription

Francesca

So I'd like to introduce you, first of all, to your moderator today, Richard Malach.

Richard

Hello.

Francesca

He will be here to make sure that conversation stays on topic and to make sure that you all get your chance to speak. And, of course, we couldn't have these sessions without our partners. So I'm delighted to introduce our thought leader today, Jing, from Beyond Identity.

Jing

Folks.

Francesca

You'll also see on the screen. You've got a blank box up at the top. And that is our live illustrator, Raquel. So as the session goes on today, she's going to be illustrating in sort of a live time the main takeaway points from today.

So I'll spotlight that at the end for you. And it will also be shared with you after the session. It's all completely anonymized. So if you want to share it across your LinkedIn or anything, please do feel free to do that.

I will be here with my camera off for the next 90 minutes. I'll just be available via the chat function if you need anything at all. So without further ado, I'll hand you over to Richard and I hope you'll enjoy the session.

Richard

Great. Thanks, Francesca. Hey, everybody. How are you all doing today? My name is Richard Malach, and I'll be your moderator. I'll say a little bit about myself.

I've been a cybersecurity consultant for the last 30 years. I've worked in a variety of companies, from great big global enterprises to tiny little startups, in almost every sector you can imagine, from healthcare to government, oil and gas, financial services, gambling and gaming. I'm sure I've missed a few.

I'm currently with an airline at the moment. And we've been spending the last couple of years, while it's been a bit quiet, really fixing all our cyber snafus.

I'm really pleased to have our thought leader, Jing. So why don't you introduce yourself?

Jing

Yeah. Hi, folks. So my name is Jing, that's pronounced like "Jingle Bells" without the LE. So, currently, I'm lead product marketing for a passwordless customer authentication product at Beyond Identity.

So I've been pretty involved with the research, build, and go to market for this product. And I'm responsible for basically keeping a pulse on the market with proprietary analysts, third-party research, talking to security engineering products, even marketing roles at various companies.

You know, we're all long-suffering password users, mostly not by choice. And I think the problem is fairly complex. But I'm very passionate about solving this problem because it's a problem that's worth solving, right? Like cybersecurity authentication matters from a security, usability, privacy, as well as a digital accessibility perspective. So, really excited and looking forward to having this discussion with all of you.

Richard

Brilliant. Thanks, Jing. What I want to do, I want to just go round the table. If you can all say who you are, what you do, and really what's top of your mind, what you're really looking to get out of today's session. So why don't I start with you, Heidi?

Heidi

Awesome. Hi, I am Heidi Brown. I work for a company called Classy. We help nonprofits connect to donors. So we do fundraising. I am on day three. So I was previously at a company called Remitly that helps immigrants send money abroad, a remittance organization. I lead product design. So all about making beautiful products and making that experience great.

The things that I am interested to learn today, my mind was in somewhere different a couple of weeks ago, and so there's actually a couple things on my mind. One, in a world of B2B2C, what does that mean for someone logging in from that experience? Does the consumer side think they should have the same experience as on the business side? And if that works across many different companies, how would that customer actually have this experience in logging in?

I feel like I'm not saying this very succinctly. But I think, generally speaking, when these headlines about the friction that login has with customers, I have actually learned in my history that, sometimes, like in e-commerce standpoint, you don't need that friction. And in other cases, like a remittance organization, you do need that. If you're giving payment information, like, what does that mean? So customers actually have a higher level of expectation from a security standpoint.

So I want to learn. And I'm happy to share. I've worked in many sectors as well, so I'm happy to share some learnings that I've had along the way.

Richard

That's amazing. Thanks, Heidi. Ali, why don't you tell us a bit about yourself? And what's top of your mind?

Ali

Hey, everyone. My name is Ali Somani. I'm here on behalf of, I work for a company called RealPage. And actually, Erik Dahl was supposed to be here, but he couldn't make it tonight, so I attended.

And mostly I'd like to just learn what kind of problems my peers are facing. Maybe if there's something I am facing that's a problem, I'm facing that's similar, I can help or vice versa.

So I don't really have anything specific, a specific agenda in mind. But I will mention that most recently, Erik and I have been working on looking into like zero trust policy and the kinds of changes we'll need to make to adopt that. So that's really a very broad subject, but I just started throwing it out there.

Richard

Brilliant. Thanks, Ali. Kevin, great to see you again. Why don't you introduce yourself and what's top of your mind?

Kevin

Absolutely. Good to see you too, Richard. So my name is Kevin Wade. I am a senior manager in Lowe's Home Improvement working on our cybersecurity risk tools portfolio, which is kind of a broad catch-all portfolio. But in my time, my eight years here at Lowe's, I've been through payments. I've been through identity. I've been through corp, admin, legal. And now, I'm in this spot I'm in, you know, leading a fantastic team.

I think for Lowe's, in general, the biggest concern we have that really dovetails well with this subject is basically looking at the cases of fraud. So customer fraud, hijacked accounts, things along those lines. Online has become such a huge vector for fraud. I think that's probably one of the biggest interests that I have in today's discussion.

Richard

Brilliant. Thanks, Kevin. Linh, if I've pronounced that correctly, why don't you tell us a bit about yourself.

Linh

Yes, I am Linh Calhoun. I am with Replacements, Ltd. And I am listening to everyone introduce themselves. And my perspective will be more specific, perhaps, to the customer experience and hearing more about the technology side related to, how do you better support or what tools there are to support?

We are B2C. And as Kevin just previously mentioned, the fraud component online piece, the security, and how do we continue to think about the authentication we will need to partner with some of the third-party connectors we have to our website over time. So really also probably here more to learn and understand and observe.

Richard

Brilliant. Thanks, Linh. Peter, why don't you tell us a bit about yourself and what's top of your mind?

Peter

Hi, I'm Peter Fisher. I work for an education publisher software company called Pearson. It's a very large company. I head up a group for an online courseware application. And I'm very interested in this topic because we need to balance concerns of data privacy and security against interactivity and ease of use. So interested in how we might improve our offering those with.

Richard

Brilliant. Thanks, Peter. Luis, would you like to introduce yourself?

Luis

Sure. Luis Ossorio. I manage IT and security for a global company called FROSCH. We've got staff on every continent and I'm always interested in everything that has to do with security, and so I'd love to learn from you guys.

Richard

Great, thanks, Luis. Finally, Jerrold, tell us a bit about yourself and what are you looking to get out of today?

Jerrold

Previously the director of technology and security and surveillance for a company called Jushi Holdings, which is a marijuana company. So the challenges with that, as well as it's an all-cash industry, and trying to get folks to understand about those compliance rules that you have to put in place. And, you know, they're kind of freewheeling with it. And it's a challenge to try to get those folks to understand.

So I'm trying to get some more tools and knowledge to understand what it is that I don't know, what it is that I can implement, or what it is that I can take from you guys, what you can learn from me as well.

Richard

Brilliant. Thanks, Jerrold. All right. Well, really great to have you all. Before we get started, just want to remind everybody, it's like even though we're miles and thousands of miles apart, we're having a friendly discussion, friendly round table, everyone's got a thing to say, I'll try and make sure everybody has equal say.

If you've got something to say, either take yourself off mute, raise your virtual hand, drop me a chat, or even do the old...which, surprisingly enough, I'm actually really good at spotting. So without further ado, let's go to Jing, who's going to set the scene for the day's conversation.

Jing

Yeah, I feel like those intros were really good scene setting. So customer authentication, right, it's the front door to your products. And if we follow that analogy, the front door is supposed to keep the bad guys out and the pests out, but also let the right people in.

It's one of the first interactions that a customer will have with your product, which makes it a high value target for attackers. And where users go, attackers will follow. So as users are moving online, we're seeing just an incredible increase in attacks.

So I think, you know, the stakes for getting it right are very high. But then again, when we say right, that implies that there's a less correct way of doing this.

And, you know, before we even dive into, like, what's the ideal customer experience? Like, that question comes on the heels of, there's something today that is a problem. There's something today that we're all struggling with as consumers and in our professional lives. And, you know, a lot of you have mentioned the friction aspect and usability aspect and balancing that with fraud.

So just given the criticality of the customer experience, let's start from there and just talk through, you know, what frustrates customers about authentication, if that sounds good?

Jerrold

I think the layers, so many layers to kind of get through, right? So I've come from the background of Disney, too. So Disney and their whole authentication process and trying to get through their layers, of the customer getting to the product, right, and so many layers.

Customers want to kind of move around freely is what I've learned through my years at Disney. They just want to move around freely and try and get to the product, get the product, and move away, right? But if we put so many layers that customers are more apt to go to another website, or go somewhere else, or find a product somewhere else.

And somehow, Disney architects have found a way to kind of keep those customers on the page, whether it be, I don't know, some princess dancing across the screen, or whatever it may be. But Disney has found a way to kind of keep those customers alive and thriving, whatever it is that they do.

But I think the biggest thing is so many layers for them to get to what it is that they need. I think that's what any customer, even when you walk into a store, "I don't want so many layers to get to what it is that I'm trying to do."

Richard

Thanks, Jerrold. Heidi.

Heidi

Yeah. I'll add on to what you just said, Jerrold, because I agree with the layers. So when I think about like things that I have learned from customers I have served, so often we do double verification, whether it's MFA, whether it's, you need to provide your email twice, and then you go to your email to verify.

I mean, that's friction right there. Because a customer has to leave the platform that they were just on. And maybe you get them back, and maybe you don't, so that does hurt business.

And then if you don't do that, then we have issues of not keeping the pests out, as you said, Jing. And then we can also have challenges of, let's say, they have their password wrong. Maybe they like, fat fingered their email when they typed it in. So we don't even have their credentials, right? So I feel like there's such tension in what businesses need to do this right and what customers want.

The other thing that I have also seen is that in some scenarios and some businesses, and we have this at Remitly and we do have this at Classy, is that people share accounts. So now what does that mean?

So, you know, and then what if, let's say at Remitly, customers were like five different members in a household were sharing the same account, one person had a different payment method. But those payment methods were attached to the original customer. And so what is attached to that authentication was not necessarily what the customer really wanted.

Richard

Oh, I can see that. Kevin, you're nodding along, what are your thoughts?

Kevin

I think for us being in the home improvement industry, it's an interesting problem that we have in this area, I would think, is we have, not every customer is the same, right? If we look at it, kind of two broad categories, if we break it down a little further.

But for this discussion, I think you can look at your normal average consumer. So do-it-for me or do-it-yourself type consumer who is maybe just going out and buying a refrigerator or an appliance or, you know, some lumber for a backyard project or something along those lines.

Then we have the pro customers. And the pro customers are in a completely different scale and a completely different, you know, "I'm gonna go out and buy 24 washers and dryers at a time" for these vast projects that they have.

And they have very different needs. They have very different wants. At the end of the day, they all want it to be simple and easy for things not to get in their way. But it does make it very challenging because we have two completely different scales of what they want out of their buying experience, you know.

Where your average consumer may be, "My payment details, and my shipping address should match." For the pro, that's not always the case, right? You know, they don't want this massive order to all be delivered to their house or to their place of business. They're gonna want it delivered to the job site. So that suddenly introduces a whole new complication when it comes to any sort of online buying behavior.

Richard

Good. I'm gonna go to Jing, then I'm gonna go to Linh, if I may. Jing.

Jing

Yeah. So, authentication. Like, I hear a lot about, you know, people say, "Oh, visitors come through my website. I see all that traffic. And then I can literally see on the graph where people just drop off a steep cliff because they hit a registration page." And just to put some numbers to that, right, like 67% drop off at account creation, just due to password requirements.

But authentication doesn't stop at registration. It spans the entire customer lifecycle. You know, you have your initial acquisition and registration. You have ongoing engagement at login and retention or recovery. And each of those steps ends up being a friction point for users. And anytime there's friction in the user experience, users typically respond to that by saying, "Oh, I give up" or "I'll try again another day."

I think the reason there's been so much research around that initial registration piece is, once you lose a customer at a first impression, you might never get them back. If they drop off at login, maybe they'll come back and try to recover another day.

But if you lose at registration, they might go to a competitor or just kind of give up on the project altogether. So authentication spans the entire lifecycle. It's critical. And anytime there's friction in the experience, people tend to drop off.

At the same time, I don't want to just take friction as public enemy number one, right? I think there's a way that friction can be leveraged, right? So there's a sense in which, like, if you ask me for a two-factor authentication or verification, I expect that from my bank account. The risk levels for that action is different.

So if we can get to a place where authentication can be risk based, right? So risk can look different for different industries, with different customers, like Kevin mentioned, and it can look different for what they're attempting to do.

If I'm just trying to browse an e-commerce website, a lot of e-commerce websites will have anonymous browsing. That's totally fine. If I log into my account to make a purchase, there might be guest checkouts, right? And these are the ways that different industries have sort of calibrated to balance friction and usability.

But if I'm trying to go in there and change my account information, get the credit card information, that is a very high-risk action. And if you give me a two-step, that actually makes me feel safer. So I personally don't think friction is public enemy number one. I think when you can get to a place where friction can be strategically leveraged based on risk levels and trust levels within the account, I think that actually is a really good user experience.

And then, the account sharing. But the account sharing piece is also really interesting, right? Account sharing happens all the time. Like, the media companies really struggle with this. I don't even know how many people I have on my Netflix account anymore. Whoops.

Richard

Share prices are tanking because of this.

Jing

Sorry. It's all my fault. But it's an interesting question, right? Because some business models actually do well with an account sharing model. But not having limitations on that is progress and different payment methods attached with different customers, it's also a really interesting question. So I don't have a decisive answer there. But I do think that's a really interesting point to kind of earmark in the conversation.

Richard

Great. Thanks, Jing. Linh, over to you.

Linh

I find this conversation very interesting, because the thing I think about is, I appreciate the reference to leveraging the friction component and to me, what made... This may be very elementary, so please excuse this. But it just makes me wonder, how do you best educate that consumer as to the benefits?

Like it seems like it would be intuitive and understood as to why we are creating these levels of authentication. But sometimes, it's not. And I don't know if it's a demographic and age, which could be me just saying that and/or the user type, how can we think through, because what happens for us is account setup, forget your password, you need to call us, create that friction.

But we can engage with the customer then through conversation, which provides an opportunity, but it is frustrating, and it takes more time. I'm not sure if any of that makes sense. But just thinking through how can we best educate, I guess?

Richard

Yeah. Luis, have you any thoughts? I go to Luis, Peter, then Ali.

Luis

Sure. So risk is something that I'm always looking at. And this conversation brought flashbacks from a prior lifetime. So I always try to use technology to make things friendly to my users. So I turned on SSO very quickly to many of the systems that we use, and all of our users around the world very quickly.

So single sign on is probably the friendliest thing that our population of users will find. And it's probably the thing that will keep frustrations at bay. But risk is something that we all need to analyze. And the human is the weakest link in our security world. So I'm always looking to have more layers of security in my security onion, more, more, more layers. As one gets penetrated, I want to make sure that I have the next one ready to keep our security world.

In an older life, I had to deal with a lot more fraud and risk analysis. And we had additional pieces of information, such as the product code. So when Kevin was talking about his washer and dryer customer, and instead of buying 1, buying 20, so I could be that one customer but I could also be that same customer as an investor that owns a complex with 20 doors or 40 doors, so 120-apartment complexes, and which is a real-life scenario. I happen to be, you know, maybe both.

And so, the product code is something that you can drop in a little bit of extra information into the transaction. So in this prior life, I had to authorize that transaction that came to my host.

So if that information was in there, then I had to deal with, is this a stereo? Or is this a piece of gum that has been bought at a retail store? And what time during the day was this transaction completed? What zip code did this transaction come from?

So there's a lot of information that you can gather. And depending on who the customer is and where it came from, you can extrapolate additional information, associate that with risk. So, security, as you guys can tell, it's something that's very, very interesting to me. And I'm always wanting to learn from you guys, the experts. Thanks.

Richard

Thanks, Luis. Thank you. Peter.

Peter

Hi. Okay. So our products have elements of some of the others' challenges, but our products are usually a supplement to a student's life. And they, while we want them to log in frequently, they don't always. And single sign on goes a long ways. But we also allow them to use our products with both computers as well as mobile devices.

And so a big driver, a big support cost for us is forgot password, even though we have, frankly, really good user flows for resetting passwords and even being able to send them via text, the ability to reset their password. We're not quite there in terms of ease of use, where I think we need to be.

And so, you know, passwordless authentication is interesting. And I understand that, you know, balancing the type of risk with the rigor of the authentication process, I think, we also have additional internal challenges of what authenticated users might be able to do that we need to deal with. But I'm intrigued by the idea of passwordless authentication.

Richard

All right. Thanks, Peter. Ali.

Ali

So, I agree with Peter and Luis when they were talking about SSO. Specifically within my company, we're actually a company of acquisitions. And we've made a lot of acquisitions over the last decade or two. And so, we haven't done, historically, a great job at integrating all of these acquisitions.

So we're a company of companies, and sometimes what it feels like, and so when customers buy multiple products, previously, there was a lot of friction between from one product to another, whether they have to, essentially, re-log in every time. We've since solved that problem with SSO.

And we also support federating with external identity providers. And to give you a background, we sell software to apartment management companies. So they might be a company that buys multiple apartment complexes, and he may need to log in to manage them or do certain kinds of activities based on the product they've bought.

And so one of the things we support is SSO with an existing provider that they already have. So new customers wouldn't necessarily need to have their own username and password for RealPage products. They can just use whatever they're used to. And that kind of leaves the boat in their password, forgetting a password, recovering the password, password complexity, whether or not we need to enforce MFA outside to something that our customers are used to dealing with.

Or if they decide to use our solution for that, that's also fine. But it kind of gives them a little bit more control. So it's all a matter of balancing risk with, you know, the friction that we've been talking about. We allow our customers to kind of decide that, up to a certain extent, we don't want it to be wide open where you can't just not have a password at all either.

Richard

All right. Jing.

Jing

Yeah, I love that part about no passwords. We really want to get rid of friction, let's get rid of the password, but not in the way you imagined.

Richard

So why is it such a dangerous expression, passwordless?

Jing

It really is. It's like, "We'll just get rid of the password." Everyone, come one, come all.

So I want to go back to the point about, you know, like, how do you educate users around this, right? Because engaging with users is really important. And unlike employees, you have no control over the end user of consumer products and services. I think there's three primary ways that I'm seeing companies do this.

One is they're just trying to enable within their product, transparent access and control, right? So that could be a centralized control center for users where they can manage trusted devices, privacy and consent settings, and data sharing permissions, all of those good things. Because transparency and control are kind of the antidote to privacy concerns.

And I think in doing that and having that sort of functionality in products actually starts enabling end users to empower themselves around their own digital security and privacy. I think, you know, hand in hand with that... So that's the first way, like transparent access and control in user-friendly language accessible within the product.

I think the second thing that goes along with that is habit formation. So, you know, maybe every month, giving them an in-app cue that says, "Hey, you haven't checked your trusted devices in quite a while. Like, do you want to take a look?" That they can easily dismiss.

But for, you know, very security-savvy people, you know, that kind of reminder is typically very well received. And for less security-oriented folks, that habit of actually being cued up to kind of check their security posture helps them get in the mindset of, "I have some semblance of control over my identity and security."

And I think the third thing is, as companies and as people who care about this problem, I think, we need to start thinking about how we can start shifting the burden of security from humans to technology. Taking the load off of end users is really important. And it turns out, there are technologies out there today that can sort of mitigate some of the risks that come with passwords and just kind of human errors around there.

We're really prone to phishing, the social engineering schemes work really well. And that means not only can the password be phished. MFA can be phished, right? Notification flooding, they send thousands of notifications to your phone. What do people do? They just click it, and then they're in. And that's a really common attack pattern. Or credential stuffing, where previously breached passwords, you know, it happens to all of us, and we reuse passwords.

So how do we start, you know, shifting the burden, right? Personally, I think, you know, our modern devices have come with, you know, local device biometrics that are never transferred over into a cloud. There's proven security protocols like TLS, which secure trillions in transactions daily. And all of our devices have secure enclaves, right? That's the TPM, the hardware part of the device.

There's actually a really interesting lawsuit in the United States where the FBI said to Apple, like, "Hey, like, we need to get into this criminal's phone." And Apple said, "No can do. Like, the TPM is what it is, we cannot crack it." So the FBI went to some external firm to try to do that.

The point being, right, there's mechanisms within our devices today that mostly everyone owns that can help organizations move away from authentication with shared secrets and move towards kind of a passwordless world facilitated with local biometrics, asymmetric cryptography.

So to kind of wrap up that thought, right, you want to empower the end users, you want to build these good cybersecurity habits, and sort of in parallel, think about, like, what are the technologies that are available today to really shift the burden from an individual basis, and onto things that have been proven to be secure and work in our current digital infrastructure?

Richard

All right. For me, in the interim, I mean, this is exactly where we want to get to. But for me, in the interim, not having, "Oh, which passwords have got complex passwords, which password stuff to have this extra character, all these characters." And it all seems, sometimes meaningless. Because, really, as we all know, if we have to use passwords, it's length, not complexity, that really... So let's make it easy for everyone.

Anyway, as we move on to our next topic, you know, we really want to understand here how you guys think we can balance friction versus security when evaluating customer authentication solutions, such as MFA? Can I start with you, Kevin?

Kevin

So, I'm actually, I'm gonna go in a slightly different direction real quick. I think this is interesting. And the idea of customer friction is extremely important, you know, obviously.

But to us, there's another component here of the friction equation, and that is internal teams having to track down and deal with potentially hijacked customer accounts trying to protect our customers on their behalf. And that eats a ton of man-hours from teams that don't have a ton of hours to spend, just tracking down these sorts of things.

So one of the things that my team is actually in the process of working on right now is taking because, of course, our customer, you know, credential database is completely separate from our employee database, right? You know, you want those things to be separate. Please. Hopefully.

But if the algorithms that have been set up for the e-commerce site, for the omnichannel site, if it detects some sort of fraudulent activity, rather than sending an alert to a team to do something on behalf of, you know, trying to determine, "Do I lock this account? Do I notify the customer? Like, how do I deal with this?" We're completely taking that part of internal or employee or security operations friction out of the picture, by automating those alerts, sending them to our automation tool that our SOC utilizes for any sorts of alerts throughout the entire business.

And that tool is actually going to automatically lock the customer's account and send the customer an email saying, "Hey, we saw something kind of weird. If this was you, you know, don't worry, just click this link to reset your password."

So we're actually looking to automate away some of that internal friction, that, you know, where our internal teams just have these mountains of... Like, our volume is ridiculous. You know, we got close to half a million employees. If you look at the volume that we do, it's insane. There just isn't enough time in the day to actively chase down every single alert that we get.

So we're looking to automate some of these things to try and keep our customers safe. Sometimes, despite themselves, you know, for the customers who have, "I use the same password on every single website that I log into." These bad security habits.

But to at least try to keep their information, their payment information, their payment sources, all these sorts of things safe, sometimes, despite themselves. So that's kind of the journey that we're going down right now.

Richard

I can see Luis wanting to say something. And also, I think Jerrold has got something to say. Go on, Luis.

Luis

Yeah, I think that's a pretty bad idea using the same password. So we provide guidance to our population of users. And so, I have my engineers build little, well, I guess, articles, solutions, tips and tricks to send. And that's a big no-no. And we automate everything possible.

So when Kevin was talking about having a lot of users, and a lot of requests, and not enough staff, okay, that's all of us. You know, we don't have enough staff. And we don't have enough pennies to go chase every one of those things. But we do have some artificial intelligence, some ML, machine language. And those things are being a little more effective today.

So let's make use of those tools. So those things are being a little more impactful today. And there's these guys up in Bradman that are pushing Power Automate. Those actually are getting a little friendlier.

So I've spent some time with Microsoft and building some things. And my engineers are doing more things with Power Automate than Power Apps. And those are included with the E3 and E1 type of licensing. So I'm doing more of that. And I'm pushing all of my security logs into Sentinel.

So I'm consuming a lot of Microsoft and I give them a lot of money, but I'm getting a little more intel. So my queries out of Sentinel are now producing a little more intelligence. And yeah, but when Kevin said using the same password that part of yours, it's like, okay, we can't fix stupid. But that one, I think we can. Sorry.

Richard

Oh, that's okay. Luis. Jerrold.

Jerrold

Yeah, I definitely agree with Kevin that using the same password is sometimes the craziest thing. But I know, at some point, all of us have done it, right? When I have not that understanding that, you know, this is really bad.

And I think also there's a separation when it comes to... Customers want protection, let's not think that they don't want that protection because they absolutely do. But where they want protection is the thing that we need to figure out, right? So there's a separation. There's a separation between my personal information, my credit card information, all of that, my date of birth and all that information, they want protection on that stuff. They absolutely do.

But when it comes to e-commerce and me wanting to just purchase a product, somehow there has to be a separation of the two because they really want to just move around, log in, and get their things and move on, right, into the next page. And like, you know, most customers get to that page. And then when they get to authenticate and do something else, they absolutely fall off.

I do it all the time, right? I fall completely off the page, and I find somewhere else to find my product, or either I'll just walk in the store and get it although I don't want to. I want to stay online and purchase it online.

But the separation of the two, between my personal information, credit card information, and all of that information, customers will do all type of authentications to make sure, and they are okay with that. But they will do it simply because, "This is my personal information. I don't want anybody else to have it. So whatever it is that it takes for me to authenticate myself, I'm okay with it."

But when it comes to me buying a pair of socks online, I do not want to go through seven authentications right to try and get a pair of socks. So I think there is some type of separation of the two. So we have to figure out what that fine line is.

Richard

Thanks, Jerrold. So, I'm gonna go to Linh because I thought I saw her flash her hand in the air very briefly. And then we'll go over to Jing. No, Linh? So just go straight to Jing. Okay.

Jing

Yeah. I think a lot of this comes around, you know, the self-remediation aspects of the customer experience. You know, when they can fix their problems themselves, it takes a load off of your support teams and your engineers.

And, you know, like, customer support. I hear a lot of companies just say they spend most of their time dealing with password resets. And that's, you know, part of the reality of the world today. I think when it comes to self-remediation, you can have FAQs that are accessible, you know, automating like I think someone said, I think it was Luis who said, you know, engineering-contributed FAQs. I think those help articles are really important.

And also, an idea to make those help articles accessible without mandating authentication, right? Like, "If you need to reset your password, here are your steps." If you require that I'm logged in to see your help article about how to reset my password, suddenly, I can't self-remediate that.

I think another really interesting thing to consider is dynamic risk-based policies, right? All applications consume a ton of risk signals and those risk signals, what I hear most frequently is, "I'm a CISO at a company and I'm sitting on a load of risk signals. And there's nothing I can do about them. I can kind of look back at them and see if fraud is happening, if you know there's a security risk here and there." But it's not a preventative thing, right, it's going backwards and retroactively trying to identify risk and dealing with it.

So I think really exciting advancements in risk-based authentication gather real-time risk signals from the device that is attempting to authenticate. And using those risk signals to kind of inform step-up authentication.

So Impossible Travel is a really good example of this. If I'm logging in from a location that is physically, that I don't see very frequently. For instance, I'm logging in from Turkey. And, you know, the application knows that I'm not in Turkey.

That's an opportunity where you can say, "Hey, like, can you give me your biometrics? Like, I just need to verify that you're actually attempting this." So geolocation can be a really good risk signal for that.

There's another one that's interesting for security verticals, which is jailbroken status. So if your device is jailbroken, it's much more likely to have malware running on it. And, you know, it's inconspicuous, and it's not the user's fault.

But there are companies out there, specifically in the FinTech space, even more specifically in the cryptocurrency space, because people really don't want their crypto accounts to be hacked, who say, "Hey, like, if you're using a jailbroken device, I'm going to need you to give me your biometric verification." Or, "Don't log in from this device, like go to the web app, or until I have a trusted device, you can't gain access to this account."

Like if you're doing Impossible Travel, like logging in from New York, and then two minutes later logging in from Beijing, like, that's impossible. We're gonna block that. Or you can say, "A jailbroken device, if you're really sure, I'm gonna give you a caution sign, you're gonna give me a biometric. So you're making an informed choice."

I think those are all really good ways to kind of inform the user, empower them. And also give them a little bit of a speed bump in the road to say, "Hey, like, are you sure?"

Richard

Good advice, Jing. I'll get to Heidi next, if I can. We're talking about balancing friction and security when evaluating authentication solutions.

Heidi

Yeah. So the one thing I am thinking about right now. Okay. So when it comes to like devices, I feel like there's so much more that we're able to do on our phone. Like, there's so many more things to tap into to really know the user.

What I have also seen is like, for many companies, including the one I'm working for now, a lot of our customers are in desktop. And desktop, I think, there's more challenges at times with desktop. But, actually, I'm not sure if, like, maybe I am naïve to that. And maybe there's been more progress there.

But I think from a desktop-specific standpoint, I've seen more challenges from account takeovers more than mobile because there are... So I'd love to learn from... I don't have any comments other than questions around devices. And specifically, what can companies do on desktop to really make sure that we're letting the right customers in and adding those speed bumps, I like the way you said that, for the customers, that maybe they're not the customer?

Richard

Ali, how do you guys deal with this? Because you cover a whole bunch of companies which you bring together?

Ali

Yeah. I think some of the existing guidance is similar to what we do as well. We have also employee versus customer-type authentication, and the rules and specifications are different for each and they are tunable. Right, so we can change it according to whatever the use case may be.

But specifically, for internal, and I've seen this as well, is we have tools that we leverage. I'm not familiar which tools they are, because I'm not part of the InfoSec team, but that use AI to use location-based information like IP address and your locale and, you know, other mechanisms on Reddit, like browser fingerprinting and things of that sort to be able to identify, you know, "This is maybe a device that's in the right place, but I haven't seen it before." Or, "This is the right device, but why is it in New York now when 10 minutes ago, it was, say, in Dallas."

So I think that using data and AI is probably kind of the way to go, maybe going forward. And without necessarily having to increase headcount and doing any kind of manual interactions. And there's a plethora of tools out there that can be leveraged for that.

Richard

Thanks, Ali.

Luis

Let me add a comment to that. The VPNs, depending on where the user is, and my company has users all over the world. And they really do go all over the world. So we do send those messages. "Hey, are you in Paris?" "Yes, we are." "Are you in South Africa?" "Yes, we are."

So depending on where they are, because we see logins... I happen to be in Houston, we see them in that country, and then we see them in Houston because of a VPN software. We might be able to see two logins in the U.S. and in that country, very close to one another. So it really depends on that particular user and the software that they have to be using for anonymity or security. So that's the one exception.

But depending on what security client you have, we have like Falcon from CrowdStrike. Then that brings the second piece that will keep you secure. So AI will come back to the rescue and keep you safe.

So there are some ratings that I pay attention to. And that is, the client will give you a little bit of extra information, and Spotlight also tells you, is this a common thing or is it a rare occurrence? And what is the rating of the risk? So those are two of the things that I look at. Thanks.

Richard

All right. Thanks, Luis. If I can maybe go to Peter, and then over to Jing, please.

Peter

I'm thinking about the risk profile and versus our needs. And other than a subset of our users who we don't want to give access to some part of our public offering, the risk is actually kind of low for our users. It's more about, basically, protecting their scores, and the risk of their scores being, you know, hacked and released is much more of a public relations issue for us, versus some student who does poorly on an exam. Nobody really, other than that student and their school really cares.

Part of the risk factor is, if we were to get, you know, hacked or infiltrated, it's more of a public relations issue. And then it comes down to, you know, when that happens, what measures did we take to prevent it? And what's reasonable?

So it's balancing the public relations of a breach, as well as the user. The data that we have about users, which really isn't all that interesting. It's just people love to point out our flaws.

Jing

Yeah, I think the public relations piece is pretty important, right? There was some interesting research from the Ponemon Research Institute, I think it was back in 2020, that said, "Publicly-traded companies experience an average stock price decline of 5%, immediately following disclosure of breaches."

And then afterwards, they experienced a lot of issues with like, acquisition, because the long tail of that breach is kind of a loss of trust in the marketplace, which is bad for business. That's the one thing I'll say about that, like, reputation is pretty important, especially when I think every industry has just an incredible amount of competition nowadays.

And the other thing I'll say is, on the mobile versus web experience piece, this is interesting, because I hear this sentiment a lot. Actually, you know, people tell me, mobile experiences are better because we can actually do more device fingerprinting, device identification on mobile. So we put more trust on the app on the phone. Also, because they can verify possession, right? Give me your biometric, your local pin, and I can sort of understand that you own or can access authentication into this phone. So I do hear that a lot.

At the same time, all is not lost on the web front. I think there are two technologies, or standards, that I think are really interesting on the web. So there is Web Crypto, and WebAuthn. I think so, both of those allow you to eliminate the password and instead rely on public-private key pairing.

The difference is just like why WebAuthn is associated with FIDO. It leverages hardware TPM. Web Crypto uses a software TPM, and it runs in the context of the browser. And I think what that allows you to do is, one, you know, you can eliminate the password. Instead of the password, you're using cryptography that can verify the user's identity with much stronger trust.

Also, while there are browser limitations on the web, so you can't do device fingerprinting as exactly as you can maybe on a mobile device. There are some risk signals that you can maybe look at including browser version, operating system, IP address. If it's a known sort of bad actor acting from a known bad IP address, there's a proper term for it, I'm just forgetting it now, VPN-enabled status.

So there are some risk signals that you can gather from the browser. It may be less robust. But for a lot of use cases, it is enough to kind of mitigate a huge amount of the risk. And, again, I think FIDO is pretty widely supported as a standard now. So that's one direction to look at, if you're trying to kind of reduce the risk in a sort of desktop web context.

And, you know, if you have a mobile device, and you want to restrict some high-risk actions to just a mobile device where you have better control and visibility. There's an argument to be made for, you know, these features, or these capabilities are only accessible on the mobile device, please go and download it from the App Store. So those are my thoughts on the conversation so far.

Linh

Can I ask a question? I'm curious. Did you say mobile apps could help provide some level of security? Or you would approach that, the security around an app differently than if you had your website being accessed via mobile?

Jing

So the website being accessed via mobile, so that's the mobile browser. I'm specifically talking about native mobile applications where you can pull some more information about that exact device in the web context on a desktop.

So we go to website, www., whatever. A lot of companies, those web apps are limited by browser limitations. That browser is not necessarily interacting with the device itself. It's kind of an enclosed environment. So that is kind of the way in which you'd have better device identification and fingerprinting on a native mobile experience versus a web browser experience, because you're necessarily sort of limited by that browser playground, for lack of a better word.

Richard

Sorry. I put my mic on mute while I was pouring myself a glass of water. I didn't want to interrupt the conversation. Right. So we're kind of onto our final topic of discussion, why reducing fraud and account takeover builds long-term customer retention? Perhaps we could start with you, Ali. Well, what are your thoughts from your organization?

Ali

I think it comes down, a little bit. One aspect of it would be what Peter mentioned earlier, and that's the PR aspect of it, right? If you have a breach or you recorded a data breach, or somebody said you had a breach in the public domain, that impacts your ability to retain a certain type of customer, which may be a large group of customers, depending on the product.

But I would just like speak personally, whenever there's some kind of breach for a company that I use, a product that I use. I get a little nervous. I start looking for a competitor, or at least do some kind of analysis and figure out, could this have impacted me or should I be worried? And yeah, so I think the PR aspect of it is pretty critical.

Richard

Thanks, Ali. Kevin, what are your thoughts? Then we'll go to Peter. Sorry, Peter.

Kevin

I completely agree. And being in the retail space, you know, we've seen, you know, the Target breach was a pretty big hit for their bottom line for a while. I know they lost market share during that period. It was not good.

And then, the flip side of that are, our main competitor, who shall remain nameless, you know, it seems like they were made out of Teflon when they got hit because I think that news cycle just happened to be focused somewhere else when that occurred. So you're really rolling the dice.

But I think the costs of a breach have just continued to go up and up. You know, and that's brand damage, that's potential liability that you're paying out. I mean, hell, cyber insurance premiums are going up, you know. You're getting hit from multiple angles. And it's just way too big of a risk because if you lose that trust or that confidence that the public places in you as an institution, then that's hard to win back, especially with individuals.

And if you're dealing with a space where your customer base maybe isn't as technical, that makes those risks even higher because they just hear breach, and regardless of what the actual facts are, it can be just a PR nightmare for those who maybe aren't very, you know, deep into the technical aspects of cyber, which most of the public are. Let's be honest.

Peter

This actually is an acquisition, a customer acquisition topic too, because, you know, we have B2C products, as well as B2B products. And in the B2B products, we are frequently asked by public universities and school districts to answer a pretty lengthy RFP questionnaire, which includes questions about what our security practices are, and how do we authenticate users? And do we follow different standards to do it?

So there is an aspect of, we put things in place so that we can tell our customers, "Yeah, we're the most secure in the market."

Richard

I'll tell you what. Well, let's go to Jerrold, then we'll go to Jing.

Jerrold

Yeah, this part is a real learning aspect to me because, you know, me being in a CAS industry. You know, most of my issues come from, you know, information data. And then, you know, the pharmaceutical, you know, the Virginia State Board of Pharmacy governs what we do. So it is governed by the federal government. So, and it is medicinal here in the state of Virginia.

So the complications of that information getting out is...and then we violate HIPAA laws and all kinds of... It gets so legally complicated when that information from where my perspective is, is trying to get these guys and educate these guys before we get on that platform of cyber and all of that information being released, trying to get them to understand the ramifications of it with the publicity of it.

That gets way out of control from my perspective and me trying to get these guys to understand that this gets way more complicated, especially when we're talking about pharmaceuticals, we're talking about HIPAA, then we're talking about putting some implementations in place for cyber. And we don't have all the protocols around it and trying to get them to understand that, "Listen, this could be a PR nightmare for a cannabis industry who has just gotten started." This industry, right so the cannabis industry is still fairly brand new. Right?

I want to say this without it being so loose. There are no real protocols and laws around cannabis in that way. As you can see, because there are many states that still have them legal, right? But that's because they haven't figured out what the "retail" portion is going to be. And so it gets a little more complicated.

What can we say? That the cyber portion, it gets so mucky. And they don't quite understand what the ramifications might be. So for me, I'm learning a whole lot of information and understanding what some of this stuff is and it is absolutely complicated because you have a lot of people that don't understand.

And, for the most part, we all understand that security takes money away from an organization. It does not bring you any money. So then there's that part, too.

Richard

You know, some security is expensive. Jing.

Jing

Okay. I had a thought. And then Jerrold said his piece. And now, I have more thoughts. So, right, security is seen as a cost center. But you know what? When you do customer authentication right, it drives revenue.

Like just picture, a world is where there's less friction or minimal friction at registration, login, and recovery. Suddenly, your conversion rates are going up. You're acquiring more users. You're engaging more users and you're retaining them. And all of those metrics are metrics that businesses live and die by.

So I think what's really exciting about customer authentication is not just the opportunity to mitigate risk. But to have the opportunity that once you do it right and do it right by your customers and your company, it actually moves the needle forward in terms of revenue.

And that's why I personally think customer authentication is so interesting, compared to, you know, like employee authentication. Employee authentication is also so complicated with, you know, your EDRs, MDRs, and SSOs, and VPOs, and that tech stack. Anyway, so let's... Oh, go ahead.

Jerrold

For the record, I'm gonna use that.

Jing

Yeah. No, take that, and make your argument for why companies need to invest in customer authentication. Like, you want to see your conversion rates come up.

There was one time, I was talking to quite a large pizza chain in the U.S. And the security folks were really intrigued by, actually, it was an MVP of our product. So at the time, we hadn't made our product into SDK form yet, so it wasn't embedded. And they were like, they loved it. Like it's super secure.

And then they bring it to their marketing team. And the marketing says, "Hell, no, you know, you touch my conversion rate by 0.01%. And I'm gonna strike this down." And that was why, you know, for the Secure Customers product, we really took a look at how to improve the user experience. Because once you can do that, you start being able to, like, really generate that revenue.

Okay. Anyway, so on the fraud and retention piece, I think, you know, we're living in a post-Cambridge Analytica world, people are less trusting than ever before. Every industry is competitive. And people do business with the brands they trust.

And I think when you put those factors together, solving the fraud piece is not just like a cybersecurity mandate, but it builds better, stronger customer relationships. Like I will do business with companies that I believe are good stewards of my data and privacy. And I think that's because there's so many, you know...it's easy to kind of focus on consumer skepticism.

But on the flip side of that is, if you do security right, and you have proof points around it, like these are the things that our company does, that can be a competitive advantage for your company. Right?

So your consumers are faced with all these options, and more consumers than ever before are starting to factor security and privacy into choosing who they want to give their business to.

So, I think more and more, doing customer authentication in a secure way that eliminates fraud and communicating that to the customers ends up giving companies a leg up when they're trying to, you know, get their market share.

Richard

Thanks, Jing. Let's hear from Luis and then Heidi for me.

Luis

So, yeah. I think as you complete the acquisitions, you want to get every one of those employees active and productive and generating revenue. So I think it's important to pay attention to every one of those alerts and warnings and make sure that they feel welcome.

And, you know, you do want to hear from every one of those folks. So I want to make sure that my engineers are being friendly and listening to every one of those new folks and they welcome them. And, you know, we want everybody productive in generating revenue.

So, you know, friction is something that is not welcome. And if we can make a difference and make things a little friendlier for our folks, whether it's all folks or new folks, it's always good.

You know, we don't want customer attrition or employee attrition. You know, we want to keep them happy. I'm having trouble finding more folks. And so, we are trying to hire more and more folks. And we want to keep the good ones.

I've lost some. I'm not gonna keep them in jail, if they find the good gig, you know, more power to them. I still talk to them. I have some really good friends that have left because they found some good stuff. And, you know, again, I'm not going to keep them in jail. But if I find some more good ones, I'm going to bring them over here.

So those are my comments. Thank you for inviting me.

Richard

Well, thanks, Luis. Heidi, what about reducing fraud and account takeover as well, what are your thoughts on long-term customer retention?

Heidi

Yeah. I'm thinking a little more along the lines of like, sort of KYC things to avoid some of those things. And what I've learned is that I know that it's true that it does cause friction to put all these things in place. What I have actually done at previous companies was actually put in...gamification is like not quite the right word...but it is like you, basically, you put security methods with building value for customers.

So like actually give them something. If they give you something, another great practice is like give them something in return. So how can you actually build value? Is there some business thing that you can actually attach to that?

We did this at Remitly. And we also basically put in celebration moments when they unlocked keys to the kingdom. And that actually increased conversion. And like, from a loyalty perspective, customers were staying. And there's been some, like themes that I've heard that I think are really important that I totally agree with from a customer experience perspective.

Like making sure you talk about things that are transparent to the customer and not shock them. Don't speak in ways that, like all of these words we're talking about, the average human has no idea. Like, talk in, like, fifth grade level so they know and understand. And keep it simple. So just reminding us, like, keep it simple. It's really good. Customers do respond to that.

And, yeah, it's like this whole, like, Jing, you kind of said it earlier, too. And I've used those techniques as, basically, you put in, like change the conversation, not that you have to do this, like, "Hey, in order to protect you and your information, this is what we're asking for. And when you do this, this is what we're going to do in return."

And also, whenever a customer is in a bad scenario, I see a lot of companies do this. And it drives me up the wall. So like marketing emails will keep coming because no one's turned those off when there's like a bad breach or something happening. And now the customer is completely like on a different planet. Because now this like bad thing is happening. But you're telling me I need to log in, like you're promoting something.

So actually HelloFresh did an awesome, there was a case study on this. And I love this case study. Basically, if a customer got bad meat, and they had a bad experience, everything was shut down. So communication was shut down. The whole experience of customer log in was to fix the bad meat scenario.

So that like, I've literally used this with my teams, like we're doing the bad meat scenario where like, basically be thoughtful about what the customer needs to do right now and to guide them to fix a problem. And like you will keep their business because you're not distracting them with bells and whistles all over the place. And you're really seeing the customer for what they're going through. So those are some additional thoughts that I've learned along the way.

Richard

Thanks, Heidi. Thank you. We're about a quarter past the hour. So what I want to do next, because we're sort of pressed for time, I know, we could probably carry on talking for a good while longer. It's to just go round, and just get everyone's final thoughts or key takeaways. Just one quick thing. I just saw this of interest, actually, while it was what Luis said. On a previous roundtable, we were actually talking about the customer experience.

And there are two real things that really struck me and might be useful in this conversation. The first was that great customer experience looks easy, but it's really difficult to do and it's underpinned by customer identity.

The second thing, actually, is that if you have the great customer experience and the right tools, then it makes your employees a lot happier. Because then they can serve your customers so much more easily as well. And once again, this all starts from that basic foundation of great customer identity and great customer authentication.

And I just thought I'd share those additional thoughts with you guys. So if I can maybe start with you, Jerrold, what are your key takeaways from today's conversation?

Jerrold

My biggest takeaways are just that, right? Just that conversation you just had, you know. Because I come from an industry of customer service and background and retail, right? And so you have to understand, you know, in order to drive customers, you have to have something simplistic. It's just like, you know, hiding the same plain talk, right that plain talk.

In the army, we call it Barney level, right? You speak Barney level to the customers and they understand it a whole lot better, right, instead of speaking in complex terms for which, you know, we all may understand but everybody may not understand.

And, you know, you keep things also what we call simple, dumb, stupid, right? Hate to use those terms, but when you use that terminology, people are more apt to understand it a little more and get through things a little easier. You know, as a customer myself, I don't want anything complex for me to happen. So again, going back to what you say, it's exactly what you just said. It's easy to say, harder to implement.

Richard

Thanks, Jerrold. Luis, what are your key takeaways from today's conversation?

Luis

I guess, one of them is that you can't fix stupid. So you just have to keep your eyes and ears open and keep your data feeds. And it's one of the reasons why I like to attend these security invites. If I happen to have a few minutes free, which are not many, I love to visit and hear other opinions.

And I like to stay humble and remind myself that I don't know all the answers. And you guys do. So you guys are connected to all of the real customers. And I want to hear from the folks that are talking to real customers all the time. So I love connecting with real people.

And so I'm an investor. I'm a user. I am everything. So, and I don't have enough pennies. I don't have enough seconds in the day for all the things that I'm supposed to do. And that's why I'm listening to all of you guys. You guys teach me and I'm paying attention.

So you guys see me that I'm doing a gazillion things all at once. So I'm answering a question in Australia, I'm answering a question in Europe. So, but I'm paying attention to what you're saying. Because I have acquisitions going on. And security is very important to me. And I love it. So thank you for inviting me. I do have to jump to another call. And it's lovely meeting all of you.

Richard

Thank you, Luis. I appreciate you. Thank you. Peter, why don't you tell us what your key takeaways are for today?

Peter

I really liked the point about balancing risk and friction. And we'll take that back to my security partners about how we might be able to manage that a little bit better. I also, you know, it's a bit of a reminder as much as a takeaway, that where we do have friction and ask our users to authenticate, explain why, the purposes of the authentication so that they can appreciate the value of doing so.

Richard

All right. Thank you, Peter. Kevin, what are your key takeaways from today's conversation?

Kevin

The biggest takeaway is just the notion that I'll say the right kind of frictions or friction under the right circumstances or in the right places. All right, Jerrold. But seriously, you know, when utilized in a way that is expected, that friction can actually drive trust, and it can drive that retention because it helps increase the perception that we're being good stewards of our customers' data and our customers' privacy. So I think that's probably the number one takeaway for me.

Richard

Brilliant. Thank you, Kevin. Ali, what are your key takeaways for today?

Ali

Yeah, I tend to agree with, you know, the rest of my peers. It's a balancing act between friction and the customer experience. And we're probably never going to be able to eliminate friction completely. But there's ways to do it in a way that maybe it's not that painful, right? So like communicating why we have to do MFA, or what are the benefits of certain things, or communicating when a breach occurs, you know, what the ramifications of the breach are and what the scope of it is.

And I really like Heidi's idea about like gamifying some of this stuff like, "Hey, let's make this a game. Give them a badge if they complete their MFA process." And it's a pretty decent idea. That's definitely a good takeaway, at least for me. And I'm really thankful for that and also being a part of this conversation.

Richard

Brilliant. Thanks, Ali. And Heidi, what are your key takeaways from today's conversation?

Heidi

Yeah, I think what this conversation illustrates is that the stuff is never-ending. And it always has to be top of mind. It changes all the time. So that's number one for me. And I think it's a good reminder. Also, I love these sort of notions around dynamic authentication and adding friction where it makes sense. The context, I think, is so great.

And what a great like reminder of like really knowing our customers to make sure that we're not doing the same thing for everyone. We do it when it's right. We do it when we need to. So I think just as the whole notion around really dynamic authentication, I think is really important.

And then I think also we talked about, like making sure that products are really enabled to give the control to customers. So they can do that with end products without having extra layers of friction of talking to people, I think, making sure that we're developing those digital forms for our customers to go do that themselves. And self-service is awesome. And thank you, yeah, this conversation was really great.

Richard

Thanks, Heidi. Well, it's been great to have you all round the table. And we've been hugely fortunate to have Jing from Beyond Identity to really share with us some of her wisdom. Jing, do you have any final thoughts for the group, any final bits of advice?

Jing

Honestly, this is a really sophisticated group. Because, a lot of times, I still hear like, "Ah, is friction really that important?" Or, "You know, we want to just prevent all of this fraud."

But I think we covered a lot of ground, right, like friction is not the enemy. But be mindful about it. I think celebration moment, explaining the why, even like progressively onboarding users, just a little bit of sugar helps the authentication friction go down, you know. Keeping it simple, you know, by default. But like, I wouldn't be afraid of putting up some risk-based step-up speed bumps that help keep users safe.

And I think there's also a really good point to be made that when you kind of resolve the friction for users, some of the friction for your internal teams, like engineering and support, that might also go down because users aren't having to reset their passwords as often or at all. So the flip side of the coin of improving user experience is enabling more agility for your internal teams to build cool features and move the product, the company forward.

So that is my piece. This was a great conversation, y'all. You're awesome.

Richard

Oh, thanks, Jing. I appreciate that. Francesca, over to you.

Francesca

Thank you. And thank you all again for your time today. We've really appreciated all of your insights. Thank you to Richard for moderating. And again, thank you to Jing for bringing her insights as well.

As promised, I'm just going to quickly spotlight the illustration. This will all be sent to you. But as you can see, it just gives a really nice overview, sort of all the main discussion points. So thank you very much, Raquel, again, for that.

I'm just going to really quickly put up a six-question multiple choice poll. I'd really appreciate it if you all answer it; it's just so we can get some feedback on our session to ensure we can sort of improve going forward. It will only take a moment to complete. And once you've completed that, please feel free to drop off the call. And I hope you'll enjoy the rest of your day.


Richard

Great. Thanks, Francesca. Hey, everybody. How are you all doing today? My name is Richard Malach, and I'll be your moderator. I'll say a little bit about myself.

I've been a cybersecurity consultant for the last 30 years. I've worked in a variety of companies, from great big global enterprises to tiny little startups, in almost every sector you can imagine, from healthcare to government, oil and gas, financial services, gambling and gaming. I'm sure I've missed a few.

I'm currently with an airline at the moment. And we've been spending the last couple of years, while it's been a bit quiet, really fixing all our cyber snafus.

I'm really pleased to have our thought leader, Jing. So why don't you introduce yourself?

Jing

Yeah. Hi, folks. So my name is Jing; that's pronounced like "Jingle Bells" without the LE. So, currently, I lead product marketing for a passwordless customer authentication product at Beyond Identity.

So I've been pretty involved with the research, build, and go to market for this product. And I'm responsible for basically keeping a pulse on the market with proprietary analysts, third-party research, talking to security, engineering, product, even marketing roles at various companies.

You know, we're all long-suffering password users, mostly not by choice. And I think the problem is fairly complex. But I'm very passionate about solving this problem because it's a problem that's worth solving, right? Like cybersecurity authentication matters from a security, usability, privacy, as well as a digital accessibility perspective. So, really excited and looking forward to having this discussion with all of you.

Richard

Brilliant. Thanks, Jing. What I want to do, I want to just go round the table. If you can all say who you are, what you do, and really what's top of your mind, what you're really looking to get out of today's session. So why don't I start with you, Heidi?

Heidi

Awesome. Hi, I am Heidi Brown. I work for a company called Classy. We help nonprofits connect to donors. So we do fundraising. I am on day three. So I was previously at a company called Remitly that helps immigrants send money abroad, a remittance organization. I lead product design. So all about making beautiful products and making that experience great.

The things that I am interested to learn today, my mind was in somewhere different a couple of weeks ago, and so there's actually a couple things on my mind. One, in a world of B2B2C, what does that mean from someone logging in from that experience? Does the consumer side think they should have the same experience as on the business side? And if that works across many different companies, how would that customer actually like have this experience in logging in?

I feel like I'm not saying this very succinctly. But I think, generally speaking, when these headlines about the friction that login has with customers, I have actually learned in my history that, sometimes, like from an e-commerce standpoint, you don't need that friction. And in other cases, like a remittance organization, you do need that. If you're giving payment information, like, what does that mean? So customers actually have a higher level of expectation from a security standpoint.

So I want to learn. And I'm happy to share. I've worked in many sectors as well, so I'm happy to share some learnings that I've had along the way.

Richard

That's amazing. Thanks, Heidi. Ali, why don't you tell us a bit about yourself? And what's top of your mind?

Ali

Hey, everyone. My name is Ali Somani. I'm here on behalf of, I work for a company called RealPage. And actually, Erik Dahl was supposed to be here, but he couldn't make it tonight, so I attended.

And mostly I'd like to just learn what kind of problems my peers are facing. Maybe if there's something I am facing that's a problem, I'm facing that's similar, I can help or vice versa.

So I don't really have anything specific, a specific agenda in mind. But I will mention that most recently, Erik and I have been working on looking into like zero trust policy and the kinds of changes we'll need to make to adopt that. So that's really a very broad subject, but I just started throwing it out there.

Richard

Brilliant. Thanks, Ali. Kevin, great to see you again. Why don't you introduce yourself and what's top of your mind?

Kevin

Absolutely. Good to see you too, Richard. So my name is Kevin Wade. I am a senior manager in Lowe's Home Improvement working on our cybersecurity risk tools portfolio, which is kind of a broad catch-all portfolio. But in my time, my eight years here at Lowe's, I've been through payments. I've been through identity. I've been through corp, admin, legal. And now, I'm in this spot I'm in, you know, leading a fantastic team.

I think for Lowe's, in general, the biggest concern we have that really dovetails well with this subject is basically looking at the cases of fraud. So customer fraud, hijacked accounts, things along those lines. Online has become such a huge vector for fraud. I think that's probably one of the biggest interests that I have in today's discussion.

Richard

Brilliant. Thanks, Kevin. Linh, if I've pronounced that correctly, why don't you tell us a bit about yourself?

Linh

Yes, I am Linh Calhoun. I am with Replacements, Ltd. And I am listening to everyone introduce themselves. And my perspective will be more specific, perhaps, to the customer experience and hearing more about the technology side related to, how do you better support or what tools there are to support?

We are B2C. And as Kevin just previously mentioned, the fraud component online piece, the security, and how do we continue to think about the authentication we will need to partner with some of the third-party connectors we have to our website over time. So really also probably here more to learn and understand and observe.

Richard

Brilliant. Thanks, Linh. Peter, why don't you tell us a bit about yourself and what's top of your mind?

Peter

Hi, I'm Peter Fisher. I work for an education publisher software company called Pearson. It's a very large company. I head up a group for an online courseware application. And I'm very interested in this topic because we need to balance concerns of data privacy and security against interactivity and ease of use. So interested in how we might improve our offering those with.

Richard

Brilliant. Thanks, Peter. Luis, would you like to introduce yourself?

Luis

Sure. Luis Ossorio. I manage IT and security for a global company called FROSCH. We've got staff in every continent and I'm always interested in everything that has to do with security, and so I love to learn from you guys.

Richard

Great, thanks, Luis. Finally, Jerrold, tell us a bit about yourself and what are you looking to get out of today?

Jerrold

Previously the director of technology and security and surveillance for a company called Jushi Holdings, which is a marijuana company. So the challenges with that, as well as it's an all-cash industry and trying to get folks to understand about those compliance rules that you have to put in place. And, you know, they're kind of freewheeling with it. And it's a challenge to try to get those folks to understand.

So I'm trying to get some more tools and knowledge to understand what it is that I don't know, what it is that I can implement, or what it is that I can take from you guys, what you can learn from me as well.

Richard

Brilliant. Thanks, Jerrold. All right. Well, really great to have you all. Before we get started, just want to remind everybody, it's like even though we're miles and thousands of miles apart, we're having a friendly discussion, friendly round table, everyone's got a thing to say, I'll try and make sure everybody has equal say.

If you've got something to say, either take yourself off mute, raise your virtual hand, drop me a chat, or even do the old...which, surprising enough, I'm actually really good at spotting. So without further ado, let's go to Jing, who's going to set the scene for the day's conversation.

Jing

Yeah, I feel like those intros were really good scene setting. So customer authentication, right, it's the front door to your products. And if we follow that analogy, the front door is supposed to keep the bad guys out and the pests out, but also let the right people in.

It's one of the first interactions that a customer will have with your product, which makes it a high value target for attackers. And where users go, attackers will follow. So as users are moving online, we're seeing just an incredible increase in attacks.

So I think, you know, the stakes for getting it right are very high. But then again, when we say right, that implies that there's a less correct way of doing this.

And, you know, before we even dive into, like, what's the ideal customer experience? Like, that question comes on the heels of, there's something today that is a problem. There's something today that we're all struggling with as consumers and in our professional lives. And, you know, a lot of you have mentioned the friction aspect and usability aspect and balancing that with fraud.

So just given the criticality of the customer experience, let's start from there and just talk through, you know, what frustrates customers about authentication, if that sounds good?

Jerrold

I think the layers, so many layers to kind of get through, right? So I've come from the background of Disney, too. So Disney and their whole authentication process and trying to get through their layers, of the customer getting to the product, right, and so many layers.

Customers want to kind of move around freely is what I've learned through my years at Disney. They just want to move around freely and try and get to the product, get the product, and move away, right? But if we put in so many layers, customers are more apt to go to another website, or go somewhere else, or find a product somewhere else.

And somehow, Disney architects have found a way to kind of keep those customers on the page, whether it be, I don't know, some princess dancing across the screen, or whatever it may be. But Disney has found a way to kind of keep those customers alive and thriving, whatever it is that they do.

But I think the biggest thing is so many layers for them to get to what it is that they need. I think that's what any customer, even when you walk into a store, "I don't want so many layers to get to what it is that I'm trying to do."

Richard

Thanks, Jerrold. Heidi.

Heidi

Yeah. I'll add on to what you just said, Jerrold, because I agree with the layers. So when I think about like things that I have learned from customers I have served, so often we do double verification, whether it's MFA, whether it's, you need to provide your email twice, and then you go to your email to verify.

I mean, that's friction right there. Because a customer has to leave the platform that they were just on. And maybe you get them back, and maybe you don't, so that does hurt business.

And then if you don't do that, then we have issues of not keeping the pests out, as you said, Jing. And then we can also have challenges of, let's say, they have their password wrong. Maybe they like, fat fingered their email when they typed it in. So we don't even have their credentials, right? So I feel like there's such tension in what businesses need to do this right and what customers want.

The other thing that I have also seen is that in some scenarios and some businesses, and we have this at Remitly and we do have this at Classy, is that people share accounts. So now what does that mean?

So, you know, and then what if, let's say at Remitly, customers were like five different members in a household were sharing the same account, one person had a different payment method. But those payment methods were attached to the original customer. And so what is attached to that authentication was not necessarily what the customer really wanted.

Richard

Oh, I can see that. Kevin, you're nodding along, what are your thoughts?

Kevin

I think for us being in the home improvement industry, it's an interesting problem that we have in this area, I would think, is we have, not every customer is the same, right? If we look at it, kind of two broad categories, if we break it down a little further.

But for this discussion, I think you can look at your normal average consumer. So do-it-for me or do-it-yourself type consumer who is maybe just going out and buying a refrigerator or an appliance or, you know, some lumber for a backyard project or something along those lines.

Then we have the pro customers. And the pro customers are in a completely different scale and a completely different, you know, "I'm gonna go out and buy 24 washers and dryers at a time" for these vast projects that they have.

And they have very different needs. They have very different wants. At the end of the day, they all want it to be simple and easy for things not to get in their way. But it does make it very challenging because we have two completely different scales of what they want out of their buying experience, you know.

Where your average consumer may be, "My payment details, and my shipping address should match." For the pro, that's not always the case, right? You know, they don't want this massive order to all be delivered to their house or to their place of business. They're gonna want it delivered to the job site. So that suddenly introduces a whole new complication when it comes to any sort of online buying behavior.

Richard

Good. I'm gonna go to Jing, then I'm gonna go to Linh, if I may. Jing.

Jing

Yeah. So, authentication. Like, I hear a lot about, you know, people say, "Oh, visitors come through my website. I see all that traffic. And then I can literally see on the graph where people just drop off a steep cliff because they hit a registration page." And just to put some numbers to that, right, like 67% drops off at account creation, just due to password requirements.

But authentication doesn't stop at registration. It spans the entire customer lifecycle. You know, you have your initial acquisition and registration. You have ongoing engagement at login and retention or recovery. And each of those steps ends up being a friction point for users. And anytime there's friction in the user experience, users typically respond to that by saying, "Oh, I give up" or "I'll try again another day."

I think the reason there's been so much just research around that initial registration piece is, once you lose a customer at a first impression, you might never get them back. If they drop off at login, maybe they'll come back and try to recover another day.

But if you lose at registration, they might go to a competitor or just kind of give up on the project altogether. So authentication spans the entire lifecycle. It's critical. And anytime there's friction in the experience, people tend to drop off.

At the same time, I don't want to just take friction as public enemy number one, right? I think there's a way that friction can be leveraged, right? So there's a sense in which, like, if you ask me for a two-factor authentication or verification, I expect that from my bank account. The risk levels for that action are different.

So if we can get to a place where authentication can be risk based, right? So risk can look different for different industries, with different customers, like Kevin mentioned, and it can look different for what they're attempting to do.

If I'm just trying to browse an e-commerce website, a lot of e-commerce websites will have anonymous browsing. That's totally fine. If I log into my account to make a purchase, there might be guest checkouts, right? And these are the ways that different industries have sort of calibrated to balance friction and usability.

But if I'm trying to go in there and change my account information, get the credit card information, that is a very high-risk action. And if you give me a two-step, that actually makes me feel safer. So I personally don't think friction is public enemy number one. I think when you can get to a place where friction can be strategically leveraged based on risk levels and trust levels within the account, I think that actually is a really good user experience.

And then, the account sharing. But the account sharing piece is also really interesting, right? Account sharing happens all the time. Like, the media companies really struggle with this. I don't even know how many people I have on my Netflix account anymore. Whoops.

Richard

Share prices are tanking because of this.

Jing

Sorry. It's all my fault. But it's an interesting question, right? Because some business models actually do well with an account sharing model. But not having limitations on that is progress and different payment methods attached with different customers, it's also a really interesting question. So I don't have a decisive answer there. But I do think that's a really interesting point to kind of earmark in the conversation.

Richard

Great. Thanks, Jing. Linh, over to you.

Linh

I find this conversation very interesting, because the thing I think about is, I appreciate the reference to leveraging the friction component and to me, what made... This may be very elementary, so please excuse this. But it just makes me wonder, how do you best educate that consumer as to the benefits?

Like it seems like it would be intuitive and understood as to why we are creating these levels of authentication. But sometimes, it's not. And I don't know if it's a demographic and age, which could be me just saying that and/or the user type, how can we think through, because what happens for us is account setup, forget your password, you need to call us, create that friction.

But we can engage with the customer then through conversation, which provides an opportunity, but it is frustrating, and it takes more time. I'm not sure if any of that makes sense. But just thinking through how can we best educate, I guess?

Richard

Yeah. Luis, have you any thoughts? I go to Luis, Peter, then Ali.

Luis

Sure. So risk is something that I'm always looking at. And this conversation brought flashbacks from a prior lifetime. So I always try to use technology to make things friendly to my users. So I turned on SSO very quickly to many of the systems that we use, and all of our users around the world very quickly.

So single sign on is probably the friendliest thing that our population of users will find. And it's probably the thing that will keep frustrations at bay. But risk is something that we all need to analyze. And the human is the weakest link in our security world. So I'm always looking to have more layers of security in my security onion, more, more, more layers. As one gets penetrated, I want to make sure that I have the next one ready to keep our security world.

In an older life, I had to deal with a lot more fraud and risk analysis. And we had additional pieces of information, such as the product code. So when Kevin was talking about his washer and dryer customer, and instead of buying 1, buying 20, so I could be that one customer but I could also be that same customer as an investor that owns a complex with 20 doors or 40 doors, so 120-apartment complexes, and which is a real-life scenario. I happen to be, you know, maybe both.

And so, the product code is something that you can drop in a little bit of extra information into the transaction. So in this prior life, I had to authorize that transaction that came to my host.

So if that information was in there, then I had to deal with, is this a stereo? Or is this a piece of gum that has been bought at a retail store? And what time during the day was this transaction completed? What zip code did this transaction come from?

So there's a lot of information that you can gather. And depending on who the customer is and where it came from, you can extrapolate additional information, associate that with risk. So, security, as you guys can tell, it's something that's very, very interesting to me. And I'm always wanting to learn from you guys, the experts. Thanks.

Richard

Thanks, Luis. Thank you. Peter.

Peter

Hi. Okay. So our products have elements of some of the others' challenges, but our products are usually a supplement to a student's life. And they, while we want them to log in frequently, they don't always. And single sign on goes a long way. But we also allow them to use our products with both computers as well as mobile devices.

And so a big driver, a big support cost for us is forgot password, even though we have, frankly, really good user flows for resetting passwords and even being able to send them via text, the ability to reset their password. We're not quite there in terms of ease of use, where I think we need to be.

And so, you know, passwordless authentication is interesting. And I understand that, you know, balancing the type of risk with the rigor of the authentication process, I think, we also have additional internal challenges of what authenticated users might be able to do that we need to deal with. But I'm intrigued by the idea of passwordless authentication.

Richard

All right. Thanks, Peter. Ali.

Ali

So, I agree with Peter and Luis when they were talking about SSO. Specifically within my company, we're actually a company of acquisitions. And we've made a lot of acquisitions over the last decade or two. And so, we haven't done, historically, a great job at integrating all of these acquisitions.

So we're a company of companies, and sometimes what it feels like, and so when customers buy multiple products, previously, there was a lot of friction from one product to another, whether they have to, essentially, re-log in every time. We've since solved that problem with SSO.

And we also support federating with external identity providers. And to give you a background, we sell software to apartment management companies. So they might be a company that buys multiple apartment complexes, and he may need to log in to manage them or do certain kinds of activities based on the product they've bought.

And so one of the things we support is SSO with an existing provider that they already have. So new customers wouldn't necessarily need to have their own username and password for RealPage products. They can just use whatever they're used to. And that kind of leaves the boat in their password, forgetting a password, recovering the password, password complexity, whether or not we need to enforce MFA outside to something that our customers are used to dealing with.

Or if they decide to use our solution for that, that's also fine. But it kind of gives them a little bit more control. So it's all a matter of balancing risk with, you know, the friction that we've been talking about. We allow our customers to kind of decide that, up to a certain extent, we don't want it to be wide open where you can't just not have a password at all either.

Richard

All right. Jing.

Jing

Yeah, I love that part about no passwords. We really want to get rid of friction, let's get rid of the password, but not in the way you imagined.

Richard

So why is it such a dangerous expression, passwordless?

Jing

It really is. It's like, "We'll just get rid of the password." Everyone, come one, come all.

So I want to go back to the point about, you know, like, how do you educate users around this, right? Because engaging with users is really important. And unlike employees, you have no control over the end user of consumer products and services. I think there are three primary ways that I'm seeing companies do this.

One is they're just trying to enable within their product, transparent access and control, right? So that could be a centralized control center for users where they can manage trusted devices, privacy and consent settings, and data sharing permissions, all of those good things. Because transparency and control are kind of the antidote to privacy concerns.

And I think in doing that and having that sort of sell sort of functionality in products actually starts enabling end users to empower themselves around their own digital security and privacy. I think, you know, hand in hand with that... So that's the first way like transferring access and control in user-friendly language accessible within the product.

I think the second thing that goes along with that is habit formation. So, you know, maybe every month, giving them an in-app cue that says, "Hey, you haven't checked your trusted devices in quite a while. Like, do you want to take a look?" That they can easily dismiss.

But for, you know, very security-savvy people, you know, that kind of reminder is typically very well received. And for less security-oriented folks, that habit of actually being cued up to kind of check their security posture helps them get in the mindset of, "I have some semblance of control over my identity and security."

And I think the third thing is, as companies and as people who care about this problem, I think, we need to start thinking about how we can start shifting the burden of security from humans to technology. Taking the load off of end users is really important. And it turns out, there is technology out there today that can sort of mitigate some of the risks that come with passwords and just kind of human errors around there.

We're really prone to phishing, the social engineering schemes work really well. And that means not only can the password be phished. MFA can be phished, right? Notification flooding, they send thousands of notifications to your phone. What do people do? They just click it, and then they're in. And that's a really common attack pattern. Or credential stuffing, where previously breached passwords, you know, it happens to all of us, and we reuse passwords.

So how do we start, you know, shifting the burden, right? Personally, I think, you know, our modern devices have come with, you know, local device biometrics that are never transferred over into a cloud. There's proven security protocols like TLS, which secure trillions in transactions daily. And all of our devices have secure enclaves, right? That's the TPM, the hardware part of the device.

There's actually a really interesting lawsuit in the United States where the FBI said to Apple, like, "Hey, like, we need to get into this criminal's phone." And Apple said, "No can do. Like, the TPM is what it is, we cannot crack it." So the FBI went to some external firm to try to do that.

The point being, right, there's mechanisms within our devices today that mostly everyone owns that can help organizations move away from authentication with shared secrets and move towards kind of a passwordless world facilitated with local biometrics, asymmetric cryptography.

So to kind of wrap up that thought, right, you want to empower the end users, you want to build these good cybersecurity habits, and sort of in parallel, think about, like, what are the technologies that are available today to really shift the burden from an individual basis, and onto things that have been proven to be secure and work in our current digital infrastructure?

Richard

All right. For me, in the interim, I mean, this is exactly where we want to get to. But for me, in the interim, not having, "Oh, which passwords have got complex passwords, which password stuff to have this extra character, all these characters." And it all seems, sometimes meaningless. Because, really, as we all know, if we have to use passwords, it's length, not complexity, that really... So let's make it easy for everyone.

Anyway, as we move on to our next topic, you know, we really want to understand here how you guys think we can balance friction versus security when evaluating customer authentication solutions, such as MFA? Can I start with you, Kevin?

Kevin

So, I'm actually, I'm gonna go in a slightly different direction real quick. I think this is interesting. And the idea of customer friction is extremely important, you know, obviously.

But to us, there's another component here of the friction equation, and that is internal teams having to track down and deal with potentially hijacked customer accounts trying to protect our customers on their behalf. And that eats a ton of man-hours from teams that don't have a ton of hours to spend, just tracking down these sorts of things.

So one of the things that my team is actually in the process of working on right now is taking because, of course, our customer, you know, credential database is completely separate from our employee database, right? You know, you want those things to be separate. Please. Hopefully.

But if the algorithms that have been set up for the e-commerce site, for the omnichannel site, if it detects some sort of fraudulent activity, rather than sending an alert to a team to do something on behalf of, you know, trying to determine, "Do I lock this account? Do I notify the customer? Like, how do I deal with this?" We're completely taking that part of internal or employee or security operations friction out of the picture, by automating those alerts, sending them to our automation tool that our SOC utilizes for any sorts of alerts throughout the entire business.

And that tool is actually going to automatically lock the customer's account and send the customer an email saying, "Hey, we saw something kind of weird. If this was you, you know, don't worry, just click this link to reset your password."

So we're actually looking to automate away some of that internal friction, that, you know, where our internal teams just have these mountains of... Like, our volume is ridiculous. You know, we got close to half a million employees. If you look at the volume that we do, it's insane. There just isn't enough time in the day to actively chase down every single alert that we get.

So we're looking to automate some of these things to try and keep our customers safe. Sometimes, despite themselves, you know, for the customers who have, "I use the same password on every single website that I log into." These bad security habits.

But to at least try to keep their information, their payment information, their payment sources, all these sorts of things safe, sometimes, despite themselves. So that's kind of the journey that we're going down right now.

Richard

I can see Luis wanting to say something. And also, I think Jerrold has got something to say. Go on, Luis.

Luis

Yeah, I think that's a pretty bad idea using the same password. So we provide guidance to our population of users. And so, I have my engineers build little, well, I guess, articles, solutions, tips and tricks to send. And that's a big no-no. And we automate everything possible.

So when Kevin was talking about having a lot of users, and a lot of requests, and not enough staff, okay, that's all of us. You know, we don't have enough staff. And we don't have enough pennies to go chase every one of those things. But we do have some artificial intelligence, some ML, machine language. And those things are being a little more effective today.

So let's make use of those tools. So those things are being a little more impactful today. And there's these guys up in Redmond that are pushing Power Automate. Those actually are getting a little friendlier.

So I've spent some time with Microsoft and building some things. And my engineers are doing more things with Power Automate than Power Apps. And those are included with the E3 and E1 type of licensing. So I'm doing more of that. And I'm pushing all of my security logs into Sentinel.

So I'm consuming a lot of Microsoft and I give them a lot of money, but I'm getting a little more intel. So my queries out of Sentinel are now producing a little more intelligence. And yeah, but when Kevin said using the same password that part of yours, it's like, okay, we can't fix stupid. But that one, I think we can. Sorry.

Richard

Oh, that's okay. Luis. Jerrold.

Jerrold

Yeah, I definitely agree with Kevin that using the same password is sometimes it's the craziest thing. But I know, at some point, all of us have done it, right? When I have not that understanding that, you know, this is really bad.

And I think also there's a separation when it comes to... Customers want protection, let's not think that they don't want that protection because they absolutely do. But where they want protection is the thing that we need to figure out, right? So there's a separation. There's a separation between my personal information, my credit card information, all of that, my date of birth and all that information, they want protection on that stuff. They absolutely do.

But when it comes to e-commerce and me wanting to just purchase a product, somehow there has to be a separation of the two because they really want to just move around, log in, and get their things and move on, right, into the next page. And like, you know, most customers get to that page. And then when they get to authenticate and do something else, they absolutely fall off.

I do it all the time, right? I fall completely off the page, and I find somewhere else to find my product, or either I'll just walk in the store and get it although I don't want to. I want to stay online and purchase it online.

But the separation of the two, between my personal information, credit card information, and all of that information, customers will do all type of authentications to make sure, and they are okay with that. But they will do it simply because, "This is my personal information. I don't want anybody else to have it. So whatever it is that it takes for me to authenticate myself, I'm okay with it."

But when it comes to me buying a pair of socks online, I do not want to go through seven authentications right to try and get a pair of socks. So I think there is some type of separation of the two. So we have to figure out what that fine line is.

Richard

Thanks, Jerrold. So, I'm gonna go to Linh because I thought I saw her flash her hand in the air very briefly. And then we'll go over to Jing. No, Linh? So just go straight to Jing. Okay.

Jing

Yeah. I think a lot of this comes around, you know, the self-remediation aspects of the customer experience. You know, when they can fix their problems themselves, it takes a load off of your support teams and your engineers.

And, you know, like, customer support. I hear a lot of companies just say they spend most of their time dealing with password resets. And that's, you know, part of the reality of the world today. I think when it comes to self-remediation, you can have FAQs that are accessible, you know, automating like I think someone said, I think it was Luis who said, you know, engineering-contributed FAQs. I think those help articles are really important.

And also, an idea to make those help articles accessible without mandating authentication, right? Like, "If you need to reset your password, here are your steps." If you require that I'm logged in to see your help article about how to reset my password, suddenly, I can't self-remediate that.

I think another really interesting thing to consider is dynamic risk-based policies, right? All applications consume a ton of risk signals and those risk signals, what I hear most frequently is, "I'm a CISO at a company and I'm sitting on a load of risk signals. And there's nothing I can do about them. I can kind of look back at them and see if fraud is happening, if you know there's a security risk here and there." But it's not a preventative thing, right, it's going backwards and retroactively trying to identify risk and dealing with it.

So I think really exciting advancements in risk-based authentication gather real-time risk signals from the device that is attempting to authenticate. And using those risk signals to kind of inform step-up authentication.

So Impossible Travel is a really good example of this. If I'm logging in from a location that is physically, that I don't see very frequently. For instance, I'm logging in from Turkey. And, you know, the application knows that I'm not in Turkey.

That's an opportunity where you can say, "Hey, like, can you give me your biometrics? Like, I just need to verify that you're actually attempting this." So geolocation can be a really good risk signal for that.

There's another one that's interesting for security verticals, which is jailbroken status. So if your device is jailbroken, it's much more likely to have malware running on it. And, you know, it's inconspicuous, and it's not the user's fault.

But there are companies out there, specifically in the FinTech space, even more specifically in the cryptocurrency space, because people really don't want their crypto accounts to be hacked, who say, "Hey, like, if you're using a jailbroken device, I'm going to need you to give me your biometric verification." Or, "Don't log in from this device, like go to the web app, or until I have a trusted device, you can't gain access to this account."

Like if you're doing Impossible Travel, like logging in from New York, and then two minutes later logging in from Beijing, like, that's impossible. We're gonna block that. Or you can say, "A jailbroken device, if you're really sure, I'm gonna give you a caution sign, you're gonna give me a biometric. So you're making an informed choice."

I think those are all really good ways to kind of inform the user, empower them. And also give them a little bit of a speed bump in the road to say, "Hey, like, are you sure?"

Richard

Good advice, Jing. I'll get to Heidi next, if I can. We're talking about balancing friction and security when evaluating authentication solutions.

Heidi

Yeah. So the one thing I am thinking about right now. Okay. So when it comes to like devices, I feel like there's so much more that we're able to do on our phone. Like, there's so many more things to tap into to really know the user.

What I have also seen is like, for many companies, including the one I'm working for now, a lot of our customers are in desktop. And desktop, I think, there's more challenges at times with desktop. But, actually, I'm not sure if, like, maybe I am naïve to that. And maybe there's been more progress there.

But I think from a desktop-specific standpoint, I've seen more challenges from account takeovers more than mobile because there are... So I'd love to learn from... I don't have any comments other than questions around devices. And specifically, what can companies do on desktop to really make sure that we're letting the right customers in and adding those speed bumps, I like the way you said that, for the customers, that maybe they're not the customer?

Richard

Ali, how do you guys deal with this? Because you cover a whole bunch of companies which you bring together?

Ali

Yeah. I think some of the existing guidance is similar to what we do as well. We have also employee versus customer-type authentication, and the rules and specifications are different for each and they are tunable. Right, so we can change it according to whatever the use case may be.

But specifically, for internal, and I've seen this as well, is we have tools that we leverage. I'm not familiar which tools they are, because I'm not part of the InfoSec team, but that use AI to use location-based information like IP address and your locale and, you know, other mechanisms on Reddit, like browser fingerprinting and things of that sort to be able to identify, you know, "This is maybe a device that's in the right place, but I haven't seen it before." Or, "This is the right device, but why is it in New York now when 10 minutes ago, it was, say, in Dallas."

So I think that using data and AI is probably kind of the way to go, maybe going forward. And without necessarily having to increase headcount and doing any kind of manual interactions. And there's a plethora of tools out there that can be leveraged for that.

Richard

Thanks, Ali.

Luis

Let me add a comment to that. The VPNs, depending on where the user is, and my company has users all over the world. And they really do go all over the world. So we do send those messages. "Hey, are you in Paris?" "Yes, we are." "Are you in South Africa?" "Yes, we are."

So depending on where they are, because we see logins... I happen to be in Houston, we see them in that country, and then we see them in Houston because of a VPN software. We might be able to see two logins, in the U.S. and in that country, very close to one another. So it really depends on that particular user and the software that they have to be using for anonymity or security. So that's the one exception.

But depending on what security client you have, we have like Falcon from CrowdStrike. Then that brings the second piece that will keep you secure. So AI will come back to the rescue and keep you safe.

So there are some ratings that I pay attention to. And that is, the client will give you a little bit of extra information, and Spotlight also tells you, is this a common thing or is it a rare occurrence? And what is the rating of the risk? So those are two of the things that I look at. Thanks.

Richard

All right. Thanks, Luis. If I can maybe go to Peter, and then over to Jing, please.

Peter

I'm thinking about the risk profile and versus our needs. And other than a subset of our users who we don't want to give access to some part of our public offering, the risk is actually kind of low for our users. It's more about, basically, protecting their scores, and the risk of their scores being, you know, hacked and released is much more of a public relations issue for us, versus some student who does poorly on an exam. Nobody really, other than that student and their school really cares.

Part of the risk factor is, if we were to get, you know, hacked or infiltrated, it's more of a public relations issue. And then it comes down to, you know, when that happens, what measures did we take to prevent it? And what's reasonable?

So it's balancing the public relations of a breach, as well as the user. The data that we have about users, which really isn't all that interesting. It's just people love to point out our flaws.

Jing

Yeah, I think the public relations piece is pretty important, right? There was interesting research from Ponemon Research Institute, I think it was back in 2020, that said, "Publicly-traded companies experience an average stock price decline of 5%, immediately following disclosure of breaches."

And then afterwards, they experienced a lot of issue with like, acquisition, because the longtail of that breach is kind of a loss of trust in the marketplace, which is bad for business. That's the one thing I'll say about that, like, reputation is pretty important, especially when I think every industry has just an incredible amount of competition nowadays.

And the other thing I'll say is, on the mobile versus web experience piece, this is interesting, because I hear this sentiment a lot. Actually, you know, people tell me, mobile experiences are better because we can actually do more device fingerprinting, device identification on mobile. So we put more trust on the app on the phone. Also, because they can verify possession, right? Give me your biometric, your local pin, and I can sort of understand that you own or can access authentication into this phone. So I do hear that a lot.

At the same time, all is not lost on the web front. I think there are two technologies, or standards, that I think are really interesting on the web. So there is Web Crypto, and WebAuthn. I think so, both of those allow you to eliminate the password and instead rely on public/private key pairing.

The difference is just like why WebAuthn is associated with FIDO. It leverages hardware TPM. Web Crypto uses a software TPM, and it runs in the context of the browser. And I think what that allows you to do is, one, you know, you can eliminate the password. Instead of the password, you're using cryptography that can verify the user's identity with much stronger trust.

Also, while there are browser limitations on the web, so you can't do device fingerprinting as exactly as you can maybe on a mobile device. There are some risk signals that you can maybe look at, including browser version, operating system, IP address. If it's a known sort of bad actor acting from a known bad IP address, there's a proper term for it, I'm just forgetting it now, VPN-enabled status.

So there are some risk signals that you can gather from the browser. It may be less robust. But for a lot of use cases, it is enough to kind of mitigate a huge amount of the risk. And, again, I think FIDO is pretty widely supported as a standard now. So that's one direction to look at, if you're trying to kind of reduce the risk in a sort of desktop web context.

And, you know, if you have a mobile device, and you want to restrict some high-risk actions to just a mobile device where you have better control and visibility. There's an argument to be made for, you know, these features, or these capabilities are only accessible on the mobile device, please go and download it from the App Store. So those are my thoughts on the conversation so far.

Linh

Can I ask a question? I'm curious. Did you say mobile apps could help provide some level of security? Or you would approach that, the security around an app differently than if you had your website being accessed via mobile?

Jing

So the website being accessed via mobile, so that's the mobile browser. I'm specifically talking about native mobile applications where you can pull some more information about that exact device in the web context on a desktop.

So we go to website, www., whatever. A lot of companies, those web apps are limited by browser limitations. That browser is not necessarily interacting with the device itself. It's kind of an enclosed environment. So that is kind of the way in which you'd have better device identification and fingerprinting on a native mobile experience versus a web browser experience, because you're necessarily sort of limited by that browser playground, for lack of a better word.

Richard

Sorry. I put my mic on mute while I was pouring myself a glass of water. I didn't want to interrupt the conversation. Right. So we're kind of onto our final topic of discussion, why reducing fraud and account takeover builds long-term customer retention? Perhaps we could start with you, Ali. Well, what are your thoughts from your organization?

Ali

I think it comes down, a little bit. One aspect of it would be what Peter mentioned earlier, and that's the PR aspect of it, right? If you have a breach or you recorded a data breach, or somebody said you had a breach in the public domain, that impacts your ability to retain a certain type of customer, which may be a large group of customers, depending on the product.

But I would just like speak personally, whenever there's some kind of breach for a company that I use, a product that I use. I get a little nervous. I start looking for a competitor, or at least do some kind of analysis and figure out, could this have impacted me or should I be worried? And yeah, so I think the PR aspect of it is pretty critical.

Richard

Thanks, Ali. Kevin, what are your thoughts? Then we'll go to Peter. Sorry, Peter.

Kevin

I completely agree. And being in the retail space, you know, we've seen, you know, the Target breach was a pretty big hit for their bottom line for a while. I know they lost market share during that period. It was not good.

And then, the flip side of that is, our main competitor, who shall remain nameless, you know, it seems like they were made out of Teflon when they got hit because I think that news cycle just happened to be focused somewhere else when that occurred. So you're really rolling the dice.

But I think the costs of a breach have just continued to go up and up. You know, and that's brand damage, that's potential liability that you're paying out. I mean, hell, cyber insurance premiums are going up, you know. You're getting hit from multiple angles. And it's just way too big of a risk because if you lose that trust or that confidence that the public places in you as an institution, then that's hard to win back, especially with individuals.

And if you're dealing with a space where your customer base maybe isn't as technical, that makes those risks even higher because they just hear breach, and regardless of what the actual facts are, it can be just a PR nightmare for those who maybe aren't very, you know, deep into the technical aspects of cyber, which most of the public are. Let's be honest.

Peter

This actually is an acquisition, a customer acquisition topic too, because, you know, we have B2C products, as well as B2B products. And in the B2B products, we are frequently asked by public universities and school districts to answer a pretty lengthy RFP questionnaire, which includes questions about what our security practices are, and how do we authenticate users? And do we follow different standards to do it?

So there is an aspect of, we put things in place so that we can tell our customers, "Yeah, we're the most secure in the market."

Richard

I'll tell you what. Well, let's go to Jerrold, then we'll go to Jing.

Jerrold

Yeah, this part is a real learning aspect to me because, you know, me being in a cannabis industry. You know, most of my issues come from, you know, information data. And then, you know, the pharmaceutical, you know, the Virginia State Board of Pharmacy governs what we do. So it is governed by the federal government. So, and it is medicinal here in the state of Virginia.

So the complications of that information getting out is...and then we violate HIPAA laws and all kinds of... It gets so legally complicated when that information from where my perspective is, is trying to get these guys and educate these guys before we get on that platform of cyber and all of that information being released, trying to get them to understand the ramifications of it with the publicity of it.

That gets way out of control from my perspective and me trying to get these guys to understand that this gets way more complicated, especially when we're talking about pharmaceuticals, we're talking about HIPAA, then we're talking about putting some implementations in place for cyber. And we don't have all the protocols around it and trying to get them to understand that, "Listen, this could be a PR nightmare for a cannabis industry who has just gotten started." This industry, right so the cannabis industry is still fairly brand new. Right?

I want to say this without it being so loose. There are no real protocols and laws around cannabis in that way. As you can see, because there are many states that still have them legal, right? But that's because they haven't figured out what the "retail" portion is going to be. And so it gets a little more complicated.

What can we say? That the cyber portion, it is so mucky. And they don't quite understand what the ramifications might be. So for me, I'm learning a whole lot of information and understanding what some of this stuff is, and it is absolutely complicated because you have a lot of people that don't understand.

And, for the most part, we all understand that security takes money away from an organization. It does not bring you any money. So then there's that part, too.

Richard

You know, some security is expensive. Jing.

Jing

Okay. I had a thought. And then Jerrold said his piece. And now, I have more thoughts. So, right, security is seen as a cost center. But you know what? When you do customer authentication right, it drives revenue.

Like just picture a world where there's less friction or minimal friction at registration, login, and recovery. Suddenly, your conversion rates are going up. You're acquiring more users. You're engaging more users and you're retaining them. And all of those metrics are metrics that businesses live and die by.

So I think what's really exciting about customer authentication is not just the opportunity to mitigate risk. But to have the opportunity that once you do it right and do it right by your customers and your company, it actually moves the needle forward in terms of revenue.

And that's why I personally think customer authentication is so interesting, compared to, you know, like employee authentication. Employee authentication is also so complicated with, you know, your EDRs, MDRs, and SSOs, and VPOs, and that tech stack. Anyway, so let's... Oh, go ahead.

Jerrold

For the record, I'm gonna use that.

Jing

Yeah. No, take that, and make your argument for why companies need to invest in customer authentication. Like, you want to see your conversion rates come up.

There was one time, I was talking to quite a large pizza chain in the U.S. And the security folks were really intrigued by, actually, it was an MVP of our product. So at the time, we hadn't made our product into SDK form yet, so it wasn't embedded. And they were like, they loved it. Like it's super secure.

And then they bring it to their marketing team. And the marketing says, "Hell, no, you know, you touch my conversion rate by 0.01%. And I'm gonna strike this down." And that was why, you know, for the Secure Customers product, we really took a look at how to improve the user experience. Because once you can do that, you start being able to, like, really generate that revenue.

Okay. Anyway, so on the fraud and retention piece, I think, you know, we're living in a post-Cambridge Analytica world, people are less trusting than ever before. Every industry is competitive. And people do business with the brands they trust.

And I think when you put those factors together, solving the fraud piece is not just like a cybersecurity mandate, but it builds better, stronger customer relationships. Like I will do business with companies that I believe are good stewards of my data and privacy. And I think that's because there's so many, you know...it's easy to kind of focus on consumer skepticism.

But on the flip side of that is, if you do security right, and you have proof points around it, like these are the things that our company does, that can be a competitive advantage for your company. Right?

So your consumers are faced with all these options, and more consumers than ever before start factoring in security and privacy into choosing who they want to give their business to.

So, I think more and more, doing customer authentication in a secure way that eliminates fraud and communicating that to the customers ends up giving companies a leg up when they're trying to, you know, get their market share.

Richard

Thanks, Jing. Let's hear from Luis and then Heidi for me.

Luis

So, yeah. I think as you complete the acquisitions, you want to get every one of those employees active and productive and generating revenue. So I think it's important to pay attention to every one of those alerts and warnings and make sure that they feel welcome.

And, you know, you do want to hear from every one of those folks. So I want to make sure that my engineers are being friendly and listening to every one of those new folks and they welcome them. And, you know, we want everybody productive in generating revenue.

So, you know, friction is something that is not welcome. And if we can make a difference and make things a little friendlier for our folks, whether it's all folks or new folks, it's always good.

You know, we don't want customer attrition or employee attrition. You know, we want to keep them happy. I'm having trouble finding more folks. And so, we are trying to hire more and more folks. And we want to keep the good ones.

I've lost some. I'm not gonna keep them in jail, if they find the good gig, you know, more power to them. I still talk to him. I have some really good friends that have left because they found some good stuff. And, you know, again, I'm not going to keep them in jail. But if I find some more good ones, I'm going to bring them over here.

So those are my comments. Thank you for inviting me.

Richard

Well, thanks, Luis. Heidi, what about reducing fraud and account takeover as well; what are your thoughts on long-term customer retention?

Heidi

Yeah. I'm thinking a little more along the lines of like, sort of KYC things to avoid some of those things. And what I've learned is that I know that it's true that it does cause friction to put all these things in place. What I have actually done at previous companies was actually put in...gamification is like not quite the right word...but it is like you, basically, you put security methods with building value for customers.

So like actually give them something. If they give you something, another great practice is like giving them something in return. So how can you actually build value? Is there some business thing that you can actually attach to that?

We did this at Remitly. And we also basically put in celebration moments when they unlocked keys to the kingdom. And that actually increased conversion. And like, from a loyalty perspective, customers were staying. And there's been some, like themes that I've heard that I think are really important that I totally agree with from a customer experience perspective.

Like making sure you talk about things that are transparent to the customer and not shock them. Don't speak in ways that, like all of these words we're talking about, the average human has no idea. Like, talk in, like, fifth grade level so they know and understand. And keep it simple. So just reminding us, like, keep it simple. It's really good. Customers do respond to that.

And, yeah, it's like this whole, like, Jing, you kind of said it earlier, too. And I've used those techniques as, basically, you put in, like change the conversation, not that you have to do this, like, "Hey, in order to protect you and your information, this is what we're asking for. And when you do this, this is what we're going to do in return."

And also, whenever a customer is in a bad scenario, I see a lot of companies do this. And it drives me up the wall. So like marketing emails will keep coming because no one's turned those off when there's like a bad breach or something happening. And now the customer is completely like on a different planet. Because now this like bad thing is happening. But you're telling me I need to log in, like you're promoting something.

So actually HelloFresh did an awesome thing; there was a case study on this. And I love this case study. Basically, if a customer got bad meat, and they had a bad experience, everything was shut down. So communication was shut down. The whole experience of customer login was to fix the bad meat scenario.

So that like, I've literally used this with my teams, like we're doing the bad meat scenario where like, basically be thoughtful about what the customer needs to do right now and to guide them to fix a problem. And like you will keep their business because you're not distracting them with bells and whistles all over the place. And you're really seeing the customer for what they're going through. So those are some additional thoughts that I've learned along the way.

Richard

Thanks, Heidi. Thank you. We're about a quarter past the hour. So what I want to do next, because we're sort of beaten for time, I know, we could probably carry on talking for a good while longer. It's just go round, and just get everyone's final thoughts or key takeaways. Just one quick thing. I just saw this of interest, actually, while it was what Luis said. On a previous roundtable, we were actually talking about the customer experience.

And there are two real things that really struck me and might be useful in this conversation. The first was that great customer experience looks easy, but it's really difficult to do and it's underpinned by customer identity.

The second thing, actually, is that if you have the great customer experience and the right tools, then it makes your employees a lot happier. Because then they can serve your customers so much more easily as well. And once again, this all starts from that basic foundation of great customer identity and great customer authentication.

And I just thought I'd share those additional thoughts with you guys. So if I can maybe start with you, Jerrold, what are your key takeaways from today's conversation?

Jerrold

My biggest takeaways are just that, right? Just that conversation you just had, you know. Because I come from an industry of customer service and background and retail, right? And so you have to understand, you know, in order to drive customers, you have to have something simplistic. It's just like, you know, hiding the same plain talk, right that plain talk.

In the army, we call it Barney level, right? You speak Barney level to the customers and they understand it a whole lot better, right, instead of speaking in complex terms for which, you know, we all may understand but everybody may not understand.

And, you know, you keep things also what we call simple, dumb, stupid, right? Hate to use those terms, but when you use that terminology, people are more apt to understand it a little more and get through things a little easier. You know, as a customer myself, I don't want anything complex to happen to me. So again, going back to what you say, it's exactly what you just said. It's easy to say; it's harder to implement.

Richard

Thanks, Jerrold. Luis, what are your key takeaways from today's conversation?

Luis

I guess, one of them is that you can't fix stupid. So you just have to keep your eyes and ears open and keep your data feeds. And it's one of the reasons why I like to attend these security invites. If I happen to have a few minutes free, which are not many, I love to visit and hear other opinions.

And I like to stay humble and remind myself that I don't know all the answers. And you guys do. So you guys are connected to all of the real customers. And I want to hear from the folks that are talking to real customers all the time. So I love connecting with real people.

And so I'm an investor. I'm a user. I am everything. So, and I don't have enough pennies. I don't have enough seconds in the day for all the things that I'm supposed to do. And that's why I'm listening to all of you guys. You guys teach me and I'm paying attention.

So you guys see me that I'm doing a gazillion things all at once. So I'm answering a question in Australia, I'm answering a question in Europe. So, but I'm paying attention to what you're saying. Because I have acquisitions going on. And security is very important to me. And I love it. So thank you for inviting me. I do have to jump to another call. And that it's lovely meeting all of you.

Richard

Thank you, Luis. I appreciate you. Thank you. Peter, why don't you tell us what your key takeaways are for today?

Peter

I really liked the point about balancing risk and friction. And we'll take that back to my security partners about how we might be able to manage that a little bit better. I also, you know, it's a bit of a reminder as much as a takeaway, that where we do have friction and ask our users to authenticate, explain why, the purposes of the authentication so that they can appreciate the value of doing so.

Richard

All right. Thank you, Peter. Kevin, what are your key takeaways from today's conversation?

Kevin

The biggest takeaway is just the notion that, I'll say, the right kind of friction, or friction under the right circumstances or in the right places. All right, Jerrold. But seriously, you know, when utilized in a way that is expected, that friction can actually drive trust, and it can drive that retention because it helps increase the perception that we're being good stewards of our customers' data and our customers' privacy. So I think that's probably the number one takeaway for me.

Richard

Brilliant. Thank you, Kevin. Ali, what are your key takeaways for today?

Ali

Yeah, I tend to agree with, you know, the rest of my peers. It's a balancing act between friction and the customer experience. And we're probably never going to be able to eliminate friction completely. But there are ways to do it in a way that maybe it's not that painful, right? So like communicating why we have to do MFA, or what the benefits of certain things are, or communicating when a breach occurs, you know, what the ramifications of the breach are and what the scope of it is.

And I really like Heidi's idea about like gamifying some of this stuff like, "Hey, let's make this a game. Give them a badge if they complete their MFA process." And it's a pretty decent idea. That's definitely a good takeaway, at least for me. And I'm really thankful for that and also being a part of this conversation.

Richard

Brilliant. Thanks, Ali. And Heidi, what are your key takeaways from today's conversation?

Heidi

Yeah, I think what this conversation illustrates is that the stuff is never-ending. And it always has to be top of mind. It changes all the time. So that's number one for me. And I think it's a good reminder. Also, I love this sort of notions around dynamic authentication and adding friction where it makes sense. The context, I think, is so great.

And what a great like reminder of like really knowing our customers to make sure that we're not doing the same thing for everyone. We do it when it's right. We do it when we need to. So I think just as the whole notion around really dynamic authentication, I think is really important.

And then I think also we talked about making sure that products are really enabled to give the control to customers. So they can do that within the products without extra layers of friction of talking to people. I think making sure that we're developing those digital forms for our customers to go do that themselves, and self-service, is awesome. And thank you, yeah, this conversation was really great.

Richard

Thanks, Heidi. Well, it's been great to have you all round the table. And we've been hugely fortunate to have Jing from Beyond Identity to really share with us some of her wisdom. Jing, do you have any final thoughts for the group, any final bits of advice?

Jing

Honestly, this is a really sophisticated group. Because, a lot of times, I still hear like, "Ah, is friction really that important?" Or, "You know, we want to just prevent all of this fraud."

But I think we covered a lot of ground, right, like friction is not the enemy. But be mindful about it. I think celebration moment, explaining the why, even like progressively onboarding users, just a little bit of sugar helps the authentication friction go down, you know. Keeping it simple, you know, by default. But like, I wouldn't be afraid of putting up some risk-based step-up speed bumps that help keep users safe.

And I think there's also a really good point to be made that when you kind of resolve the friction for users, some of the friction for your internal teams, like engineering and support, that might also go down because users aren't having to reset their passwords as often or at all. So there's also a flip side of the coin of improving user experience is enabling more agility for your internal teams to build cool features and move the product, the company forward.

So that is my piece. This was a great conversation, y'all. You're awesome.

Richard

Oh, thanks, Jing. I appreciate that. Francesca, over to you.

Francesca

Thank you. And thank you all again for your time today. We've really appreciated all of your insights. Thank you to Richard for moderating. And again, thank you to Jing for bringing her insights as well.

As promised, I'm just going to quickly spotlight the illustration. This will all be sent to you. But as you can see, it just gives a really nice overview, sort of all the main discussion points. So thank you very much, Raquel, again, for that.

I'm just going to really quickly put up a six-question multiple choice poll. I'd really appreciate it if you all answer it, it's just so we can get some feedback on our session to ensure we can sort of improve going forward. It will only take a moment to complete. And once you've completed that, please feel free to drop off the call. And I hope you'll enjoy the rest of your day.


So there's a lot of information that you can gather. And depending on who the customer is and where it came from, you can extrapolate additional information, associate that with risk. So, security, as you guys can tell, it's something that's very, very interesting to me. And I'm always wanting to learn from you guys, the experts. Thanks.

Richard

Thanks, Luis. Thank you. Peter.

Peter

Hi. Okay. So our products have elements of some of the others' challenges, but our products are usually a supplement to a student's life. And they, while we want them to log in frequently, they don't always. And single sign on goes a long ways. But we also allow them to use our products with both computers as well as mobile devices.

And so a big driver, a big support cost for us is forgot password, even though we have, frankly, really good user flows for resetting passwords and even being able to send them via text, the ability to reset their password. We're not quite there in terms of ease of use, where I think we need to be.

And so, you know, passwordless authentication is interesting. And I understand that, you know, balancing the type of risk with the rigor of the authentication process, I think, we also have additional internal challenges of what authenticated users might be able to do that we need to deal with. But I'm intrigued by the idea of passwordless authentication.

Richard

All right. Thanks, Peter. Ali.

Ali

So, I agree with Peter and Luis when they were talking about SSO. Specifically within my company, we're actually a company of acquisitions. And we've made a lot of acquisitions over the last decade or two. And so, we haven't done, historically, a great job at integrating all of these acquisitions.

So we're a company of companies, and sometimes what it feels like, and so when customers buy multiple products, previously, there was a lot of friction between from one product to another, whether they have to, essentially, re-log in every time. We've since solved that problem with SSO.

And we also support federating with external identity providers. And to give you a background, we sell software to apartment management companies. So they might be a company that buys multiple apartment complexes, and he may need to log in to manage them or do certain kinds of activities based on the product they've bought.

And so one of the things we support is SSO with an existing provider that they already have. So new customers wouldn't necessarily need to have their own username and password for RealPage products. They can just use whatever they're used to. And that kind of leaves the boat in their password, forgetting a password, recovering the password, password complexity, whether or not we need to enforce MFA outside to something that our customers are used to dealing with.

Or if they decide to use our solution for that, that's also fine. But it kind of gives them a little bit more control. So it's all a matter of balancing risk with, you know, the friction that we've been talking about. We allow our customers to kind of decide that, up to a certain extent, we don't want it to be wide open where you can't just not have a password at all either.

Richard

All right. Jing.

Jing

Yeah, I love that part about no passwords. We really want to get rid of friction, let's get rid of the password, but not in the way you imagined.

Richard

So why is it such a dangerous expression, passwordless?

Jing

It really is. It's like, "We'll just get rid of the password." Everyone, come one, come all.

So I want to go back to the point about, you know, like, how do you educate users around this, right? Because engaging with users is really important. And unlike employees, you have no control over the end user of consumer products and services. I think there's three primary ways that I'm seeing companies do this.

One is they're just trying to enable within their product, transparent access and control, right? So that could be a centralized control center for users where they can manage trusted devices, privacy and consent settings, and data sharing permissions, all of those good things. Because transparency and control are kind of the antidote to privacy concerns.

And I think in doing that and having that sort of sell sort of functionality in products actually starts enabling end users to empower themselves around their own digital security and privacy. I think, you know, hand in hand with that... So that's the first way like transferring access and control in user-friendly language accessible within the product.

I think the second thing that goes along with that is habit formation. So, you know, maybe every month, giving them an in-app cue that says, "Hey, you haven't checked your trusted devices in quite a while. Like, do you want to take a look?" That they can easily dismiss.

But for, you know, very security-savvy people, you know, that kind of reminder is typically very well received. And for less security-oriented folks, that habit of actually being cued up to kind of check their security posture helps them get in the mindset of, "I have some semblance of control over my identity and security."

And I think the third thing is, as companies and as people who care about this problem, I think, we need to start thinking about how we can start shifting the burden of security from humans to technology. Taking the load off of end users is really important. And it turns out, there are technologies out there today that can sort of mitigate some of the risks that come with passwords and just kind of human errors around there.

We're really prone to phishing, the social engineering schemes work really well. And that means not only can the password be phished. MFA can be phished, right? Notification flooding, they send thousands of notifications to your phone. What do people do? They just click it, and then they're in. And that's a really common attack pattern. Or credential stuffing, where previously breached passwords, you know, it happens to all of us, and we reuse passwords.

So how do we start, you know, shifting the burden, right? Personally, I think, you know, our modern devices have come with, you know, local device biometrics that are never transferred over into a cloud. There's proven security protocols like TLS, which secure trillions in transactions daily. And all of our devices have secure enclaves, right? That's the TPM, the hardware part of the device.

There's actually a really interesting lawsuit in the United States where the FBI said to Apple, like, "Hey, like, we need to get into this criminal's phone." And Apple said, "No can do. Like, the TPM is what it is, we cannot crack it." So the FBI went to some external firm to try to do that.

The point being, right, there's mechanisms within our devices today that mostly everyone owns that can help organizations move away from authentication with shared secrets and move towards kind of a passwordless world facilitated with local biometrics, asymmetric cryptography.

So to kind of wrap up that thought, right, you want to empower the end users, you want to build these good cybersecurity habits, and sort of in parallel, think about, like, what are the technologies that are available today to really shift the burden from an individual basis, and onto things that have been proven to be secure and work in our current digital infrastructure?

Richard

All right. For me, in the interim, I mean, this is exactly where we want to get to. But for me, in the interim, not having, "Oh, which passwords have got complex passwords, which password stuff to have this extra character, all these characters." And it all seems, sometimes meaningless. Because, really, as we all know, if we have to use passwords, it's length, not complexity, that really... So let's make it easy for everyone.

Anyway, as we move on to our next topic, you know, we really want to understand here how you guys think we can balance friction versus security when evaluating customer authentication solutions, such as MFA? Can I start with you, Kevin?

Kevin

So, I'm actually, I'm gonna go in a slightly different direction real quick. I think this is interesting. And the idea of customer friction is extremely important, you know, obviously.

But to us, there's another component here of the friction equation, and that is internal teams having to track down and deal with potentially hijacked customer accounts trying to protect our customers on their behalf. And that eats a ton of man-hours from teams that don't have a ton of hours to spend, just tracking down these sorts of things.

So one of the things that my team is actually in the process of working on right now is taking because, of course, our customer, you know, credential database is completely separate from our employee database, right? You know, you want those things to be separate. Please. Hopefully.

But if the algorithms that have been set up for the e-commerce site, for the omnichannel site, if it detects some sort of fraudulent activity, rather than sending an alert to a team to do something on behalf of, you know, trying to determine, "Do I lock this account? Do I notify the customer? Like, how do I deal with this?" We're completely taking that part of internal or employee or security operations friction out of the picture, by automating those alerts, sending them to our automation tool that our SOC utilizes for any sorts of alerts throughout the entire business.

And that tool is actually going to automatically lock the customer's account and send the customer an email saying, "Hey, we saw something kind of weird. If this was you, you know, don't worry, just click this link to reset your password."

So we're actually looking to automate away some of that internal friction, that, you know, where our internal teams just have these mountains of... Like, our volume is ridiculous. You know, we got close to half a million employees. If you look at the volume that we do, it's insane. There just isn't enough time in the day to actively chase down every single alert that we get.

So we're looking to automate some of these things to try and keep our customers safe. Sometimes, despite themselves, you know, for the customers who have, "I use the same password on every single website that I log into." These bad security habits.

But to at least try to keep their information, their payment information, their payment sources, all these sorts of things safe, sometimes, despite themselves. So that's kind of the journey that we're going down right now.

Richard

I can see Luis wanting to say something. And also, I think Jerrold has got something to say. Go on, Luis.

Luis

Yeah, I think that's a pretty bad idea using the same password. So we provide guidance to our population of users. And so, I have my engineers build little, well, I guess, articles, solution, tips and tricks to send. And that's a big no, no. And we automate everything possible.

So when Kevin was talking about having a lot of users, and a lot of requests, and not enough staff, okay, that's all of us. You know, we don't have enough staff. And we don't have enough pennies to go chase every one of those things. But we do have some artificial intelligence, some ML, machine language. And those things are being a little more effective today.

So let's make use of those tools. So those things are being a little more impactful today. And there's these guys up in Bradman that are pushing Power Automate. Those actually are getting a little friendlier.

So I've spent some time with Microsoft and building some things. And my engineers are doing more things with Power Automate than Power Apps. And those are included with the E3 and E1 type of licensing. So I'm doing more of that. And I'm pushing all of my security logs into Sentinel.

So I'm consuming a lot of Microsoft and I give them a lot of money, but I'm getting a little more intel. So my queries out of Sentinel are now producing a little more intelligence. And yeah, but when Kevin said using the same password that part of yours, it's like, okay, we can't fix stupid. But that one, I think we can. Sorry.

Richard

Oh, that's okay. Luis. Jerrold.

Jerrold

Yeah, I definitely agree with Kevin that using the same password is sometimes it's the craziest thing. But I know, at some point, all of us have done it, right? When I have not that understanding that, you know, this is really bad.

And I think also there's a separation when it comes to... Customers want protection, let's not think that they don't want that protection because they absolutely do. But where they want protection is the thing that we need to figure out, right? So there's a separation. There's a separation between my personal information, my credit card information, all of that, my date of birth and all that information, they want protection on that stuff. They absolutely do.

But when it comes to ecommerce and me wanting to just purchase a product, somehow there has to be a separation of the two because they really want to just move around, login, and get their things and move on, right, into the next page. And like, you know, most customers get to that page. And then when they get to authenticate and do something else, they absolutely fall off.

I do it all the time, right? I fall completely off the page, and I find somewhere else to find my product, or either I'll just walk in the store and get it although I don't want to. I want to stay online and purchase it online.

But the separation of the two, between my personal information, credit card information, and all of that information, customers will do all type of authentications to make sure, and they are okay with that. But they will do it simply because, "This is my personal information. I don't want anybody else to have it. So whatever it is that it takes for me to authenticate myself, I'm okay with it."

But when it comes to me buying a pair of socks online, I do not want to go through seven authentications right to try and get a pair of socks. So I think there is some type of separation of the two. So we have to figure out what that fine line is.

Richard

Thanks, Jerrold. So, I'm gonna go to Linh because I thought I saw her flash her hand in the air very briefly. And then we'll go over to Jing. No, Linh? So just go straight to Jing. Okay.

Jing

Yeah. I think a lot of this comes around, you know, the self-remediation aspects of the customer experience. You know, when they can fix their problems themselves, it takes a load off of your support teams and your engineers.

And, you know, like, customer support. I hear a lot of companies just say they spend most of their time dealing with password resets. And that's, you know, part of the reality of the world today. I think when it comes to self-remediation, you can have FAQs that are accessible, you know, automating like I think someone said, I think it was Luis who said, you know, engineering-contributed FAQs. I think those help articles are really important.

And also, an idea to make those help articles accessible without mandating authentication, right? Like, "If you need to reset your password, here are your steps." If you require that I'm logged in to see your help article about how to reset my password, suddenly, I can't self-remediate that.

I think another really interesting thing to consider is dynamic risk-based policies, right? All applications consume a ton of risk signals and those risk signals, what I hear most frequently is, "I'm a CISO at a company and I'm sitting on a load of risk signals. And there's nothing I can do about them. I can kind of look back at them and see if fraud is happening, if you know there's a security risk here and there." But it's not a preventative thing, right, it's going backwards and retroactively trying to identify risk and dealing with it.

So I think really exciting advancements in risk-based authentication gather real-time risk signals from the device that is attempting to authenticate. And using those risk signals to kind of inform step-up authentication.

So Impossible Travel is a really good example of this. If I'm logging in from a location that is physically, that I don't see very frequently. For instance, I'm logging in from Turkey. And, you know, the application knows that I'm not in Turkey.

That's an opportunity where you can say, "Hey, like, can you give me your biometrics? Like, I just need to verify that you're actually attempting this." So geolocation can be a really good risk signal for that.

There's another one that's interesting for security verticals, which is jailbroken status. So if your device is jailbroken, it's much more likely to have malware running on it. And, you know, it's inconspicuous, and it's not the user's fault.

But there are companies out there, specifically in the FinTech space, even more specifically in the cryptocurrency space, because people really don't want their crypto accounts to be hacked, who say, "Hey, like, if you're using a jailbroken device, I'm going to need you to give me your biometric verification." Or, "Don't log in from this device, like go to the web app, or until I have a trusted device, you can't gain access to this account."

Like if you're doing Impossible Travel, like logging in from New York, and then two minutes later logging in from Beijing, like, that's impossible. We're gonna block that. Or you can say, "A jailbroken device, if you're really sure, I'm gonna give you a caution sign, you're gonna give me a biometric. So you're making an informed choice."

I think those are all really good ways to kind of inform the user, empower them. And also give them a little bit of a speed bump in the road to say, "Hey, like, are you sure?"

Richard

Good advice, Jing. I'll get to Heidi next, if I can. We're talking about balancing friction and security when evaluating authentication solutions.

Heidi

Yeah. So the one thing I am thinking about right now. Okay. So when it comes to like devices, I feel like there's so much more that we're able to do on our phone. Like, there's so many more things to tap into to really know the user.

What I have also seen is like, for many companies, including the one I'm working for now, a lot of our customers are in desktop. And desktop, I think, there's more challenges at times with desktop. But, actually, I'm not sure if, like, maybe I am naïve to that. And maybe there's been more progress there.

But I think from a desktop-specific standpoint, I've seen more challenges from account takeovers more than mobile because there are... So I'd love to learn from... I don't have any comments other than questions around devices. And specifically, what can companies do on desktop to really make sure that we're letting the right customers in and adding those speed bumps, I like the way you said that, for the customers, that maybe they're not the customer?

Richard

Ali, how do you guys deal with this? Because you cover a whole bunch of companies which you bring together?

Ali

Yeah. I think some of the existing guidance is similar to what we do as well. We have also employee versus customer-type authentication, and the rules and specifications are different for each and they are tunable. Right, so we can change it according to whatever the use case may be.

But specifically, for internal, and I've seen this as well, is we have tools that we leverage. I'm not familiar which tools they are, because I'm not part of the InfoSec team, but that use AI to use location-based information like IP address and your locale and, you know, other mechanisms on Reddit, like browser fingerprinting and things of that sort to be able to identify, you know, "This is maybe a device that's in the right place, but I haven't seen it before." Or, "This is the right device, but why is it in New York now when 10 minutes ago, it was, say, in Dallas."

So I think that using data and AI is probably kind of the way to go, maybe going forward. And without necessarily having to increase headcount and doing any kind of manual interactions. And there's a plethora of tools out there that can be leveraged for that.

Richard

Thanks, Ali.

Luis

Let me add a comment to that. The VPNs, depending on where the user is, and my company has users all over the world. And they really do go all over the world. So we do send those messages. "Hey, are you in Paris?" "Yes, we are." "Are you in South Africa?" "Yes, we are."

So depending on where they are, because we see logins... I happen to be in Houston, we see them in that country, and then we see them in Houston because of a VPN software. We might be able to see two logins in the U.S. and in that country, very close to one another. So it really depends on that particular user and the software that they have to be using for anonymity or security. So that's the one exception.

But depending on what security client you have, we have like Falcon from CrowdStrike. Then that brings the second piece that will keep you secure. So AI will come back to the rescue and keep you safe.

So there are some ratings that I pay attention to. And that is, the client will give you a little bit of extra information, and Spotlight also tells you, is this a common thing or is it a rare occurrence? And what is the rating of the risk? So those are two of the things that I look at. Thanks.

Richard

All right. Thanks, Luis. If I can maybe go to Peter, and then over to Jing, please.

Peter

I'm thinking about the risk profile versus our needs. And other than a subset of our users who we don't want to give access to some part of our public offering, the risk is actually kind of low for our users. It's more about, basically, protecting their scores, and the risk of their scores being, you know, hacked and released is much more of a public relations issue for us, versus some student who does poorly on an exam. Nobody really, other than that student and their school, really cares.

Part of the risk factor is, if we were to get, you know, hacked or infiltrated, it's more of a public relations issue. And then it comes down to, you know, when that happens, what measures did we take to prevent it? And what's reasonable?

So it's balancing the public relations of a breach, as well as the user. The data that we have about users, which really isn't all that interesting. It's just people love to point out our flaws.

Jing

Yeah, I think the public relations piece is pretty important, right? There was some interesting research from Ponemon Research Institute, I think it was back in 2020, that said, "Publicly-traded companies experience an average stock price decline of 5%, immediately following disclosure of breaches."

And then afterwards, they experienced a lot of issues with, like, acquisition, because the long tail of that breach is kind of a loss of trust in the marketplace, which is bad for business. That's the one thing I'll say about that, like, reputation is pretty important, especially when I think every industry has just an incredible amount of competition nowadays.

And the other thing I'll say is, on the mobile versus web experience piece, this is interesting, because I hear this sentiment a lot. Actually, you know, people tell me, mobile experiences are better because we can actually do more device fingerprinting, device identification on mobile. So we put more trust on the app on the phone. Also, because they can verify possession, right? Give me your biometric, your local pin, and I can sort of understand that you own or can access authentication into this phone. So I do hear that a lot.

At the same time, all is not lost on the web front. I think there's two technologies, or standards, that I think are really interesting on the web. So there is Web Crypto, and WebAuthn. I think so, both of those allow you to eliminate the password and instead rely on public-private key pairing.

The difference is just like why WebAuthn is associated with FIDO. It leverages hardware TPM. Web Crypto uses a software TPM, and it runs in the context of the browser. And I think what that allows you to do is, one, you know, you can eliminate the password. Instead of the password, you're using cryptography that can verify the user's identity with much stronger trust.

Also, while there are browser limitations on the web, so you can't do as exact device fingerprinting as you can maybe on a mobile device. There are some risk signals that you can maybe look at, including browser version, operating system, IP address. If it's a known sort of bad actor acting from a known bad IP address, there's a proper term for it, I'm just forgetting it now, VPN-enabled status.

So there are some risk signals that you can gather from the browser. It may be less robust. But for a lot of use cases, it is enough to kind of mitigate a huge amount of the risk. And, again, I think FIDO is pretty widely supported as a standard now. So that's one direction to look at, if you're trying to kind of reduce the risk in a sort of desktop web context.

And, you know, if you have a mobile device, and you want to restrict some high-risk actions to just a mobile device where you have better control and visibility. There's an argument to be made for, you know, these features, or these capabilities are only accessible on the mobile device, please go and download it from the App Store. So those are my thoughts on the conversation so far.

Linh

Can I ask a question? I'm curious. Did you say mobile apps could help provide some level of security? Or you would approach that, the security around an app differently than if you had your website being accessed via mobile?

Jing

So the website being accessed via mobile, so that's the mobile browser. I'm specifically talking about native mobile applications where you can pull some more information about that exact device in the web context on a desktop.

So we go to a website, www., whatever. A lot of companies, those web apps are limited by browser limitations. That browser is not necessarily interacting with the device itself. It's kind of an enclosed environment. So that is kind of the way in which you'd have better device identification and fingerprinting on a native mobile experience versus a web browser experience, because you're necessarily sort of limited by that browser playground, for lack of a better word.

Richard

Sorry. I put my mic on mute while I was pouring myself a glass of water. I didn't want to interrupt the conversation. Right. So we're kind of onto our final topic of discussion, why reducing fraud and account takeover builds long-term customer retention? Perhaps we could start with you, Ali. Well, what are your thoughts from your organization?

Ali

I think it comes down, a little bit. One aspect of it would be what Peter mentioned earlier, and that's the PR aspect of it, right? If you have a breach or you recorded a data breach, or somebody said you had a breach in the public domain, that impacts your ability to retain a certain type of customer, which may be a large group of customers, depending on the product.

But I would just like speak personally, whenever there's some kind of breach for a company that I use, a product that I use. I get a little nervous. I start looking for a competitor, or at least do some kind of analysis and figure out, could this have impacted me or should I be worried? And yeah, so I think the PR aspect of it is pretty critical.

Richard

Thanks, Ali. Kevin, what are your thoughts? Then we'll go to Peter. Sorry, Peter.

Kevin

I completely agree. And being in the retail space, you know, we've seen, you know, the Target breach was a pretty big hit for their bottom line for a while. I know they lost market share during that period. It was not good.

And then, the flip side of that are, our main competitor, who shall remain nameless, you know, it seems like they were made out of Teflon when they got hit because I think that news cycle just happened to be focused somewhere else when that occurred. So you're really rolling the dice.

But I think the costs of a breach have just continued to go up and up. You know, and that's brand damage, that's potential liability that you're paying out. I mean, hell, cyber insurance premiums are going up, you know. You're getting hit from multiple angles. And it's just way too big of a risk because if you lose that trust or that confidence that the public places in you as an institution, then that's hard to win back, especially with individuals.

And if you're dealing with a space where your customer base maybe isn't as technical, that makes those risks even higher because they just hear breach, and regardless of what the actual facts are, it can be just a PR nightmare for those who maybe aren't very, you know, deep into the technical aspects of cyber, which most of the public are. Let's be honest.

Peter

This actually is an acquisition, a customer acquisition topic too, because, you know, we have B2C products, as well as B2B products. And in the B2B products, we are frequently asked by public universities and school districts to answer a pretty lengthy RFP questionnaire, which includes questions about what our security practices are, and how do we authenticate users? And do we follow different standards to do it?

So there is an aspect of, we put things in place so that we can tell our customers, "Yeah, we're the most secure in the market."

Richard

I'll tell you what. Well, let's go to Jerrold, then we'll go to Jing.

Jerrold

Yeah, this part is a real learning aspect to me because, you know, me being in a CAS industry. You know, most of my issues come from, you know, information data. And then, you know, the pharmaceutical, you know, the Virginia State Board of Pharmacy governs what we do. So it is governed by the federal government. So, and it is medicinal here in the state of Virginia.

So the complications of that information getting out is...and then we violate HIPAA laws and all kinds of... It gets so legally complicated when that information... From where my perspective is, it's trying to get these guys and educate these guys before we get on that platform of cyber and all of that information being released, trying to get them to understand the ramifications of it with the publicity of it.

That gets way out of control from my perspective, and me trying to get these guys to understand that this gets way more complicated, especially when we're talking about pharmaceuticals, we're talking about HIPAA, then we're talking about putting some implementations in place for cyber. And we don't have all the protocols around it, and trying to get them to understand that, "Listen, this could be a PR nightmare for a cannabis industry who has just gotten started." This industry, right, so the cannabis industry is still fairly brand new. Right?

I want to say this without it being so loose. There are no real protocols and laws around cannabis in that way. As you can see, because there are many states that still have them legal, right? But that's because they haven't figured out what the "retail" portion is going to be. And so it gets a little more complicated.

What can we say? That the cyber portion, it gets so mucky. And they don't quite understand what the ramifications might be. So for me, I'm learning a whole lot of information and understanding what some of this stuff is, and it is absolutely complicated because you have a lot of people that don't understand.

And, for the most part, we all understand that security takes money away from an organization. It does not bring you any money. So then there's that part, too.

Richard

You know, some security is expensive. Jing.

Jing

Okay. I had a thought. And then Jerrold said his piece. And now, I have more thoughts. So, right, security is seen as a cost center. But you know what? When you do customer authentication right, it drives revenue.

Like just picture a world where there's less friction or minimal friction at registration, login, and recovery. Suddenly, your conversion rates are going up. You're acquiring more users. You're engaging more users and you're retaining them. And all of those metrics are metrics that businesses live and die by.

So I think what's really exciting about customer authentication is not just the opportunity to mitigate risk. But to have the opportunity that once you do it right and do it right by your customers and your company, it actually moves the needle forward in terms of revenue.

And that's why I personally think customer authentication is so interesting, compared to, you know, like employee authentication. Employee authentication is also so complicated with, you know, your EDRs, MDRs, and SSOs, and VPOs, and that tech stack. Anyway, so let's... Oh, go ahead.

Jerrold

For the record, I'm gonna use that.

Jing

Yeah. No, take that, and make your argument for why companies need to invest in customer authentication. Like, you want to see your conversion rates come up.

There was one time, I was talking to quite a large pizza chain in the U.S. And the security folks were really intrigued by, actually, it was an MVP of our product. So at the time, we hadn't made our product into SDK form yet, so it wasn't embedded. And they were like, they loved it. Like it's super secure.

And then they bring it to their marketing team. And the marketing says, "Hell, no, you know, you touch my conversion rate by 0.01%. And I'm gonna strike this down." And that was why, you know, for the Secure Customers product, we really took a look at how to improve the user experience. Because once you can do that, you start being able to, like, really generate that revenue.

Okay. Anyway, so on the fraud and retention piece, I think, you know, we're living in a post-Cambridge Analytica world, people are less trusting than ever before. Every industry is competitive. And people do business with the brands they trust.

And I think when you put those factors together, solving the fraud piece is not just like a cybersecurity mandate, but it builds better, stronger customer relationships. Like I will do business with companies that I believe are good stewards of my data and privacy. And I think that's because there's so many, you know...it's easy to kind of focus on consumer skepticism.

But on the flip side of that is, if you do security right, and you have proof points around it, like these are the things that our company does, that can be a competitive advantage for your company. Right?

So your consumers are faced with all these options, and more consumers than ever before start factoring in security and privacy into choosing who they want to give their business to.

So, I think more and more, doing customer authentication in a secure way that eliminates fraud and communicating that to the customers ends up giving companies a leg up when they're trying to, you know, get their market share.

Richard

Thanks, Jing. Let's hear from Luis and then Heidi for me.

Luis

So, yeah. I think as you complete the acquisitions, you want to get every one of those employees active and productive and generating revenue. So I think it's important to pay attention to every one of those alerts and warnings and make sure that they feel welcome.

And, you know, you do want to hear from every one of those folks. So I want to make sure that my engineers are being friendly and listening to every one of those new folks and they welcome them. And, you know, we want everybody productive in generating revenue.

So, you know, friction is something that is not welcome. And if we can make a difference and make things a little friendlier for our folks, whether it's all folks or new folks, it's always good.

You know, we don't want customer attrition or employee attrition. You know, we want to keep them happy. I'm having trouble finding more folks. And so, we are trying to hire more and more folks. And we want to keep the good ones.

I've lost some. I'm not gonna keep them in jail, if they find the good gig, you know, more power to them. I still talk to him. I have some really good friends that have left because they found some good stuff. And, you know, again, I'm not going to keep them in jail. But if I find some more good ones, I'm going to bring them over here.

So those are my comments. Thank you for inviting me.

Richard

Well, thanks, Luis. Heidi, what about reducing fraud and account takeover as well? What are also your thoughts on long-term customer retention?

Heidi

Yeah. I'm thinking a little more along the lines of like, sort of KYC things to avoid some of those things. And what I've learned is that I know that it's true that it does cause friction to put all these things in place. What I have actually done at previous companies was actually put in...gamification is like not quite the right word...but it is like you, basically, you put security methods with building value for customers.

So like actually give them something. If they give you something, another great practice is like give them something in return. So how can you actually build value? Is there some business thing that you can actually attach to that?

We did this at Remitly. And we also basically put in celebration moments when they unlocked keys to the kingdom. And that actually increased conversion. And like, from a loyalty perspective, customers were staying. And there's been some, like themes that I've heard that I think are really important that I totally agree with from a customer experience perspective.

Like making sure you talk about things that are transparent to the customer and not shock them. Don't speak in ways that, like all of these words we're talking about, the average human has no idea. Like, talk in, like, fifth grade level so they know and understand. And keep it simple. So just reminding us, like, keep it simple. It's really good. Customers do respond to that.

And, yeah, it's like this whole, like, Jing, you kind of said it earlier, too. And I've used those techniques as, basically, you put in, like change the conversation, not that you have to do this, like, "Hey, in order to protect you and your information, this is what we're asking for. And when you do this, this is what we're going to do in return."

And also, whenever a customer is in a bad scenario, I see a lot of companies do this. And it drives me up the wall. So like marketing emails will keep coming because no one's turned those off when there's like a bad breach or something happening. And now the customer is completely like on a different planet. Because now this like bad thing is happening. But you're telling me I need to log in, like you're promoting something.

So actually HelloFresh did an awesome, there was a case study on this. And I love this case study. Basically, if a customer got bad meat, and they had a bad experience, everything was shut down. So communication was shut down. The whole experience of customer log in was to fix the bad meat scenario.

So that like, I've literally used this with my teams, like we're doing the bad meat scenario where like, basically be thoughtful about what the customer needs to do right now and to guide them to fix a problem. And like you will keep their business because you're not distracting them with bells and whistles all over the place. And you're really seeing the customer for what they're going through. So those are some additional thoughts that I've learned along the way.

Richard

Thanks, Heidi. Thank you. We're about a quarter past the hour. So what I want to do next, because we're sort of beaten for time, I know, we could probably carry on talking for a good while longer, is just go round and just get everyone's final thoughts or key takeaways. Just one quick thing. I just saw this of interest, actually, while it was what Luis said. On a previous roundtable, we were actually talking about the customer experience.

And there are two real things that really struck me and might be useful in this conversation. The first was that great customer experience looks easy, but it's really difficult to do and it's underpinned by customer identity.

The second thing, actually, is that if you have the great customer experience and the right tools, then it makes your employees a lot happier. Because then they can serve as your customers so much easier as well. And once again, this all starts from that basic foundation of great customer identity and great customer authentication.

And I just thought I'd share those additional thoughts with you guys. So if I can maybe start with you, Jerrold, what are your key takeaways from today's conversation?

Jerrold

My biggest takeaways are just that, right? Just that conversation you just had, you know. Because I come from an industry of customer service and background and retail, right? And so you have to understand, you know, in order to drive customers, you have to have something simplistic. It's just like, you know, hiding the same plain talk, right that plain talk.

In the army, we call it Barney level, right? You speak Barney level to the customers and they understand it a whole lot better, right, instead of speaking in complex terms for which, you know, we all may understand but everybody may not understand.

And, you know, you keep things also what we call simple, dumb, stupid, right? Hate to use those terms, but when you use that terminology, people are more apt to understand it a little more and get through things a little easier. You know, as a customer myself, I don't want anything complex for me to happen. So again, going back to what you say, it's exactly what you just said. It's easy to say, harder to implement.

Richard

Thanks, Jerrold. Luis, what are your key takeaways from today's conversation?

Luis

I guess, one of them is that you can't fix stupid. So you just have to keep your eyes and ears open and keep your data feeds. And it's one of the reasons why I like to attend these security invites. If I happen to have a few minutes free, which are not many, I love to visit and hear other opinions.

And I like to stay humble and remind myself that I don't know all the answers. And you guys do. So you guys are connected to all of the real customers. And I want to hear from the folks that are talking to real customers all the time. So I love connecting with real people.

And so I'm an investor. I'm a user. I am everything. So, and I don't have enough pennies. I don't have enough seconds in the day for all the things that I'm supposed to do. And that's why I'm listening to all of you guys. You guys teach me and I'm paying attention.

So you guys see me that I'm doing a gazillion things all at once. So I'm answering a question in Australia, I'm answering a question in Europe. So, but I'm paying attention to what you're saying. Because I have acquisitions going on. And security is very important to me. And I love it. So thank you for inviting me. I do have to jump to another call. And it's lovely meeting all of you.

Richard

Thank you, Luis. I appreciate you. Thank you. Peter, why don't you tell us what your key takeaways are for today?

Peter

I really liked the point about balancing risk and friction. And we'll take that back to my security partners about how we might be able to manage that a little bit better. I also, you know, it's a bit of a reminder as much as a takeaway, that where we do have friction and ask our users to authenticate, explain why, the purposes of the authentication so that they can appreciate the value of doing so.

Richard

All right. Thank you, Peter. Kevin, what are your key takeaways from today's conversation?

Kevin

The biggest takeaway is just the notion that I'll say the right kind of frictions or friction under the right circumstances or in the right places. All right, Jerrold. But seriously, you know, when utilized in a way that is expected, that friction can actually drive trust, and it can drive that retention because it helps increase the perception that we're being good stewards of our customers' data and our customers' privacy. So I think that's probably the number one takeaway for me.

Richard

Brilliant. Thank you, Kevin. Ali, what are your key takeaways for today?

Ali

Yeah, I tend to agree with, you know, the rest of my peers. It's a balancing act between friction and the customer experience. And we're never probably going to be able to eliminate friction completely. But there's ways to do it in a way that maybe it's not that painful, right? So like communicating why we have to do MFA, or what are the benefits of certain things, or communicating when a breach occurs, you know, what the ramifications of the breach are and what the scope of it is.

And I really like Heidi's idea about like gamifying some of this stuff like, "Hey, let's make this a game. Give them a badge if they complete their MFA process." And it's a pretty decent idea. That's definitely a good takeaway, at least for me. And I'm really thankful for that and also being a part of this conversation.

Richard

Brilliant. Thanks, Ali. And Heidi, what are your key takeaways from today's conversation?

Heidi

Yeah, I think what this conversation illustrates is that the stuff is never-ending. And it always has to be top of mind. It changes all the time. So that's number one for me. And I think it's a good reminder. Also, I love these sort of notions around dynamic authentication and adding friction where it makes sense. The context, I think, is so great.

And what a great like reminder of like really knowing our customers to make sure that we're not doing the same thing for everyone. We do it when it's right. We do it when we need to. So I think just as the whole notion around really dynamic authentication, I think is really important.

And then I think also we talked about, like making sure that products are really enabled to give the control to customers. So they can do that with end products without having extra layers of friction of talking to people, I think, making sure that we're developing those digital forms for our customers to go do that themselves. And self-service is awesome. And thank you, yeah, this conversation was really great.

Richard

Thanks, Heidi. Well, it's been great to have you all round the table. And we've been hugely fortunate to have Jing from Beyond Identity to really share with us some of her wisdom. Jing, do you have any final thoughts for the group, any final bits of advice?

Jing

Honestly, this is a really sophisticated group. Because, a lot of times, I still hear like, "Ah, is friction really that important?" Or, "You know, we want to just prevent all of this fraud."

But I think we covered a lot of ground, right, like friction is not the enemy. But be mindful about it. I think celebration moments, explaining the why, even like progressively onboarding users, just a little bit of sugar helps the authentication friction go down, you know. Keeping it simple, you know, by default. But like, I wouldn't be afraid of putting up some risk-based step-up speed bumps that help keep users safe.

And I think there's also a really good point to be made that when you kind of resolve the friction for users, some of the friction for your internal teams, like engineering and support, that might also go down because users aren't having to reset their passwords as often or at all. So there's also a flip side of the coin: improving user experience is enabling more agility for your internal teams to build cool features and move the product, the company forward.

So that is my piece. This was a great conversation, y'all. You're awesome.

Richard

Oh, thanks, Jing. I appreciate that. Francesca, over to you.

Francesca

Thank you. And thank you all again for your time today. We've really appreciated all of your insights. Thank you to Richard for moderating. And again, thank you to Jing for bringing her insights as well.

As promised, I'm just going to quickly spotlight the illustration. This will all be sent to you. But as you can see, it just gives a really nice overview, sort of all the main discussion points. So thank you very much, Raquel, again, for that.

I'm just going to really quickly put up a six-question multiple choice poll. I'd really appreciate it if you all answer it, it's just so we can get some feedback on our session to ensure we can sort of improve going forward. It will only take a moment to complete. And once you've completed that, please feel free to drop off the call. And I hope you'll enjoy the rest of your day.


Richard

Good. I'm gonna go to Jing, then I'm gonna go to Linh, if I may. Jing.

Jing

Yeah. So, authentication. Like, I hear a lot about, you know, people say, "Oh, visitors come through my website. I see all that traffic. And then I can literally see on the graph where people just drop off a steep cliff because they hit a registration page." And just to put some numbers to that, right, like 67% drops off at account creation, just due to password requirements.

But authentication doesn't stop at registration. It spans the entire customer lifecycle. You know, you have your initial acquisition and registration. You have ongoing engagement at login and retention or recovery. And each of those steps ends up being a friction point for users. And anytime there's friction in the user experience, users typically respond to that by saying, "Oh, I give up" or "I'll try again another day."

I think the reason there's been so much just research around that initial registration piece is, once you lose a customer at a first impression, you might never get them back. If they drop off at login, maybe they'll come back and try recovery another day.

But if you lose at registration, they might go to a competitor or just kind of give up on the project altogether. So authentication spans the entire lifecycle. It's critical. And anytime there's friction in the experience, people tend to drop off.

At the same time, I don't want to just take friction as public enemy number one, right? I think there's a way that friction can be leveraged, right? So there's a sense in which, like, if you ask me for a two-factor authentication or verification, I expect that from my bank account. The risk levels for that action is different.

So if we can get to a place where authentication can be risk based, right? So risk can look different for different industries, with different customers, like Kevin mentioned, and it can look different for what they're attempting to do.

If I'm just trying to browse an e-commerce website, a lot of e-commerce website will have anonymous browsing. That's totally fine. If I log into my account to make a purchase, there might be guest checkouts, right? And these are the ways that different industries have sort of calibrated to balance friction and usability.

But if I'm trying to go in there and change my account information, get the credit card information, that is a very high-risk action. And if you give me a two-step, that actually makes me feel safer. So I personally don't think friction is public enemy number one. I think when you can get to a place where friction can be strategically leveraged based on risk levels and trust levels within the account, I think that actually is a really good user experience.

And then, the account sharing. But the account sharing piece is also really interesting, right? Account sharing happens all the time. Like, the media companies really struggle with this. I don't even know how many people I have on my Netflix account anymore. Whoops.

Richard

Share prices are tanking because of this.

Jing

Sorry. It's all my fault. But it's an interesting question, right? Because some business models actually do well with an account sharing model. But not having limitations on that is progress and different payment methods attached with different customers, it's also a really interesting question. So I don't have a decisive answer there. But I do think that's a really interesting point to kind of earmark in the conversation.

Richard

Great. Thanks, Jing. Linh, over to you.

Linh

I find this conversation very interesting, because the thing I think about is, I appreciate the reference to leveraging the friction component and to me, what made... This may be very elementary, so please excuse this. But it just makes me wonder, how do you best educate that consumer as to the benefits?

Like it seems like it would be intuitive and understood as to why we are creating these levels of authentication. But sometimes, it's not. And I don't know if it's a demographic and age, which could be me just saying that and/or the user type, how can we think through, because what happens for us is account setup, forget your password, you need to call us, create that friction.

But we can engage with the customer then through conversation, which provides an opportunity, but it is frustrating, and it takes more time. I'm not sure if any of that makes sense. But just thinking through how can we best educate, I guess?

Richard

Yeah. Luis, have you any thoughts? I go to Luis, Peter, then Ali.

Luis

Sure. So risk is something that I'm always looking at. And this conversation brought flashbacks from a prior lifetime. So I always try to use technology to make things friendly to my users. So I turned on SSO very quickly to many of the systems that we use, and all of our users around the world very quickly.

So single sign on is probably the friendliest thing that our population of users will find. And it's probably the thing that will keep frustrations at bay. But risk is something that we all need to analyze. And the human is the weakest link in our security world. So I'm always looking to have more layers of security in my security onion, more, more, more layers. As one gets penetrated, I want to make sure that I have the next one ready to keep our security world.

In an older life, I had to deal with a lot more fraud and risk analysis. And we had additional pieces of information, such as the product code. So when Kevin was talking about his washer and dryer customer, and instead of buying 1, buying 20, so I could be that one customer but I could also be that same customer as an investor that owns a complex with 20 doors or 40 doors, so 120-apartment complexes, and which is a real-life scenario. I happen to be, you know, maybe both.

And so, the product code is something that you can drop in a little bit of extra information into the transaction. So in this prior life, I had to authorize that transaction that came to my host.

So if that information was in there, then I had to deal with, is this a stereo? Or is this a piece of gum that has been bought at a retail store? And what time during the day was this transaction completed? What zip code did this transaction come from?

So there's a lot of information that you can gather. And depending on who the customer is and where it came from, you can extrapolate additional information, associate that with risk. So, security, as you guys can tell, it's something that's very, very interesting to me. And I'm always wanting to learn from you guys, the experts. Thanks.

Richard

Thanks, Luis. Thank you. Peter.

Peter

Hi. Okay. So our products have elements of some of the others' challenges, but our products are usually a supplement to a student's life. And they, while we want them to log in frequently, they don't always. And single sign on goes a long ways. But we also allow them to use our products with both computers as well as mobile devices.

And so a big driver, a big support cost for us is forgot password, even though we have, frankly, really good user flows for resetting passwords and even being able to send them via text, the ability to reset their password. We're not quite there in terms of ease of use, where I think we need to be.

And so, you know, passwordless authentication is interesting. And I understand that, you know, balancing the type of risk with the rigor of the authentication process, I think, we also have additional internal challenges of what authenticated users might be able to do that we need to deal with. But I'm intrigued by the idea of passwordless authentication.

Richard

All right. Thanks, Peter. Ali.

Ali

So, I agree with Peter and Luis when they were talking about SSO. Specifically within my company, we're actually a company of acquisitions. And we've made a lot of acquisitions over the last decade or two. And so, we haven't done, historically, a great job at integrating all of these acquisitions.

So we're a company of companies, and sometimes what it feels like, and so when customers buy multiple products, previously, there was a lot of friction between from one product to another, whether they have to, essentially, re-log in every time. We've since solved that problem with SSO.

And we also support federating with external identity providers. And to give you a background, we sell software to apartment management companies. So they might be a company that buys multiple apartment complexes, and he may need to log in to manage them or do certain kinds of activities based on the product they've bought.

And so one of the things we support is SSO with an existing provider that they already have. So new customers wouldn't necessarily need to have their own username and password for RealPage products. They can just use whatever they're used to. And that kind of leaves the boat in their password, forgetting a password, recovering the password, password complexity, whether or not we need to enforce MFA outside to something that our customers are used to dealing with.

Or if they decide to use our solution for that, that's also fine. But it kind of gives them a little bit more control. So it's all a matter of balancing risk with, you know, the friction that we've been talking about. We allow our customers to kind of decide that, up to a certain extent, we don't want it to be wide open where you can't just not have a password at all either.

Richard

All right. Jing.

Jing

Yeah, I love that part about no passwords. We really want to get rid of friction, let's get rid of the password, but not in the way you imagined.

Richard

So why is it such a dangerous expression, passwordless?

Jing

It really is. It's like, "We'll just get rid of the password." Everyone, come one, come all.

So I want to go back to the point about, you know, like, how do you educate users around this, right? Because engaging with users is really important. And unlike employees, you have no control over the end user of consumer products and services. I think there's three primary ways that I'm seeing companies do this.

One is they're just trying to enable within their product, transparent access and control, right? So that could be a centralized control center for users where they can manage trusted devices, privacy and consent settings, and data sharing permissions, all of those good things. Because transparency and control are kind of the antidote to privacy concerns.

And I think in doing that and having that sort of sell sort of functionality in products actually starts enabling end users to empower themselves around their own digital security and privacy. I think, you know, hand in hand with that... So that's the first way like transferring access and control in user-friendly language accessible within the product.

I think the second thing that goes along with that is habit formation. So, you know, maybe every month, giving them an in-app cue that says, "Hey, you haven't checked your trusted devices in quite a while. Like, do you want to take a look?" That they can easily dismiss.

But for, you know, very security-savvy people, you know, that kind of reminder is typically very well received. And for less security-oriented folks, that habit of actually being cued up to kind of check their security posture helps them get in the mindset of, "I have some semblance of control over my identity and security."

And I think the third thing is, as companies and as people who care about this problem, I think, we need to start thinking about how we can start shifting the burden of security from humans to technology. Taking the load off of end users is really important. And it turns out, there are technologies out there today that can sort of mitigate some of the risks that come with passwords and just kind of human errors around there.

We're really prone to phishing, the social engineering schemes work really well. And that means not only can the password be phished. MFA can be phished, right? Notification flooding, they send thousands of notifications to your phone. What do people do? They just click it, and then they're in. And that's a really common attack pattern. Or credential stuffing, where previously breached passwords, you know, it happens to all of us, and we reuse passwords.

So how do we start, you know, shifting the burden, right? Personally, I think, you know, our modern devices have come with, you know, local device biometrics that are never transferred over into a cloud. There's proven security protocols like TLS, which secure trillions in transactions daily. And all of our devices have secure enclaves, right? That's the TPM, the hardware part of the device.

There's actually a really interesting lawsuit in the United States where the FBI said to Apple, like, "Hey, like, we need to get into this criminal's phone." And Apple said, "No can do. Like, the TPM is what it is, we cannot crack it." So the FBI went to some external firm to try to do that.

The point being, right, there's mechanisms within our devices today that mostly everyone owns that can help organizations move away from authentication with shared secrets and move towards kind of a passwordless world facilitated with local biometrics, asymmetric cryptography.

So to kind of wrap up that thought, right, you want to empower the end users, you want to build these good cybersecurity habits, and sort of in parallel, think about, like, what are the technologies that are available today to really shift the burden from an individual basis, and onto things that have been proven to be secure and work in our current digital infrastructure?

Richard

All right. For me, in the interim, I mean, this is exactly where we want to get to. But for me, in the interim, not having, "Oh, which passwords have got complex passwords, which password stuff to have this extra character, all these characters." And it all seems, sometimes meaningless. Because, really, as we all know, if we have to use passwords, it's length, not complexity, that really... So let's make it easy for everyone.

Anyway, as we move on to our next topic, you know, we really want to understand here how you guys think we can balance friction versus security when evaluating customer authentication solutions, such as MFA? Can I start with you, Kevin?

Kevin

So, I'm actually, I'm gonna go in a slightly different direction real quick. I think this is interesting. And the idea of customer friction is extremely important, you know, obviously.

But to us, there's another component here of the friction equation, and that is internal teams having to track down and deal with potentially hijacked customer accounts trying to protect our customers on their behalf. And that eats a ton of man-hours from teams that don't have a ton of hours to spend, just tracking down these sorts of things.

So one of the things that my team is actually in the process of working on right now is taking because, of course, our customer, you know, credential database is completely separate from our employee database, right? You know, you want those things to be separate. Please. Hopefully.

But if the algorithms that have been set up for the e-commerce site, for the omnichannel site, if it detects some sort of fraudulent activity, rather than sending an alert to a team to do something on behalf of, you know, trying to determine, "Do I lock this account? Do I notify the customer? Like, how do I deal with this?" We're completely taking that part of internal or employee or security operations friction out of the picture, by automating those alerts, sending them to our automation tool that our SOC utilizes for any sorts of alerts throughout the entire business.

And that tool is actually going to automatically lock the customer's account and send the customer an email saying, "Hey, we saw something kind of weird. If this was you, you know, don't worry, just click this link to reset your password."

So we're actually looking to automate away some of that internal friction, that, you know, where our internal teams just have these mountains of... Like, our volume is ridiculous. You know, we got close to half a million employees. If you look at the volume that we do, it's insane. There just isn't enough time in the day to actively chase down every single alert that we get.

So we're looking to automate some of these things to try and keep our customers safe. Sometimes, despite themselves, you know, for the customers who have, "I use the same password on every single website that I log into." These bad security habits.

But to at least try to keep their information, their payment information, their payment sources, all these sorts of things safe, sometimes, despite themselves. So that's kind of the journey that we're going down right now.

Richard

I can see Luis wanting to say something. And also, I think Jerrold has got something to say. Go on, Luis.

Luis

Yeah, I think that's a pretty bad idea using the same password. So we provide guidance to our population of users. And so, I have my engineers build little, well, I guess, articles, solution, tips and tricks to send. And that's a big no, no. And we automate everything possible.

So when Kevin was talking about having a lot of users, and a lot of requests, and not enough staff, okay, that's all of us. You know, we don't have enough staff. And we don't have enough pennies to go chase every one of those things. But we do have some artificial intelligence, some ML, machine language. And those things are being a little more effective today.

So let's make use of those tools. So those things are being a little more impactful today. And there's these guys up in Bradman that are pushing Power Automate. Those actually are getting a little friendlier.

So I've spent some time with Microsoft and building some things. And my engineers are doing more things with Power Automate than Power Apps. And those are included with the E3, and E1 type of licensing. So I'm doing more of that. And I'm pushing all of my security logs into Sentinel.

So I'm consuming a lot of Microsoft and I give them a lot of money, but I'm getting a little more intel. So my queries out of Sentinel are now producing a little more intelligence. And yeah, but when Kevin said using the same password that part of yours, it's like, okay, we can't fix stupid. But that one, I think we can. Sorry.

Richard

Oh, that's okay. Luis. Jerrold.

Jerrold

Yeah, I definitely agree with Kevin that using the same password is sometimes it's the craziest thing. But I know, at some point, all of us have done it, right? When I have not that understanding that, you know, this is really bad.

And I think also there's a separation when it comes to... Customers want protection, let's not think that they don't want that protection because they absolutely do. But where they want protection is the thing that we need to figure out, right? So there's a separation. There's a separation between my personal information, my credit card information, all of that, my date of birth and all that information, they want protection on that stuff. They absolutely do.

But when it comes to ecommerce and me wanting to just purchase a product, somehow there has to be a separation of the two because they really want to just move around, login, and get their things and move on, right, into the next page. And like, you know, most customers get to that page. And then when they get to authenticate and do something else, they absolutely fall off.

I do it all the time, right? I fall completely off the page, and I find somewhere else to find my product, or either I'll just walk in the store and get it although I don't want to. I want to stay online and purchase it online.

But the separation of the two, between my personal information, credit card information, and all of that information, customers will do all type of authentications to make sure, and they are okay with that. But they will do it simply because, "This is my personal information. I don't want anybody else to have it. So whatever it is that it takes for me to authenticate myself, I'm okay with it."

But when it comes to me buying a pair of socks online, I do not want to go through seven authentications right to try and get a pair of socks. So I think there is some type of separation of the two. So we have to figure out what that fine line is.

Richard

Thanks, Jerrold. So, I'm gonna go to Linh because I thought I saw her flash her hand in the air very briefly. And then we'll go over to Jing. No, Linh? So just go straight to Jing. Okay.

Jing

Yeah. I think a lot of this comes around, you know, the self-remediation aspects of the customer experience. You know, when they can fix their problems themselves, it takes a load off of your support teams and your engineers.

And, you know, like, customer support. I hear a lot of companies just say they spend most of their time dealing with password resets. And that's, you know, part of the reality of the world today. I think when it comes to self-remediation, you can have FAQs that are accessible, you know, automating like I think someone said, I think it Luis who said, you know, engineering contributed FAQs. I think those help articles are really important.

And also, an idea to make those help articles accessible without mandating authentication, right? Like, "If you need to reset your password, here are your steps." If you require that I'm logged in to see your help article about how to reset my password, suddenly, I can't self-remediate that.

I think another really interesting thing to consider is dynamic risk-based policies, right? All applications consume a ton of risk signals and those risk signals, what I hear most frequently is, "I'm a CISO at a company and I'm sitting on a load of risk signals. And there's nothing I can do about them. I can kind of look back at them and see if fraud is happening, if you know there's a security risk here and there." But it's not a preventative thing, right, it's going backwards and retroactively trying to identify risk and dealing with it.

So I think really exciting advancements in risk-based authentication gather real-time risk signals from the device that is attempting to authenticate. And using those risk signals to kind of inform step-up authentication.

So Impossible Travel is a really good example of this. If I'm logging in from a location that is physically, that I don't see very frequently. For instance, I'm logging in from Turkey. And, you know, the application knows that I'm not in Turkey.

That's an opportunity where you can say, "Hey, like, can you give me your biometrics? Like, I just need to verify that you're actually attempting this." So geolocation can be a really good risk signal for that.

There's another one that's interesting for security verticals, which is jailbroken status. So if your device is jailbroken, it's much more likely to have malware running on it. And, you know, it's inconspicuous, and it's not the user's fault.

But there are companies out there, specifically in the FinTech space, even more specifically in the cryptocurrency space, because people really don't want their crypto accounts to be hacked, who say, "Hey, like, if you're using a jailbroken device, I'm going to need you to give me your biometric verification." Or, "Don't log in from this device, like go to the web app, or until I have a trusted device, you can't gain access to this account."

Like if you're doing Impossible Travel, like logging in from New York, and then two minutes later logging in from Beijing, like, that's impossible. We're gonna block that. Or you can say, "A jailbroken device, if you're really sure, I'm gonna give you a caution sign, you're gonna give me a biometric. So you're making an informed choice."

I think those are all really good ways to kind of inform the user, empower them. And also give them a little bit of a speed bump in the road to say, "Hey, like, are you sure?"

Richard

Good advice, Jing. I'll get to Heidi next, if I can. We're talking about balancing friction and security when evaluating authentication solutions.

Heidi

Yeah. So the one thing I am thinking about right now. Okay. So when it comes to like devices, I feel like there's so much more that we're able to do on our phone. Like, there's so many more things to tap into to really know the user.

What I have also seen is like, for many companies, including the one I'm working for now, a lot of our customers are in desktop. And desktop, I think, there's more challenges at times with desktop. But, actually, I'm not sure if, like, maybe I am naïve to that. And maybe there's been more progress there.

But I think from a desktop-specific standpoint, I've seen more challenges from account takeovers more than mobile because there are... So I'd love to learn from... I don't have any comments other than questions around devices. And specifically, what can companies do on desktop to really make sure that we're letting the right customers in and adding those speed bumps, I like the way you said that, for the customers, that maybe they're not the customer?

Richard

Ali, how do you guys deal with this? Because you cover a whole bunch of companies which you bring together?

Ali

Yeah. I think some of the existing guidance is similar to what we do as well. We have also employee versus customer-type authentication, and the rules and specifications are different for each and they are tunable. Right, so we can change it according to whatever the use case may be.

But specifically, for internal, and I've seen this as well, is we have tools that we leverage. I'm not familiar which tools they are, because I'm not part of the InfoSec team, but that use AI to use location-based information like IP address and your locale and, you know, other mechanisms on Reddit, like browser fingerprinting and things of that sort to be able to identify, you know, "This is maybe a device that's in the right place, but I haven't seen it before." Or, "This is the right device, but why is it in New York now when 10 minutes ago, it was, say, in Dallas."

So I think that using data and AI is probably kind of the way to go, maybe going forward. And without necessarily having to increase headcount and doing any kind of manual interactions. And there's a plethora of tools out there that can be leveraged for that.

Richard

Thanks, Ali.

Luis

Let me add a comment to that. The VPNs, depending on where the user is, and my company has users all over the world. And they really do go all over the world. So we do send those messages. "Hey, are you in Paris?" "Yes, we are." "Are you in South Africa?" "Yes, we are."

So depending on where they are, because we see logins... I happen to be in Houston, we see them in that country, and then we see them in Houston because of a VPN software. We might be able to see two logins in the U.S. and in that country, very close to one another. So it really depends on that particular user and the software that they have to be using for anonymity or security. So that's the one exception.

But depending on what security client you have, we have like Falcon from CrowdStrike. Then that brings the second piece that will keep you secure. So AI will come back to the rescue and keep you safe.

So there are some ratings that I pay attention to. And that is, the client will give you a little bit of extra information, and Spotlight also tells you, is this a common thing or is it a rare occurrence? And what is the rating of the risk? So those are two of the things that I look at. Thanks.

Richard

All right. Thanks, Luis. If I can maybe go to Peter, and then over to Jing, please.

Peter

I'm thinking about the risk profile and versus our needs. And other than a subset of our users who we don't want to give access to some part of our public offering, the risk is actually kind of low for our users. It's more about, basically, protecting their scores, and the risk of their scores being, you know, hacked and released is much more of a public relations issue for us, versus some student who does poorly on an exam. Nobody really, other than that student and their school really cares.

Part of the risk factor is, if we were to get, you know, hacked or infiltrated, it's more of a public relations issue. And then it comes down to, you know, when that happens, what measures did we take to prevent it? And what's reasonable?

So it's balancing the public relations of a breach, as well as the user. The data that we have about users, which really isn't all that interesting. It's just people love to point out our flaws.

Jing

Yeah, I think the public relations piece is pretty important, right? There was interesting research from Ponemon Research Institute, I think it was back in 2020, that said, "Publicly-traded companies experience an average stock price decline of 5%, immediately following disclosure of breaches."

And then afterwards, they experienced a lot of issue with like, acquisition, because the longtail of that breach is kind of a loss of trust in the marketplace, which is bad for business. That's the one thing I'll say about that, like, reputation is pretty important, especially when I think every industry has just an incredible amount of competition nowadays.

And the other thing I'll say is, on the mobile versus web experience piece, this is interesting, because I hear this sentiment a lot. Actually, you know, people tell me, mobile experiences are better because we can actually do more device fingerprinting, device identification on mobile. So we put more trust on the app on the phone. Also, because they can verify possession, right? Give me your biometric, your local pin, and I can sort of understand that you own or can access authentication into this phone. So I do hear that a lot.

At the same time, all is not lost on the web front. I think there are two technologies, or standards, that I think are really interesting on the web. So there is Web Crypto, and WebAuthn. I think both of those allow you to eliminate the password and instead rely on public-private key pairing.

The difference is just like why WebAuthn is associated with FIDO. It leverages hardware TPM. Web crypto uses a software TPM, and it runs in the context with the browser. And I think what that allows you to do is, one, you know, you can eliminate the password. Instead of the password, you're using cryptography that can verify the user's identity with much stronger trust.

Also, while there are browser limitations on the web, so you can't do as exact device fingerprinting as you can maybe on a mobile device, there are some risk signals that you can maybe look at, including browser version, operating system, IP address. If it's a known sort of bad actor acting from a known bad IP address, there's a proper term for it, I'm just forgetting it now, VPN-enabled status.

So there are some risk signals that you can gather from the browser. It may be less robust. But for a lot of use cases, it is enough to kind of mitigate a huge amount of the risk. And, again, I think FIDO is pretty widely supported as a standard now. So that's one direction to look at, if you're trying to kind of reduce the risk in a sort of desktop web context.

And, you know, if you have a mobile device, and you want to restrict some high-risk actions to just a mobile device where you have better control and visibility, there's an argument to be made for, you know, these features, or these capabilities are only accessible on the mobile device, please go and download it from the App Store. So those are my thoughts on the conversation so far.

Linh

Can I ask a question? I'm curious. Did you say mobile apps could help provide some level of security? Or you would approach that, the security around an app differently than if you had your website being accessed via mobile?

Jing

So the website being accessed via mobile, so that's the mobile browser. I'm specifically talking about native mobile applications where you can pull some more information about that exact device in the web context on a desktop.

So we go to a website, www., whatever. A lot of companies, those web apps are limited by browser limitations. That browser is not necessarily interacting with the device itself. It's kind of an enclosed environment. So that is kind of the way in which you'd have better device identification and fingerprinting on a native mobile experience versus a web browser experience, because you're necessarily sort of limited by that browser playground, for lack of a better word.

Richard

Sorry. I put my mic on mute while I was pouring myself a glass of water. I didn't want to interrupt the conversation. Right. So we're kind of onto our final topic of discussion, why reducing fraud and account takeover builds long-term customer retention. Perhaps we could start with you, Ali. What are your thoughts from your organization?

Ali

I think it comes down, a little bit. One aspect of it would be what Peter mentioned earlier, and that's the PR aspect of it, right? If you have a breach or you recorded a data breach, or somebody said you had a breach in the public domain, that impacts your ability to retain a certain type of customer, which may be a large group of customers, depending on the product.

But I would just like speak personally, whenever there's some kind of breach for a company that I use, a product that I use. I get a little nervous. I start looking for a competitor, or at least do some kind of analysis and figure out, could this have impacted me or should I be worried? And yeah, so I think the PR aspect of it is pretty critical.

Richard

Thanks, Ali. Kevin, what are your thoughts? Then we'll go to Peter. Sorry, Peter.

Kevin

I completely agree. And being in the retail space, you know, we've seen, you know, the Target breach was pretty big hit for their bottom line for a while. I know they lost market share during that period. It was not good.

And then, the flip side of that are, our main competitor, who shall remain nameless, you know, it seems like they were made out of Teflon when they got hit because I think that news cycle just happened to be focused somewhere else when that occurred. So you're really rolling the dice.

But I think the costs of a breach have just continued to go up and up. You know, and that's brand damage, that's potential liability that you're paying out. I mean, hell, cyber insurance premiums are going up, you know. You're getting hit from multiple angles. And it's just way too big of a risk because if you lose that trust or that confidence that the public places in you as an institution, then that's hard to win back, especially with individuals.

And if you're dealing with a space where your customer base maybe isn't as technical, that makes those risks even higher, because they just hear "breach," and regardless of what the actual facts are, it can be just a PR nightmare for those who maybe aren't very, you know, deep into the technical aspects of cyber, which is most of the public. Let's be honest.

Peter

This actually is an acquisition, a customer acquisition topic too, because, you know, we have B2C products, as well as B2B products. And in the B2B products, we are frequently asked by public universities and school districts to answer a pretty lengthy RFP questionnaire, which includes questions about what our security practices are, and how do we authenticate users? And do we follow different standards to do it?

So there is an aspect of, we put things in place so that we can tell our customers, "Yeah, we're the most secure in the market."

Richard

I'll tell you what. Well, let's go to Jerrold, then we'll go to Jing.

Jerrold

Yeah, this part is a real learning aspect to me because, you know, me being in a CAS industry. You know, most of my issues come from, you know, information data. And then, you know, the pharmaceutical, you know, the Virginia State Board of Pharmacy governs what we do. So it is governed by the federal government. So, and it is medicinal here in the state of Virginia.

So the complications of that information getting out is...and then we violate HIPAA laws and all kinds of... It gets so legally complicated when that information from where my perspective is, is trying to get these guys and educate these guys before we get on that platform of cyber and all of that information being released, trying to get them to understand the ramifications of it with the publicity of it.

That gets way out of control from my perspective and me trying to get these guys to understand that this gets way more complicated, especially when we're talking about pharmaceuticals, we're talking about HIPAA, then we're talking about putting some implementations in place for cyber. And we don't have all the protocols around it and trying to get them to understand that, "Listen, this could be a PR nightmare for a cannabis industry who has just gotten started." This industry, right so the cannabis industry is still fairly brand new. Right?

I want to say this without it being so loose. There are no real protocols and laws around cannabis in that way. As you can see, because there are many states that still have them legal, right? But that's because they haven't figured out what the "retail" portion is going to be. And so it gets a little more complicated.

What can we say? The cyber portion, it gets so mucky. And they don't quite understand what the ramifications might be. So for me, I'm learning a whole lot of information and understanding what some of this stuff is, and it is absolutely complicated, because you have a lot of people that don't understand.

And, for the most part, we all understand that security takes money away from an organization. It does not bring you any money. So then there's that part, too.

Richard

You know, some security is expensive. Jing.

Jing

Okay. I had a thought. And then Jerrold said his piece. And now, I have more thoughts. So, right, security is seen as a cost center. But you know what? When you do customer authentication right, it drives revenue.

Like just picture, a world is where there's less friction or minimal friction at registration, login, and recovery. Suddenly, your conversion rates are going up. You're acquiring more users. You're engaging more users and you're retaining them. And all of those metrics are metrics that businesses live and die by.

So I think what's really exciting about customer authentication is not just the opportunity to mitigate risk. But to have the opportunity that once you do it right and do it right by your customers and your company, it actually moves the needle forward in terms of revenue.

And that's why I personally think customer authentication is so interesting, compared to, you know, like employee authentication. Employee authentication is also so complicated with, you know, your EDRs, MDRs, and SSOs, and VPOs, and that tech stack. Anyway, so let's... Oh, go ahead.

Jerrold

For the record, I'm gonna use that.

Jing

Yeah. No, take that, and make your argument for why companies need to invest in customer authentication. Like, you want to see your conversion rates come up.

There was one time, I was talking to quite a large pizza chain in the U.S. And the security folks were really intrigued by, actually, it was an MVP of our product. So at the time, we hadn't made our product into SDK form yet, so it wasn't embedded. And they were like, they loved it. Like, it's super secure.

And then they bring it to their marketing team. And the marketing says, "Hell, no, you know, you touch my conversion rate by 0.01%. And I'm gonna strike this down." And that was why, you know, for the Secure Customers product, we really took a look at how to improve the user experience. Because once you can do that, you start being able to, like, really generate that revenue.

Okay. Anyway, so on the fraud and retention piece, I think, you know, we're living in a post-Cambridge Analytica world, people are less trusting than ever before. Every industry is competitive. And people do business with the brands they trust.

And I think when you put those factors together, solving the fraud piece is not just, like, a cybersecurity mandate, but it builds better, stronger customer relationships. Like, I will do business with companies that I believe are good stewards of my data and privacy. And I think that's because there's so many, you know...it's easy to kind of focus on consumer skepticism.

But on the flip side of that is, if you do security right, and you have proof points around it, like these are the things that our company does, that can be a competitive advantage for your company. Right?

So your consumers are faced with all these options, and more consumers than ever before are starting to factor security and privacy into choosing who they want to give their business to.

So, I think more and more, doing customer authentication in a secure way that eliminates fraud and communicating that to the customers ends up giving companies a leg up when they're trying to, you know, get their market share.

Richard

Thanks, Jing. Let's hear from Luis and then Heidi for me.

Luis

So, yeah. I think as you complete the acquisitions, you want to get every one of those employees active and productive and generating revenue. So I think it's important to pay attention to every one of those alerts and warnings and make sure that they feel welcome.

And, you know, you do want to hear from every one of those folks. So I want to make sure that my engineers are being friendly and listening to every one of those new folks and they welcome them. And, you know, we want everybody productive in generating revenue.

So, you know, friction is something that is not welcome. And if we can make a difference and make things a little friendlier for our folks, whether it's all folks or new folks, it's always good.

You know, we don't want customer attrition or employee attrition. You know, we want to keep them happy. I'm having trouble finding more folks. And so, we are trying to hire more and more folks. And we want to keep the good ones.

I've lost some. I'm not gonna keep them in jail; if they find the good gig, you know, more power to them. I still talk to them. I have some really good friends that have left because they found some good stuff. And, you know, again, I'm not going to keep them in jail. But if I find some more good ones, I'm going to bring them over here.

So those are my comments. Thank you for inviting me.

Richard

Well, thanks, Luis. Heidi, what about reducing fraud and account takeover as well, what are your thoughts on long-term customer retention?

Heidi

Yeah. I'm thinking a little more along the lines of like, sort of KYC things to avoid some of those things. And what I've learned is that I know that it's true that it does cause friction to put all these things in place. What I have actually done at previous companies was actually put in...gamification is like not quite the right word...but it is like you, basically, you put security methods with building value for customers.

So, like, actually give them something. If they give you something, another great practice is, like, give them something in return. So how can you actually build value? Is there some business thing that you can actually attach to that?

We did this at Remitly. And we also basically put in celebration moments when they unlocked keys to the kingdom. And that actually increased conversion. And like, from a loyalty perspective, customers were staying. And there's been some, like themes that I've heard that I think are really important that I totally agree with from a customer experience perspective.

Like making sure you talk about things that are transparent to the customer and not shock them. Don't speak in ways that, like all of these words we're talking about, the average human has no idea. Like, talk in, like, fifth grade level so they know and understand. And keep it simple. So just reminding us, like, keep it simple. It's really good. Customers do respond to that.

And, yeah, it's like this whole, like, Jing, you kind of said it earlier, too. And I've used those techniques as, basically, you put in, like change the conversation, not that you have to do this, like, "Hey, in order to protect you and your information, this is what we're asking for. And when you do this, this is what we're going to do in return."

And also, whenever a customer is in a bad scenario, I see a lot of companies do this. And it drives me up the wall. So, like, marketing emails will keep coming because no one's turned those off when there's, like, a bad breach or something happening. And now the customer is completely, like, on a different planet, because now this, like, bad thing is happening. But you're telling me I need to log in, like you're promoting something.

So actually, HelloFresh did an awesome thing, there was a case study on this. And I love this case study. Basically, if a customer got bad meat, and they had a bad experience, everything was shut down. So communication was shut down. The whole experience of customer login was to fix the bad meat scenario.

So that like, I've literally used this with my teams, like we're doing the bad meat scenario where like, basically be thoughtful about what the customer needs to do right now and to guide them to fix a problem. And like you will keep their business because you're not distracting them with bells and whistles all over the place. And you're really seeing the customer for what they're going through. So those are some additional thoughts that I've learned along the way.

Richard

Thanks, Heidi. Thank you. We're about a quarter past the hour. So what I want to do next, because we're sort of beaten for time, I know, we could probably carry on talking for a good while longer. It's just go round, and just get everyone's final thoughts or key takeaways. Just one quick thing. I just saw this of interest, actually, while it was what Luis said. On a previous roundtable, we were actually talking about the customer experience.

And there are two real things that really struck me and might be useful in this conversation. The first was that great customer experience looks easy, but it's really difficult to do and it's underpinned by customer identity.

The second thing, actually, is that if you have the great customer experience and the right tools, then it makes your employees a lot happier. Because then they can serve as your customers so much easier as well. And once again, this all starts from that basic foundation of great customer identity and great customer authentication.

And I just thought I'd share those additional thoughts with you guys. So if I can maybe start with you, Jerrold, what are your key takeaways from today's conversation?

Jerrold

My biggest takeaways are just that, right? Just that conversation you just had, you know. Because I come from an industry of customer service and background and retail, right? And so you have to understand, you know, in order to drive customers, you have to have something simplistic. It's just like, you know, hiding the same plain talk, right that plain talk.

In the army, we call it Barney level, right? You speak Barney level to the customers and they understand it a whole lot better, right, instead of speaking in complex terms for which, you know, we all may understand but everybody may not understand.

And, you know, you keep things also what we call simple, dumb, stupid, right? Hate to use those terms, but when you use that terminology, people are more apt to understand it a little more and get through things a little easier. You know, as a customer myself, I don't want anything complex to happen to me. So again, going back to what you say, it's exactly what you just said. It's easy to say; it's harder to implement.

Richard

Thanks, Jerrold. Luis, what are your key takeaways from today's conversation?

Luis

I guess, one of them is that you can't fix stupid. So you just have to keep your eyes and ears open and keep your data feeds. And it's one of the reasons why I like to attend these security invites. If I happen to have a few minutes free, which are not many, I love to visit and hear other opinions.

And I like to stay humble and remind myself that I don't know all the answers. And you guys do. So you guys are connected to all of the real customers. And I want to hear from the folks that are talking to real customers all the time. So I love connecting with real people.

And so I'm an investor. I'm a user. I am everything. So, and I don't have enough pennies. I don't have enough seconds in the day for all the things that I'm supposed to do. And that's why I'm listening to all of you guys. You guys teach me and I'm paying attention.

So you guys see me that I'm doing a gazillion things all at once. So I'm answering a question in Australia, I'm answering a question in Europe. So, but I'm paying attention to what you're saying. Because I have acquisitions going on. And security is very important to me. And I love it. So thank you for inviting me. I do have to jump to another call. And that it's lovely meeting all of you.

Richard

Thank you, Luis. I appreciate you. Thank you. Peter, why don't you tell us what your key takeaways are for today?

Peter

I really liked the point about balancing risk and friction. And we'll take that back to my security partners about how we might be able to manage that a little bit better. I also, you know, it's a bit of a reminder as much as a takeaway, that where we do have friction and ask our users to authenticate, explain why, the purposes of the authentication so that they can appreciate the value of doing so.

Richard

All right. Thank you, Peter. Kevin, what are your key takeaways from today's conversation?

Kevin

The biggest takeaway is just the notion that, I'll say, the right kind of friction, or friction under the right circumstances or in the right places. All right, Jerrold. But seriously, you know, when utilized in a way that is expected, that friction can actually drive trust, and it can drive that retention, because it helps increase the perception that we're being good stewards of our customers' data and our customers' privacy. So I think that's probably the number one takeaway for me.

Richard

Brilliant. Thank you, Kevin. Ali, what are your key takeaways for today?

Ali

Yeah, I tend to agree with, you know, the rest of my peers. It's a balancing act between friction and the customer experience. And we're probably never going to be able to eliminate friction completely. But there are ways to do it in a way that maybe it's not that painful, right? So, like, communicating why we have to do MFA, or what are the benefits of certain things, or communicating when a breach occurs, you know, what the ramifications of the breach are and what the scope of it is.

And I really like Heidi's idea about like gamifying some of this stuff like, "Hey, let's make this a game. Give them a badge if they complete their MFA process." And it's a pretty decent idea. That's definitely a good takeaway, at least for me. And I'm really thankful for that and also being a part of this conversation.

Richard

Brilliant. Thanks, Ali. And Heidi, what are your key takeaways from today's conversation?

Heidi

Yeah, I think what this conversation illustrates is that this stuff is never-ending. And it always has to be top of mind. It changes all the time. So that's number one for me. And I think it's a good reminder. Also, I love these sorts of notions around dynamic authentication and adding friction where it makes sense. The context, I think, is so great.

And what a great like reminder of like really knowing our customers to make sure that we're not doing the same thing for everyone. We do it when it's right. We do it when we need to. So I think just as the whole notion around really dynamic authentication, I think is really important.

And then I think also we talked about, like making sure that products are really enabled to give the control to customers. So they can do that with end products without having extra layers of friction of talking to people, I think, making sure that we're developing those digital forms for our customers to go do that themselves. And self-service is awesome. And thank you, yeah, this conversation was really great.

Richard

Thanks, Heidi. Well, it's been great to have you all round the table. And we've been hugely fortunate to have Jing from Beyond Identity to really share with us some of her wisdom. Jing, do you have any final thoughts for the group, any final bits of advice?

Jing

Honestly, this is a really sophisticated group. Because, a lot of times, I still hear like, "Ah, is friction really that important?" Or, "You know, we want to just prevent all of this fraud."

But I think we covered a lot of ground, right, like friction is not the enemy. But be mindful about it. I think celebration moment, explaining the why, even like progressively onboarding users, just a little bit of sugar helps the authentication friction go down, you know. Keeping it simple, you know, by default. But like, I wouldn't be afraid of putting up some risk-based step-up speed bumps that help keep users safe.

And I think there's also a really good point to be made that when you kind of resolve the friction for users, some of the friction for your internal teams, like engineering and support, that might also go down because users aren't having to reset their passwords as often or at all. So there's also a flip side of the coin of improving user experience is enabling more agility for your internal teams to build cool features and move the product, the company forward.

So that is my piece. This was a great conversation, y'all. You're awesome.

Richard

Oh, thanks, Jing. I appreciate that. Francesca, over to you.

Francesca

Thank you. And thank you all again for your time today. We've really appreciated all of your insights. Thank you to Richard for moderating. And again, thank you to Jing for bringing her insights as well.

As promised, I'm just going to quickly spotlight the illustration. This will all be sent to you. But as you can see, it just gives a really nice overview, sort of all the main discussion points. So thank you very much, Raquel, again, for that.

I'm just going to really quickly put up a six-question multiple choice poll. I'd really appreciate it if you all answer it, it's just so we can get some feedback on our session to ensure we can sort of improve going forward. It will only take a moment to complete. And once you've completed that, please feel free to drop off the call. And I hope you'll enjoy the rest of your day.
