Today, consumers manage numerous usernames and passwords. Dashlane, a popular password management app, recently estimated that each consumer has between 90 and 130 sets of credentials, which makes it difficult to remember each one. That’s why online services, or Service Delivery Organizations (SDOs), need to make consumer access easy and secure. But to do so, SDOs must first understand credential dynamics and where their service fits into their customers’ lives. This allows companies to improve customer experiences and to optimize their assurance, risk and cost.
What are Credential Dynamics?
There are three critical elements of how a credential should be assessed from a user convenience, risk and cost perspective. These include velocity, trust and user motivation.
Credential velocity is a key metric because it measures how often a user accesses a destination service. The more often a user visits a site, the more likely she/he is to remember her/his credentials; the opposite is also true. If a user accesses the online service only sporadically, she/he isn’t likely to remember the credentials. Consequently, low velocity coupled with bureaucratic password rules makes access a challenge.
The second component is trust. The level of trust required at the destination service is defined by the sensitivity of the transaction being conducted. For example, buying a tool on Amazon is inherently less risky than sharing medical records with a service provider. Both SDOs—Amazon and the medical record provider, in this case—have a duty to protect and manage personal information, but the consequences of a failure are very different. Therefore, every SDO needs to define the level of business assurance it requires to transact online, informed by internal business requirements, privacy regulations and any other jurisdictional statutes that apply to the industry it operates in.
The final element of credential dynamics is that users do not manage all their passwords with an equal amount of care. There is a gradient of increasing diligence by the user based on the importance of the account (e.g. an Amazon password vs. an online medical record portal). Therefore, the “motivation to recover” is a measure of how important the service and its credential are to the customer. It’s measured by the speed and effort a user exerts to regain access if/when she loses it.
Now that you understand the components of credential dynamics, there are two conclusions you can take from this:
If your service is naturally low velocity for your customers, that is not something you can fix. What you should do is look for a credential federation service that allows your customers to use a higher-velocity trusted credential they already have. Check out SecureKey Concierge, which works with the largest financial institutions in Canada and secures millions of credentials for citizens for high assurance use cases. Facebook Connect and Google Connect are good alternatives if your service does not require high assurance.
Make sure user motivation is matched to the assurance level you require. If you require high assurance but your credential is not one the customer really cares about, then the attack surface is enlarged. Crooks can take over the account, and your customer may not notice right away, or may mistake the account takeover for a forgotten password and never report the lost access to you. The crook carries on using the account while the customer diverts to your more expensive channels.
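To make the velocity metric concrete, here is an added example (not code from the original post or from SecureKey) that derives a per-user velocity bucket from login history and pairs it with the assurance level the SDO requires, so that low-velocity users on a high-assurance service are flagged as candidates for a federated credential rather than for stricter password rules. The login events, the gap thresholds and the recommendation labels are constructed assumptions for illustration.

```python
"""Credential-velocity scoring from login history.

Added example, not part of the original post or SecureKey's products.
The sample events and the day thresholds below are constructed assumptions.
"""
from datetime import datetime
from statistics import median

# Constructed sample login events: (user_id, ISO-8601 timestamp of a successful login).
SAMPLE_LOGINS = [
    ("alice", "2024-01-02T08:00:00"), ("alice", "2024-01-09T08:05:00"),
    ("alice", "2024-01-16T07:58:00"), ("alice", "2024-01-23T08:10:00"),
    ("alice", "2024-01-30T08:01:00"), ("alice", "2024-02-06T08:00:00"),
    ("bob",   "2023-03-15T12:00:00"), ("bob",   "2023-09-20T09:30:00"),
    ("bob",   "2024-02-01T17:45:00"),
    ("carol", "2024-02-05T10:00:00"),
]

# Assumed buckets, expressed as the median gap between logins in days.
HIGH_VELOCITY_MAX_GAP_DAYS = 14
LOW_VELOCITY_MIN_GAP_DAYS = 60


def login_gaps_days(events, user_id):
    """Return the inter-login gaps (in days) for one user, in chronological order."""
    stamps = sorted(datetime.fromisoformat(ts) for uid, ts in events if uid == user_id)
    return [(b - a).total_seconds() / 86400 for a, b in zip(stamps, stamps[1:])]


def classify_velocity(events, user_id):
    """Bucket a user into 'high', 'medium' or 'low' velocity by median login gap.
    A user with fewer than two logins has no gap to measure and is treated as low."""
    gaps = login_gaps_days(events, user_id)
    if not gaps:
        return "low"
    gap = median(gaps)
    if gap <= HIGH_VELOCITY_MAX_GAP_DAYS:
        return "high"
    if gap >= LOW_VELOCITY_MIN_GAP_DAYS:
        return "low"
    return "medium"


def recommend(events, user_id, required_assurance):
    """Combine velocity with the assurance level the SDO requires ('low' or 'high').

    Low velocity on a high-assurance service is the case the post says password
    rules cannot fix, so the recommendation is to federate to a trusted credential
    the customer already uses often. Low velocity on a low-assurance service can
    use a social login instead. Everyone else can keep a local credential.
    """
    velocity = classify_velocity(events, user_id)
    if velocity == "low" and required_assurance == "high":
        return "federate"
    if velocity == "low":
        return "social-login"
    return "local-credential"


def velocity_report(events, required_assurance):
    """Map every user in the event list to (velocity bucket, recommendation)."""
    users = sorted({uid for uid, _ in events})
    return {u: (classify_velocity(events, u), recommend(events, u, required_assurance))
            for u in users}


if __name__ == "__main__":
    for user, (vel, rec) in velocity_report(SAMPLE_LOGINS, "high").items():
        print(f"{user:6s} velocity={vel:6s} recommendation={rec}")
```

On the constructed data, alice logs in weekly and keeps a local credential, while bob (two logins months apart) and carol (a single login) are low velocity and, on a high-assurance service, are routed to federation. In production the same calculation would run over the SDO's own authentication logs, and the thresholds would be tuned to the service's actual usage pattern.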