When companies design security protocols, they should not sacrifice security and protection for customer convenience; they should strive for both. Do not expect 100 percent perfection in designing and deploying firewalls and other security solutions. Keep board members informed and accountable on security issues at all times. The effects of a breach reach beyond the people whose data is directly exposed. And although new authentication methods are being deployed that could one day bring about the demise of alphanumeric passwords, passwords will likely remain part of the login experience for some time, with opinions differing on how long.
These are a few of the themes that emerged when security and identity company Averon recently convened C-suite executives and technology thought leaders in New York City for a wide-ranging dinner discussion on how companies balance identity, privacy and a good customer experience, along with some prognostication about where authentication is heading.
The off-the-record dinner, hosted June 27 by Averon's Wendell Brown, co-founder and CEO, and Mark Herschberg, CTO, at Andaz 5th Avenue, brought together representatives of industries including blockchain, crypto, finance, non-profits, academia, health insurance, identity, publishing, technology, and venture capital.
CTOs today face the challenge of ensuring security without creating an inefficient user experience, especially since complicated flows such as two-factor authentication (2FA) can lead to low adoption and, in turn, weaker security. Product managers, on the other hand, are designing technology products for mobility and efficiency. Their objective is to enhance the user experience, but they too are challenged to build products that are secure without causing frustration.
Companies have to walk a fine line to serve both of these critical areas, while also recognizing that the public is reaching, or as some participants noted has already reached, breach fatigue, with news seemingly every day of another company being hacked.
The group noted that security teams and management should not expect 100 percent perfection in designing and deploying firewalls and other protections. As long as a company is transparent with its customers and employees that zero breaches is an unattainable target, it shows good faith in doing all it can to protect its customers and its internal business. Missteps will occur and nothing will ever be 100 percent perfect, and security should be designed with that in mind.
Passwords, 2FA, biometrics, blockchain: each of these authentication strategies has its upsides as well as its challenges and frustrations, the group concluded. Privacy concerns have recently ratcheted up globally and have been a steady presence in the news. Privacy is fundamental to the flow of activity in the marketplace, the group noted, and transparency from companies is critical to it.
On data privacy, some admitted that they don't mind if certain things (their favorite wine, for example) are revealed online for simple marketing purposes, but the consensus among the group was that the focus should be on what is most concerning to people and companies, such as the growing exposure of financial data online.
As one person noted, all hacks impact customers of a company, even if the hacks don't directly involve them: "We've socialized all these things. We are all paying for it (credit card fees, etc.). The conversation has to be elevated. There's no discourse for these failures. We're all paying for (these company hacks). We're socializing these losses."
Others noted that some may be willing to give up a bit of privacy if the experience is more seamless and easier to navigate.
One possible way to help customers decide which digital products to download and engage with would be a standardized cybersecurity rating for apps, similar to the ratings used for restaurants or for automobile safety. It would give customers a transparent, easy basis for deciding whether or not to download an app without having to wade through reviews, which can themselves be suspect.
Regarding board members, the group consensus was that boards should be accountable for security measures. It is important to educate board members, keep them informed on security matters and maintain a constant dialogue with them. It is also important to be transparent both internally and with customers. If a breach occurs, own it and communicate it internally to the company and externally to customers through whatever public channels are necessary. Bring the board into the process from the start as the internal and external strategies are built.
Closing out the evening, the group was asked to predict when alphanumeric passwords would end. Answers ranged from two to three years (for more progressive, newer companies unencumbered by legacy technology) to 40 years (for those anchored to tradition). The typical estimate was five to ten years, with some feeling that passwords may never entirely go away.