Customer experience and cybersecurity, frequently considered separate disciplines, are actually closely connected.
“They actually are two sides of the same coin. You can’t have a good user experience,” said Sean Frazier, the chief security officer at Okta. “Having strong security constructs is actually part and parcel of good user experience.”
One simple reason is that leaving constituents’ identities and data open to purloining is not good user experience. So cybersecurity is a given. The challenge for agencies is providing what Frazier called good security user experience – and avoiding complicated login and authentication procedures that become a turnoff.
Frazier said that authentication without traditional passwords, long a pursuit of organizations offering online services, is now possible. For employees, federal agencies are already going password-less. That’s thanks to smart cards and the amount of personal, corroborating data about each employee an agency can store.
Still, he added, “I think agencies should really be focusing on, how do we get away from the password. There’s a lot of good technology over the last handful of years that has helped us do that.” Plus, Frazier said, open security standards – in particular FIDO2 – have developed in the banking and other consumer industries that seek to smooth the customer experience and safeguard data.
FIDO, which stands for Fast Identity Online, is a system for two-factor authentication that uses interaction between a user’s device, such as a smart phone or notebook computer, and the organization’s website.
Implementation of these standards centers on smart phones and a biometric factor such as fingerprint or face. Government must “leverage these technologies that people have in their commercial world to get rid of that darn password,” Frazier said.
Authentication implies initially having people prove who they say they are. That can be cumbersome for the organization and for the constituent.
“Identity proofing is a super important aspect,” Frazier said. “But it also has to have less friction for the user. We can’t layer on an identity proofing solution and require that user to go through all these steps.”
The key is use of third-party data providers, such as Lexis-Nexis, which have storehouses of vetted identity information. Okta, Frazier said, blends such data sources with its own FIDO2 authentication service to offer what he called “this big identity API [application programming interface] in the cloud.” Okta’s API enablement, he added, lets the company adapt to whatever new, frictionless authentication system might come along.
Offload to the cloud
Using cloud-hosted solutions also offloads much of the administrative work of operating public-facing authentication systems, Frazier said.
“To me, it’s more about focus, it’s allowing the agency to focus on what they do for a living and not become an IT shop,” he said.
Many agencies have focused on two-factor authentication, such as sending a one-time code to the user’s email after the user has partly logged on with a password. Frazier said that, while multi-factor authentication improves security, it’s really a stop-gap measure en route to a no-password future.
“Not every multi factor authentication is created equal,” he said. In areas where smart phones are scarce, organizations might rely on an SMS text as the second factor. Frazier said the federal government is obligated to use higher-level, phishing-resistant factors known as universal second factors, or U2F.
“Now we’ve solved the password problem by adding multi factor, [hackers’] next level is to try to attack multi factor,” Frazier said. “So we have to be able to provide a stronger multifactor, which is that phishing resistant capability.” Frazier cited fingerprint sign-on to a computer, enabling the user to go further online. It cannot be duplicated by a malicious third party. In fact, he said, for this reason biometrics are making a comeback, used by giants such as Apple, Microsoft and Google.
Also important to the user experience is the idea of continuous authentication or continuous validation, Frazier said.
“As long as my posture doesn’t change, meaning my device is in the same place, I’m logging in the same way, all these things look exactly the same, then [the system is] not going to prompt me for anything,” Frazier said. But should the device try to log on from a distant location, the authentication system can add “friction” by requiring more information.
Regardless, the authentication system Frazier described dispenses with USB devices such as YubiKeys or authenticator apps, although that option is available for privileged accounts such as those of systems administrators.
“The beauty of it,” he said, “is this technology that’s built into almost every commercial endpoint that folks would potentially use.”