In today’s digital ecosystem, users are accustomed to getting what they want, and getting it fast. Our phones unlock at a glance; our laptops unlock with the swipe of a finger across a scanner, or because they recognize the presence of the PIN-secured watch on our wrist. Research has shown that this kind of connectivity is not only convenient for users but also an important security element for the end user.
Allowing users to access secure files, webpages, or systems without needing to enter passwords, filling out Captchas, or undergoing other manual security steps is part of what is called “zero friction” cybersecurity. And these methods are more than just convenient: they can often be more effective at preventing fraud than some traditional methods.
At the RH-ISAC’s recent CISO Executive Roundtable, sponsored by Shape Security, security executives from some of the industry’s leading companies shared their experiences on the fraud implications of the mass digital adoption due to the global pandemic. The need to mitigate bot activity was a major source of discussion among participants.
Captchas are a traditional method of bot mitigation. In theory, they prevent bots from entering the system because completing them generally requires human interpretive intelligence. In practice, they can be beaten by brute force: a botnet hitting a page thousands and thousands of times in the hope that some of its random selections will pick the correct image or entry.
Traditional cybersecurity thinking held that additional user friction was an inevitable byproduct of security measures: security required users to suffer through additional steps to add security layers, for example longer passwords that they would need to update more frequently. In some cases this is still true, but lower (or zero) friction security measures that use biometric information, that recognize known devices, or that allow for other nontraditional authentication methods can give the user the best of both worlds: easier access for legitimate users and greater difficulty for illegitimate access. Think about your Gmail or Facebook accounts. When was the last time you used your passwords there? For some of you, it has likely been quite a while, at least on your personal machine, because those sites have implemented long-lived sessions on recognized devices, making the act of logging in from a trusted device relatively effortless.
There is another side to this as well. Security measures that are effective in stopping bots or malicious actors may also impede legitimate customers. Sumit Agarwal, VP of analytics products at F5 and co-founder of Shape Security, shared some insightful metrics during his presentation on New Online Fraud Schemes Targeting Retailers and Restaurants. He asserted that every consumer-facing website experiences friction and that about 10% of attempted logins fail enough times to require the user to reset a password. Of those 10%, more than half were legitimate returning customers who simply could not remember their passwords. These users were about half as likely to continue as users who were able to log in without issue.
At its core, this CISO Executive Roundtable discussion showed that cybersecurity does not always have to inconvenience your users, and that just because something is inconvenient does not necessarily mean it is effective. Zero friction cybersecurity can be harder to achieve, but it can pay off both in increasing top line revenue, and in mitigating bot attacks.
RH-ISAC is hosting a series of CISO Executive Roundtable meetings. If you’d like to know more or are interested in attending, contact firstname.lastname@example.org.