E-BOOK
CUSTOMER ENGAGEMENT STARTS WITH SINGLE SIGN-ON (BUT IT DOESN’T END THERE) ANSWERING HIGH EXPECTATIONS WITH 03 CUSTOMER SSO
05 EXCEED EXPECTATIONS WITH CUSTOMER SSO
SSO IS WINNING THE CUSTOMER 07 EXPERIENCE BATTLE
TABLE OF 10 TODAY’S STANDARDS & WHY THEY MATTER
CONTENTS 12 SSO AND YOUR MOBILE CUSTOMERS
15 STEP-UP AUTHENTICATION
17 CIAM SOLUTIONS GO BEYOND SSO ANSWERING HIGH EXPECTATIONS WITH CUSTOMER SSO ANSWERING HIGH EXPECTATIONS WITH CUSTOMER SSO
CUSTOMER EXPECTATIONS ARE HIGHER THAN THEY’VE EVER BEEN.
This is true not only as it relates to the quality and relevance of products and services, but also for the quality and relevance of your customers’ experience with your brand. They expect secure, seamless and consistent interactions, regardless of the channel or application they’re using.
Authentication is an easy place to fall short, since your customers have to sign on and authenticate every time they interact with your digital properties. If a customer has to create and remember multiple login credentials to access the various channels, applications or services you offer, they’ll quickly get frustrated.
Many companies begin their customer identity and access management (customer IAM or CIAM) journey by providing single-sign on (SSO). Single sign-on is a great first step and critical to making your customers’ authentication experience as convenient as possible. But SSO is just one small piece of the puzzle.
Your enterprise will likely outgrow the need to only provide SSO to in-house applications. As you integrate with more and more internal and third-party apps, you’ll quickly find that managing access on your own is no longer realistic and hinders your speed to market.
Implementing a federated SSO solution allows you to accelerate new offerings, while also delivering consistent and secure experiences to your customers. The Ping Identity Platform does this and more with its standards-based, customer IAM platform.
E-BOOK CUSTOMER ENGAGEMENT STARTS WITH SINGLE SIGN-ON 4 EXCEED EXPECTATIONS WITH CUSTOMER SSO EXCEED EXPECTATIONS WITH CUSTOMER SSO
SSO DRIVES CUSTOMER EXPERIENCE & REVENUE FASTER TIME TO MARKET FOLLOWING M&A Eliminating the need for repeated user sign-ons is one of the top reasons to implement ACTIVITY a customer IAM platform. SSO increases user satisfaction and enhances security Many Ping Identity customers mention the ability to more quickly deploy revenue- by eliminating password sprawl. It can also have a direct impact on improving the generating applications following mergers and acquisitions. One customer says: customer experience and driving revenue, according to Ping Identity Platform users.
“If we have an application serviced by an external
INCREMENTAL REVENUE FROM IMPROVED third party, we can integrate the application using CUSTOMER ENROLLMENT RATES Ping, so the customer never knows that there’s a third The Ping Identity Platform offers federated SSO, as well as many other customer- party involved, and the interface has the look and feel specific identity management capabilities. Leading enterprises praise its ability consistent with the rest of our website. This would be to enable more seamless enrollment into customer-facing applications. One Ping extremely challenging to do in-house on our own.” customer explains:
Several customers called out the ability to quickly integrate and then white- “We’re a diversified company and have certain applications label applications with revenue impact as a notable benefit of the Ping Identity for which it would be unacceptable for the customer to fill out Platform. For example, an enterprise can align with a business partner to offer their information every time they wanted to initiate access to services under a revenue-sharing arrangement, while maintaining its branding a specific product or service. We couldn’t make our customers on the product. re-enter that information every time. With Ping, we’ve been able to quickly integrate applications.”
Other customers noted that integrating customer enrollment applications enabled them to decrease their sales cycle.
E-BOOK CUSTOMER ENGAGEMENT STARTS WITH SINGLE SIGN-ON 6 SSO IS WINNING THE CUSTOMER EXPERIENCE BATTLE SSO IS WINNING THE CUSTOMER EXPERIENCE BATTLE
In this age when customer experience is king, customer IAM is critical. If your customers can’t easily register, sign on for services or conduct transactions, then it really doesn’t matter how your website, mobile app, services or support channels are built. And if your customers aren’t satisfied with their interactions with your brand across channels, they can and will move on to your competition.
If there’s one thing customers hate it’s managing passwords. The fatigue of trying to remember dozens of login credentials can lead customers to write passwords down, reuse passwords across multiple sites and take part in other insecure practices. Aside from this all-too-common reality, relying on passwords alone can also increase your abandonment rates, leading to lost revenue. There’s a real possibility your customers may not complete transactions if they can’t remember their login password. Or they may not register at all if they don’t want to create yet another password they’ll have to remember.
This is where federated SSO really shines. It plays a critical role in delivering a seamless authentication experience across all of your digital properties. It can even include features like social login that allow your customers to leverage their credentials from sites like Facebook and Google. Providing these capabilities for your customers speaks volumes. It says you want to make things simple, convenient and secure. That makes for happy customers.
On the other hand, not investing in customer IAM and federated SSO can jeopardize your relationship with your customers. Their tolerance for clunky, disjointed experiences is dwindling as more and more companies—including your competitors—are providing the seamless experiences customers expect. By not providing federated SSO, you may be sending the unintended message that the customer experience isn’t important to you and unwittingly aiding those same competitors.
E-BOOK CUSTOMER ENGAGEMENT STARTS WITH SINGLE SIGN-ON 8 SSO IS WINNING THE CUSTOMER EXPERIENCE BATTLE
BASIC SSO FEDERATED SSO Commonly known as password replay, basic SSO is based on two concepts. The first is Federation is the ability for a user to authenticate (or prove they are who they say they are) just password vaulting. This is the storage of the user’s password in a directory or password once, and then use that authenticated session to access all of the applications they’re authorized to vault, that’s usually cloud-based. It’s risky, because if that vault is ever compromised, all use. For federation to work, a trust relationship between an organization and an external third party, of the passwords become vulnerable, even if they’re encrypted. such as an application vendor or partner, must be established through standard protocols.
The second concept is password replay, where passwords are retrieved from the vault This method has one critical advantage over password replay. Rather than storing and forwarding and replayed to the web application. While convenient, this approach isn’t as secure as many usernames and passwords, federated SSO replaces passwords with signed assertions or federated SSO. Keeping the passwords synchronized across all of the applications can tokens. Using identity standards, like Security Assertion Markup Language (SAML), OAuth, OpenID be problematic and expensive, particularly when manual password resets are involved. Connect and SCIM, federation allows for the secure transmission of user access and provisioning Plus, the practice of password reuse is still possible, presenting additional security risk. information. This safeguards web and mobile applications, as well as the APIs that support them.
E-BOOK CUSTOMER ENGAGEMENT STARTS WITH SINGLE SIGN-ON 9 TODAY’S STANDARDS AND WHY THEY MATTER TODAY’S STANDARDS & WHY THEY MATTER
Identity federation standards are an essential part of implementing scalable and secure SAML federated identity across an organization. Not only do they reduce the integration efforts SAML is an open XML standard for exchanging authentication and authorization of between multiple organizations when sharing applications and data, but they also bring data between an identity provider and a service provider. It enables federation so that security to any device, browser or client that’s accessing information from applications. For organizations can safely share identity information across domains. this reason, embracing standards is also key to reducing time-to-market for new applications. OAUTH 2.0 Each standard uses a different approach to sharing and managing customer identity data, OAuth 2.0 is the industry-leading standard for enabling access to APIs. Simply put, it’s a scopes, credentials and more. So your CIAM solution should provide support for multiple standard framework that allows an application to securely access resources on behalf of the standards, including: user without requiring their password. This open authorization also lets the user understand what kinds of access and information the application is requesting, and then provide consent. SCIM The System for Cross-domain Identity Management was developed in 2011, using OPENID CONNECT modern protocols like REST and JSON in order to reduce complexity and provide a more OpenID Connect adds an identity layer to OAuth 2.0 and simplifies existing federation straightforward approach to user management. The adoption of SCIM allows easier, more specifications. It enables identity federation, as well as delegated authorization, and it powerful and standardized communication between identity data stores. includes other features and mechanisms that enhance dynamic interoperability.
E-BOOK CUSTOMER ENGAGEMENT STARTS WITH SINGLE SIGN-ON 11 SSO AND YOUR MOBILE CUSTOMERS SSO AND YOUR MOBILE CUSTOMERS
When addressing customer experience, you must consider the WORLDWIDE MOBILE APP REVENUES IN 2015, 2016 AND 2020 mobile experience, too. Customers expect to do more and more (IN BILLION U.S. DOLLARS) with their mobile devices—including making purchases and other revenue-generating activities. They don’t want to fuss with remembering passwords and won’t tolerate clunky login procedures. And regardless of how many separate development teams it took you to develop your mobile app and other digital properties, your customers expect their authentication experiences to be consistent across all of them.
To be relevant in a mobile channel requires speed. People immediately reach for their phones when they want something and expect immediate gratification. If you provide a fluid, seamless and secure user experience with SSO, customer engagement is yours for the taking. But if your mobile authentication experience is poor or different from that of your other channels, your customers won’t stick around. It’s that simple.
High-profile retailers, like Wawa, Starbucks and Chick-fil-A, say that Source: Statista the SSO capability in their customer IAM solutions is critical to providing a good mobile experience and driving increased customer engagement. These leaders are paving the way with best practices for SSO mobility.
E-BOOK CUSTOMER ENGAGEMENT STARTS WITH SINGLE SIGN-ON 13 SSO AND YOUR MOBILE CUSTOMERS
Before they launched their mobile app, Wawa had primarily one-sided communication with its customers. As a top convenience retailer, Wawa worked hard to ensure that convenience translated to its mobile application; multiple sign-ons were not an option. While the initial rollout goal was 350,000 users, the end goal is 2 million fully engaged mobile customers. WAWA: A (MOBILE) CUSTOMER SSO SUCCESS Wawa is a 100-year-old, $9.3 billion convenience store retailer on the East Coast who “We needed to make sure there was a simple authentication method, basically some decided to meet its customers where they are—on the road in search of gasoline and sort of user ID and password, with [federated] tokens, so users don’t have to always snacks. Eric Barnes, Wawa’s applications manager, says that customers had been sign on to the app,” says Barnes. “For example, if a user just wants to jump on to asking for a loyalty program and a more convenient way to pay for purchases. find a store location, no sign-on is necessary. But if they want to add a credit card or A mobile app was just the ticket, but it had to be easy to use. change information in their profile, there’s a secure yet seamless method for that. As consumers use all the different features, they are constantly authenticated back within the application.” “We have a very strong customer following. With mobile engagement, we wanted to interact with The user has one set of credentials and signs on to the app just once. But on the customers on a more personal level and give them back end, the CIAM solution manages multiple credentials, including those from third parties, like Wawa’s loyalty program provider. more capabilities, including the ability to check
gas prices and find the nearest Wawa.” “We have ease of use, single sign-on for the front end of the customer. And it’s very - ERIC BARNES, Wawa Application Manager fast in responding,” says Barnes. “For Wawa, customer SSO is the very foundation of an engaging mobile experience.”
E-BOOK CUSTOMER ENGAGEMENT STARTS WITH SINGLE SIGN-ON 14 STEP-UP AUTHENTICATION STEP-UP AUTHENTICATION
STEP-UP AUTHENTICATION BALANCES SECURITY Furthermore, authenticating via SMS has been deemed insecure by the National WITH CONVENIENCE Institute of Standards and Technology (NIST), as SMS messages can easily be Multi-factor authentication (MFA) and federated SSO go hand-in-hand in delivering an intercepted by hackers. optimal user experience. To provide the simplest experience with the least amount of friction, many leading digital businesses utilize social login or require a username and When providing MFA for customers, it’s most desirable to offer a solution embedded password as a first means of authentication. This is a great entry point for access to low- into your own mobile application. This is not only secure and on brand, but it also adds risk applications, services and activities. value to your mobile app by turning it into a secure additional factor. Going a step further and using contextual, adaptive authentication with multi-factor authentication As the customer moves along their journey, adaptive authentication offers a way to helps to mitigate risk without inconveniencing customers, providing the optimal evaluate the risk associated with additional interactions and step up authentication only balance between security and customer experience. when needed. Adaptive authentication uses data points—like IP addresses, geolocation, transaction details, risk-based authentication (RBA) and other behavior patterns—to determine the level of risk. Then, it matches that level of risk to the level of assurance attained during authentication. A username and password may have a low level of assurance, while MFA may yield a higher level of assurance.
For example, if a customer signs on to an investment application to simply browse public stock information, their credentials alone may be enough to get them access. However, if they attempt to sell or purchase stock, that riskier transaction can trigger a requirement for MFA to attain a higher level of assurance about the user’s identity. If they then try to sell another stock a few minutes later and from the same device, MFA likely won’t be required because that higher level of assurance will still exist. This is just one example, but it illustrates how adaptive authentication allows you to selectively step-up authentication using a risk-based approach.
Selecting what MFA method/s to offer is an important decision. For customers, standard MFA simply won’t work. Customers aren’t willing to download a third-party MFA application.
E-BOOK CUSTOMER ENGAGEMENT STARTS WITH SINGLE SIGN-ON 16 CIAM SOLUTIONS GO BEYOND SSO CIAM SOLUTIONS GO BEYOND SSO
As crucial as SSO is to your customer experience, it’s only the first step. Your customer expectations for a secure and seamless experience extend well beyond their initial sign on.
If your customers update a preference or detail on one channel, they expect it to apply or be accessible to any other channel. You accomplish this through a unified customer profile. Purpose-built customer IAM solutions can work with your enterprise’s existing infrastructure to help you create a secure, scalable unified profile through bidirectional synchronizations and migrations of your existing customer data.
Your customer data also needs to be secured from authentication to the data layer. You must provide a convenient and secure MFA solution for customers that doesn’t require them to download a third-party app, because they usually won’t. You must also secure access to resources, encrypting customer data end to end and providing other security capabilities to protect your customer data and prevent breaches.
Aside from allowing you to deliver an exceptional customer experience, CIAM facilitates your ability to meet the requirements of increasingly diverse privacy regulations. A modern solution will provide attribute-by-attribute data access governance, enforcing customer consent and giving customers control over and insight into who their data is being shared with. It will also be flexible to address the scale and performance requirements needed to support thousands or millions of users, while providing the flexibility to support changing and unpredictable user behaviors.
All of these customer IAM capabilities are critical for today’s customer-facing enterprises and can help ensure your competitive advantage for years to come. To learn more about CIAM solutions, read our Ultimate Guide to Customer IAM.
E-BOOK CUSTOMER ENGAGEMENT STARTS WITH SINGLE SIGN-ON 18
Ping Identity envisions a digital world powered by identity. As the identity security company, we simplify how the world’s largest organizations prevent security breaches, increase employee and partner productivity and provide personalized customer experiences. Enterprises choose Ping for our identity expertise, open standards leadership, partnership with companies like Microsoft, Amazon and Google, and collaboration with customers like Boeing, Cisco, Disney, GE, Kraft Foods, Walgreens and over half of the Fortune 100. Visit pingidentity.com.
#3005 | 08.17 | v01