Some online experiences are so bad that 25% of users abandon an application after first use and never return. To avoid this retention problem, you should offer better engagement to your customers during their authentication and authorization process. Engage is the second of four building blocks essential for successful consumer identity and access management, or CIAM. This step comes after Capture, which we discussed in this blog, and before Manage and Admin.

During Engage, you build a progressive, repeatable connection with your consumers while obtaining data. This is important no matter whether you’re selling products, hosting events or setting up regular emails. Whatever you sell, you need this personalized and trusted engagement. It’ll help your brand and your business to thrive and have long-term success. With the Engage part of CIAM, you can reach that goal. Here’s why you need this advantage and how to get there.

Single Tool, One Sign-On for Efficient and Private CIAM

Whether you’re a line-of-business manager, developer, IT worker or privacy officer, the Engage building block is essential to improving your CIAM. It will help you establish and follow a system to solicit personal data. From there, you’re in control over the level of trust required to execute against a selected use case. You can have a check-in process as simple as a password. In addition, you can include other safety measures for more compliance, provisioning, management and reporting during Engage.

This building block is key for maintaining one genuine ID for each user. In the best case, your consumers will deepen their connection with you and sign up for more services, products and campaigns. As they do, it’s ideal that they have just one account with you. By avoiding redundant accounts, it’s easier for your users and you to keep track of what they’re doing.


Building CIAM and Moving Beyond Marketing

Remember, this building block of CIAM is more than just engagement for buying products or promoting campaigns. For example, if you’re leading a government agency, you must provide public services to citizens and modernize engagement across a vast span of user preferences and channels. Though government agencies often lack a true marketing function, Engage still gives managers a process and mechanism to collect user data needed to be more efficient. It’s a truly versatile building block to add to the way you work.

Your decisions on these and other details when in the Engage process of the CIAM can be good for both you and your customers. You get a consolidated view of identity data across all forms of contact to properly understand your customers and their desires for effective cross-sell or upsell opportunities. In turn, your customers recognize the safeguards you’re taking for their privacy and can feel more confident in giving you more personally identifiable information (PII) as your business relationship evolves.

Achieving security during Engage is important. At the same time, you want to cultivate a long-term relationship with the vast majority of your users who are just trying to interact with you in the process. So, set a level of security with users that’s conducive rather than obtrusive.

The Basics of Login and Logout

Our Capture blog discussed the two ways customers first register with a CIAM system. Traditional registration has users validate an email address and set a password, which together serve as fraud checks. Alternatively, users can grant you access to their PII from one of their social media accounts, such as LinkedIn. Either form of registration can serve as the basis for your users’ login process, which includes the following methods:

  • Multifactor authentication (MFA) — two or more pieces of evidence proving the user is who they say they are, such as a credential-based login followed by a one-time password over text message
  • Passwordless authentication — a single sign-on (SSO), such as a social media login or a QR code, which also enables custom branding for your organization

Mix and Match … But Remember the Basics

You can combine these options from your CIAM solution as needed. Just determine which is best to use for targeting the types of customers you seek and the PII you want from them, such as:

  • Mobile phone number
  • Social media login and approval
  • Consumer privacy and consent management, including ID proofing.

For returning users, you should also choose a lockout workflow that covers a forgotten username or password. This gives users a convenient reminder and a way to reset their credentials if needed. For example, you can send a one-time password through text or email to confirm their identity and prevent a lockout.

Another common lockout method that protects against fraud is the step-up policy. With this, you ask users to answer a set of questions whose answers must match those on file before the account is verified. Your step-up policy should state its rules to users upfront, such as the number of login tries they’re allowed. Many organizations are looking to phase out knowledge-based questions in favor of more modern, secure options for ID verification, such as mobile push notifications or time-based one-time passcodes.

Mind the Logout

In addition, you should choose a single logout approach. For example, a time-bound logout tells users they have a certain number of minutes or seconds left before their authentication, and with it their access to your website, ends.
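The lockout workflow, one-time-password reset and time-bound logout described above, as an added Python example that is not code from the original post or from any CIAM product. The try limit, one-time password lifetime and session length are assumed values, and delivery of the code by text or email is left to the caller.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

MAX_TRIES = 3        # assumed limit; the page says to tell users this rule upfront
OTP_TTL = 300        # assumed: one-time password valid for 5 minutes
SESSION_TTL = 900    # assumed: time-bound logout after 15 minutes
@dataclass
class Account:
    pw_hash: bytes
    salt: bytes
    failed: int = 0
    locked: bool = False
    otp_hash: bytes = b""    # hash of the pending one-time password, never the code itself
    otp_expires: float = 0.0
def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)
def create_account(password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(_hash(password, salt), salt)

def login(acct: Account, password: str, now: float) -> dict:
    if acct.locked:                      # stays locked until the step-up reset succeeds
        return {"status": "locked"}
    if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        acct.failed = 0
        return {"status": "ok", "session_expires": now + SESSION_TTL}
    acct.failed += 1
    if acct.failed >= MAX_TRIES:
        acct.locked = True
        return {"status": "locked"}
    return {"status": "retry", "tries_left": MAX_TRIES - acct.failed}

def issue_otp(acct: Account, now: float) -> str:
    # Step-up for a locked account: the caller delivers the code out of band (text or email).
    code = f"{secrets.randbelow(10**6):06d}"
    acct.otp_hash, acct.otp_expires = _hash(code, acct.salt), now + OTP_TTL
    return code

def reset_with_otp(acct: Account, code: str, new_password: str, now: float) -> bool:
    valid = bool(acct.otp_hash) and now <= acct.otp_expires
    if not valid or not hmac.compare_digest(_hash(code, acct.salt), acct.otp_hash):
        return False
    acct.salt, acct.otp_hash = secrets.token_bytes(16), b""   # code is single-use
    acct.pw_hash = _hash(new_password, acct.salt)
    acct.failed, acct.locked = 0, False
    return True

def seconds_left(session: dict, now: float) -> int:
    # Time-bound logout: the countdown shown to the user; 0 means the session has ended.
    return max(0, int(session["session_expires"] - now))
```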

Determine which of these CIAM authentication and notification policies and protocols result in a process that can produce the least amount of friction for your users. Remember, you want trust and transparency so that you can sustain a relationship with your consumers.

CIAM’s Goal: Retain Users and Their Data

Engage is about more than just shaking virtual hands with your customers. Users should feel empowered and safe during login and security checks. You, in turn, should be able to create a process that inspires trust and at the same time gives you more ways to do business with those users.

When CIAM is implemented with the right strategy and a sense of purpose, organizations like yours can maximize their engagement with consumers while minimizing risks for IT and security personnel. That setup leads to another essential building block of CIAM you need, Manage, which we’ll cover in the next blog entry.

