If drawing a crowd at Gartner IAM is proof, it’s fair to conclude: identity professionals are hungry to hear from other companies that have crossed the chasm — from risky passwords to passwordless customer authentication. It’s a journey that warrants strategic tips and insights from security experts with hands-on experience, preferably those who’ve achieved large-scale success. And that’s certainly the case with Citigroup.
In a conversational session, “Rolling Out Passwordless to 200 Million Banking Clients in 160 Countries,” Transmit Security’s SVP Field CTO Craig Currim sat down with Citi’s Director and Global Head of Identity & Access Management Engineering Matt Nunn. Gartner organizers said it was in the top three talks at the event.
We certainly couldn’t do it without a customer like Citi, willing to share their story. Matt Nunn gave attendees illuminating and tactical advice, loaded with real-world scenarios. In the session, Citi’s Matt covered:
If you have an all-access pass to Gartner IAM, you can re-play their full session. Or keep reading to get the best highlights of their talk. It’s trimmed down to give you the most valuable information from their Q&A:
Craig Currim with Transmit Security: Matt, tell us, why do you think passwordless matters?
Matt Nunn with Citigroup: If you think of why we had passwords and pins, the reason is: the only interface you had in the computing environment for the individuals to use was a keyboard, right? And you had to have something to try to identify what was going on and how they were interacting.
So if we’re thinking about passwordless, the idea is to expand the scope past that limitation. We’re in a different place now with our devices, services and analytics and on the backend. So if you are still limiting yourself to something that no longer makes sense to secure at scale, get out of that whole routine.
A lot of other passwordless solutions bring them in by saying, “Here’s a password, reset it, and this will be your fallback anytime you have an issue, and if you forget how to get into your account, we’re going to reset with a password.”
Craig: Also, passwordless is one piece to strengthening credentials. There are still many areas in the identity lifecycle that you were thinking about — from account origination and KYC processes to continual risk and analysis. You’re thinking about that holistically.
So let’s introduce FIDO2 and Webauthn, what everybody is talking about. How do you see that? Is that a silver bullet that’s going to help address 80% of the risk?
Matt: You can’t limit the idea on credentials as being the only thing that determines whether or not something is risky. When you try to figure out your risk posture, you say, okay, this is green; we know that. This is red; we know that. We don’t know enough about this middle, and it’s gray. So we’re going to try to figure out how we want to run within that space. And now we’re shifting it. You’re getting a lot more analytics and information.
So instead of just having the green at the front door zero trust identity is in there. And what that means is you’re continuously looking at information along the journey of the individual. You see when they’re coming in, when they’re resetting it, what they’re trying to do. You’ve got passive behavioral biometrics with profiling and all the data analytics on the backend.
You’re enabling those services to make really good judgments and reduce that whole idea of the grey. You have a better idea of the green and the red and a lot less in the middle where you’re willing to balance the equation.
It’s not determined by how good you think you’ve built the systems to communicate with each other. A lot of systems were built one-to-one. And if you leave out the idea that the individual can interface with your backend servers on other devices, you’re missing valuable pieces.
Craig: So what do you see with your user base? Since they’re coming in with FIDO or a stronger level of authentication, which by definition can be multi-factor, does that enable you to carry them into other parts of the journey where you might normally have to challenge them with another form of step-up.
Matt: That’s a good point because, even with OTPs, you’re still interacting with the user through the interface of a keyboard. Instead, you have these devices that are interlocked on the backend that can provide the information across the channel and pop up a challenge to them and have them attest to it, sign it and send it back.
You know, security is like water. If the attackers see something in front of them that’s going to stop them, they are going to flow around it. They’re going to see that you secured this. And it’s a little bit more difficult and they’re going to start to look at the other areas around the whole process to determine how else they can get in and how they can look like good people. If you’re not continuously assessing those things together, you won’t see an attack coming in here.
Craig: Tell me what your approach in non-digital channels? What about the call centers? How do you carry this methodology? What’s your approach there?
Matt: Call centers are doing things like knowledge base questions, security questions, which can be compromised, right? So how do you interact with those individuals so that you increase the security with the capabilities you use in the other areas?
A lot of people look at FIDO, and they think passwordless, right? And if you look at the core capabilities underneath it, it’s stronger than that. But you shouldn’t be doing the enrollment of it based on a password. So you have to plug it, and the enrollment and the resets.
You’re interacting with your clients to say you’re going to see less friction because we’re going to do something securely between your devices in your interfaces; we see you regularly use that, and we will interact with you through those channels, behind the scenes, which is a lot faster if you reset them back to a password, passwords are still going to be a problem.
Craig: So there’s a process of phasing as well. Identity is layered so there’s a lot to consider when you’re looking at building a holistic solution like this. What did you have to think through when it was a build versus buy decision?
Matt: Citi is definitely a large corporation and very complex and when when I’m thinking about build versus buy, I think from a business perspective. Building a one-off proprietary solution is hard to justify when there are solutions on the market. Why are they not good enough so that you need to build your own? It’s not that you can’t. Usually, it’s very expensive, and then you still have to maintain it and iterate on top of it with changes, new standards and update it.
But the real thing you lose is that you are limited to only what you believe the solution should be. There is no other input. So yeah, you can do it. It’s going to be expensive. It’s going to be very difficult to maintain. And you miss out on the input that makes products better on the market because there are other companies using it that give input, and they might have an idea that goes into that product that you didn’t think about. Then that product has a new capability that you just roll out, that enhances your business. It is very hard for a single company to do that.
Craig: What do you see as the barriers to passwordless adoption? Like you said, I think it’s a really great point, passwordless does not always equal FIDO. What if the channel or the device doesn’t support FIDO? People are looking at these standards. They think, “I’ll just go do it myself.” So what do you see as the barriers to implementing passwordless? And then what are the barriers to user adoption?
Matt: So the implementing part, you know, it takes a lot to really get it right. Look at what your current architecture looks like and as you’re rolling this out, you want to be very strategic in your first iterations. Are you trying to increase security and reduce the friction to your customers? What are the pain points? Do you already have an attack vector that you’re trying to solve? Do you already have losses because of SMS OTPs? You have to target specifically where you need to start and then transition.
And if you’re doing it yourself, you’ll take one use case. And then it’s very hard to get the structure right so that you can expand to those other cases in the full lifecycle. So it’s better to have something that has the ability to flex and shift within this design by nature than to try to design that yourself.
Craig: There’s also a uniform way to integrate and have the same user experience across channels and applications. When we were working together, we had to address your many different apps and each one functions differently. So what happens to the user experience? How does that look?
Matt: Yea, it wasn’t just enhancing one channel. [We were] looking at products that cut down the developer lifecycle and overhead to design each channel and in its own way. So not only does it save the developers, but then it’s intuitive to our clients. Whether they’re interacting on their mobile or computer or the web. It’s the same. You want to make it consistent across the board.
I like to say: you want to give the user the ability to choose their own mechanisms. How do they like to interact with you? You don’t want to limit them. You want to give them options, kind of a ‘change your own journey’ book. Do you like biometrics? Do you like push notifications? They’re going to be determining how they like to interact. And if you carry it through all the channels, not only do you get a good experience, it increases the security. So there’s no downside. And they no longer have to be the custodians of passwords, insecure elements that we build identity on.
Craig: What advice do you have for the professionals in identity in the audience who want to embark on this journey?
Matt: The key is to understand your environment and what you really want to achieve. Zero trust for identity is really important. So if you are thinking about an integration at a specific point, don’t limit your scope. Think broader. Think of the other tools that other groups use that can use your data to have better fraud and analytics information to enhance their experience. The whole journey is really important. And even if you’re successful, if you’re able to kind of collaborate and expand the scope, there’s a better narrative for the whole business for the whole company and where you need to go.
Craig: As a customer, you’ve worked with Transmit Security for seven years now. We’ve worked together on many, many projects. Can you share your experience of working with us?
Matt: There are a lot of vendors out there that do a lot of great stuff. I always say it’s important to understand the architecture and understand the products on the market to make sure that you are aligned in terms of where you want to go. And having a partner like Transmit, where they understand and are aligned with such a complex large architecture like we are running in multiple countries with various regulations, is key. The ability to share information and ideas and see where the product should go and have a true partner on that journey with you.
You need to have somebody that really is in the trenches, continually enhancing product with you in this area, and they have to understand the challenges you face.
To sum it up in Craig’s words at Gartner IAM
When we look at identity, we don’t see it as a binary, one-time event. We look at the entire lifecycle of what happens, starting with the first time users interact with your organization. You really need to think about all these different components. Registration, onboarding, identity verification, recovery and continual assessments across this entire journey, so you get a better level of assurance. You can get to know your customer better to ultimately give them a more secure experience and a better user experience.
Modern CIAM services
As you begin your CIAM project, consider every aspect of identity — from password-free logins and real-time risk assessments to unified visibility. Transmit Security CIAM services are cloud-native and purpose-built for enterprise scalability. With developer-friendly APIs, you’ll speed time to market with your passwordless or CIAM initiatives.