Thales | Security for What Matters Most
(Analyst View – Interview with Haider Iqbal and John Tolbert, KuppingerCole)
The shape of digital trust is changing – or rather, declining. Consumer confidence in platforms, transactions, privacy, and data security is slipping fast. The big questions are why, and how can we win it back?
KuppingerCole analyst John Tolbert and Haider Iqbal of Thales unpack the latest Digital Trust Index, revealing just how high the stakes are: when trust falters, business follows, so how can brands turn this trend around?
Trust in digital services is declining across the board, with no industry reaching even 50% in high trust. Why do you think this is happening?
John: Consumers know that the personal information they share with digital services is being used for marketing purposes. However, they are often not comfortable with onward sharing with third-party organizations. But in many jurisdictions, they have no control over this. Users are not free to modify Terms of Service. They see the effects of this unwanted, onward sharing in their inboxes, messaging apps, and social media feeds every day. Consumers are also aware that many of the organizations with which they initially share data are not doing their utmost to protect that data. They read about breaches, get notifications that their data has been involved in breaches, and get offered limited identity monitoring services as a result. The growing lack of security and concern for privacy have eroded, and are continuing to erode, digital trust.
Additionally, many users perceive that customer experience across all industries is sub-optimal and, in some cases, degrading. The continued reliance on passwords, and on password reset policies and procedures, feels like “broken windows” online. Unannounced changes to CIAM systems sometimes necessitate re-registering and sharing personal info all over again. It makes consumers extra wary.
Consumers do encounter sites that do it right, meaning the use of better registration methods, progressive profiling, honest disclosure about information sharing with opt-outs, and more friendly and secure authentication mechanisms such as passkeys. Then they visit other sites that still have antiquated registration and authentication methods and find them lacking.
Haider: Ever heard the phrase, “You are the product!” Perhaps it’s not that bleak, but there’s more than just a hint of truth in that statement. Many organizations are in a race to amass data on their users, sometimes unnecessarily. Consumers are becoming a lot more aware and a lot more stingy, rightfully, in giving up their data too. This behavioral change and general awareness of you being the product is leading to a decline in trust.
With 37% of consumers saying they share data only because they have to, and 33% unsure how it’s even managed, how can brands be more transparent and give people better control over their personal info?
John: Terms of Service should be clear and succinct. Pages of legalese are not only going to make users think “TL;DR”, but will also push some of them away. Provide users with the ability to opt out of detailed data collection and onward data sharing. This is mandatory in some areas, but not all. Having options for the privacy conscious may win their business.
Haider: Terms of Service is just the tip of the iceberg. Responsible brands need to not just genuinely care about personal data privacy, but actually show it too. But how? For starters, how about collecting data progressively? Often called progressive profiling (and we do need to come up with a better name for it), organizations should only collect the bare minimum data that they need for serving the customer. At a later stage of the customer’s journey, if there is a need for more information, it should be done transparently at that point. But at a more strategic level, brands need to think about privacy-by-design – respect customers’ privacy and give them the controls necessary to change their preferences at any stage of their journey.
Banking is still the most trusted sector, but even there, trust is slipping. What lessons can other industries take from banking — both in what it’s doing well and where it’s falling short?
John: Banks and other financial institutions do tend to have better cybersecurity and identity management for two major reasons: regulations are stricter, and attacks on financial infrastructure and customer accounts are directly measurable. The connection between Account Takeovers (ATOs) and the bottom line is crystal clear for banks, but perhaps less so for some other types of organizations.
Several years ago, major global banks made significant investments in Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA), integration with Fraud Reduction Intelligence Platforms (FRIP), and general account security. This improved their overall identity management and security posture and brought them in line with regulations that required at least 2FA. However, many of them have not kept up by shifting away from SMS OTP to passkeys. When consumers can use passkeys at a few leading retailers, for example, then have to log in to their bank with username/password plus SMS OTP, they sense that banks are not on the cutting edge of protecting their accounts anymore.
Haider: If you go back to the inception of banking, it was an institution built foundationally on the notion of trust. And it still is, in the digital age. There’s something really telling in the survey data though – only 32% of those aged 16-24 show trust in banks as opposed to 51% of those aged 51+. For social media companies, while generally low, the trend is the opposite, as the younger generation sits at 7% as opposed to 1.5% for the 55+. So, even the banking sector can’t afford to be complacent. There’s a fine balance between security, privacy and user experience that governs the level of trust. While other industries can learn from banks’ security practices, they have quite a lot to learn from others on better consumer experiences if they want to remain relevant in the future.
Password hassles are pushing people away. 75% want passwordless logins. What’s holding back wider adoption of passwordless and how do we move past those barriers?
John: Budgets, lack of executive buy-in, and lack of awareness of customer preferences or concern about the customer experience are the primary reasons. Budgets for identity management within cybersecurity portfolios have been trending upwards in many organizations, and that is good news. Budgets for CIAM upgrades (passkeys, for example) should be under the purview of the marketing, digital experience, or web development teams. Procuring money for CIAM upgrades should be comparatively easier than for general IT due to the direct revenue generation capability.
Executives may be satisfied with their CIAM but also not realize that the customer experience could be better than what it is currently. IAM and security practitioners should try to keep their management and executive teams informed about CIAM state of the art and emphasize the potential improvement for marketing and thus sales.
It is also possible that organizations are not overly concerned with improving the customer experience, particularly if the organization is well-established, has a loyal clientele, or feels like their customer experience is not only sufficient as is, but is part of their overall brand. In these cases, “comparison shopping” of competitors or organizations in adjacent fields may help sway decision-makers toward improving the customer experience and digital trust.
Haider: When speaking of passwordless adoption, we’re often thinking in terms of adoption by our customers or our own employees. But one group of important users often gets left out – third-party users such as your suppliers, partners, brokers, agents, etc. In a survey of such third-party users, we discovered that 40% of users were resetting their passwords once or twice a month, leaving them frustrated. A lot of the great recommendations shared by John are equally applicable to these third-party users as well. Building a great customer experience is not possible if you have disgruntled employees and third-party users, who are often pivotal in delivering amazing customer experiences. Think about a subcontracted customer support agent taking a call from an agitated customer. The last thing the customer wants to hear from the agent is, “I’m sorry, this might take longer than expected; we’ve run into some ‘technical’ issues,” when behind the scenes, this agent is struggling to find the password to the CRM application! Taking a more holistic approach to implementing passwordless for all user constituencies is likely to produce more transformational results, rather than piecemeal adoption.