Don’t Trade Security, Regulatory Compliance For Speed To Market

Many government agencies and industry consortia are enacting legislation and crafting regulatory standards to protect users and their data.


Digital transformation initiatives are mission-critical for the success of virtually every type of business today. These strategic efforts are aimed at rapid innovation, staying competitive in the marketplace and facilitating engagement with a broader target market and customer base.

In today’s software-driven world, consumers engage with organizations through a wide range of digital channels (voice, email, social, web, mobile, app, IoT, etc.) and through a growing number and diversity of devices. Software development has increasingly shifted to Agile methodologies, where DevOps teams can deliver software value faster, with greater quality and predictability, all at scale. But with development focused so heavily on speed to market, security and regulatory compliance work is often perceived as needlessly slowing DevOps down. Yet because of the sensitive nature of the data transacted and flowing through these digital channels, many government agencies and industry consortia are enacting legislation and crafting regulatory standards to protect users and their data.

Some of the more commonly encountered compliance standards are the personal data privacy protections of the CCPA (California Consumer Privacy Act) and of the GDPR (General Data Protection Regulation), which covers individuals in the European Union. In healthcare, HIPAA (the Health Insurance Portability and Accountability Act of 1996) is a strict U.S. regulation protecting the privacy of patient records. Other frequently encountered requirements come from the payment card industry through PCI DSS (Payment Card Industry Data Security Standard), originally developed by the major card brands to protect against payment fraud, and from PSD2 (the revised EU Payment Services Directive), whose strong customer authentication rules were enacted to make payments by EU consumers more secure.

The challenge is shifting the business mindset to treat compliance-related efforts as strategic, offensive initiatives rather than defensive ones: work that enables the business to deliver better digital products, provide better digital experiences, make better business decisions and contribute to overall corporate success.

One example worth considering is the ubiquitous compliance risk of username-and-password authentication, which has been the foundation of digital identity and security for over 50 years and is still present in most organizations today. A side effect of digital innovation is an ever-growing number of user accounts, which amplifies users’ frustration and the burden of remembering multiple passwords. It is therefore common for them to reuse the same password across accounts or to choose easy-to-remember passwords. Both habits are easy to exploit: a reused password exposes every account to credential stuffing as soon as any one site that stores it is breached, and a memorable password is a guessable one. Beyond a poorer customer experience, the negative impacts include increased support costs for resetting forgotten credentials and locked accounts and, most importantly, the security and compliance risks posed by compromised credentials.

Virtually every security industry survey and report cites compromised username/password credentials, obtained through phishing, credential stuffing and brute force attacks, as the leading source of data breaches (over 80% of hacking-related breaches, according to Verizon’s annual Data Breach Investigations Report, the DBIR), with material negative impacts on regulatory compliance. This also exposes the organization to potentially devastating impacts on revenues, customer relationships, industry status, competitive positioning and beyond.

As such, an initiative gaining tremendous steam is the elimination of username and password credentials for authenticating users in software applications, replacing them with standards-based multi-factor authentication (MFA) such as the specifications developed by the FIDO (Fast IDentity Online) Alliance. In this approach the user is verified locally on the device, by a biometric such as a fingerprint or facial recognition or by a device PIN, and the device authenticates to the service with an asymmetric key pair: the private key never leaves the device, the service stores only the public key, and each login is a signature over a fresh server challenge bound to the service’s origin. There is no shared secret to phish, stuff or brute force, and a copy of the service’s credential store is useless to an attacker. PSD2’s strong customer authentication (SCA) rules require multi-factor authentication for most electronic payments, which FIDO-style authentication satisfies. Industry predictions are that by the end of this year (2021) there will be over a billion devices with biometric authentication built in, so this trend is likely to keep gaining momentum.
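As an added illustration that is not part of the original post and is not Nok Nok Labs’ or the FIDO Alliance’s code, the Go program below models the registration and login flow just described with plain ECDSA over P-256 from the standard library. The origins `bank.example` and `bank-example.login.test`, the user `alice` and all function names are hypothetical; the `userVerified` flag stands in for the on-device biometric or PIN match, and the origin string passed to `sign` stands in for the origin the browser would report. Real FIDO2/WebAuthn adds attestation, signature counters and CBOR-encoded messages, which this model omits.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Hypothetical origins: the genuine service and a look-alike phishing site.
const realRP, evilRP = "bank.example", "bank-example.login.test"

// Relying party (the service): only public keys and consumed challenges, no shared secret to steal.
type relyingParty struct {
	id    string
	creds map[string]*ecdsa.PublicKey // username -> public key
	used  map[string]bool             // consumed challenges, to reject replay
}

func newRelyingParty(id string) *relyingParty {
	return &relyingParty{id: id, creds: map[string]*ecdsa.PublicKey{}, used: map[string]bool{}}
}

// The user's device: one key pair per origin; private keys never leave it.
type authenticator map[string]*ecdsa.PrivateKey

// Registration: the device mints a key pair for this origin and sends only the public half.
func register(rp *relyingParty, auth authenticator, user string) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // demo only; a real server would return the error
	}
	auth[rp.id] = priv
	rp.creds[user] = &priv.PublicKey
}

// A fresh random challenge for every login attempt.
func newChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// The signed message binds the origin the browser reports, so a signature for one origin cannot be relayed to another.
func assertionMessage(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write(challenge)
	return h.Sum(nil)
}

// userVerified stands in for a successful on-device biometric or PIN check.
func (a authenticator) sign(origin string, challenge []byte, userVerified bool) ([]byte, error) {
	if !userVerified {
		return nil, fmt.Errorf("user verification failed; private key stays locked")
	}
	priv, ok := a[origin]
	if !ok {
		return nil, fmt.Errorf("no credential registered for origin %q", origin)
	}
	return ecdsa.SignASN1(rand.Reader, priv, assertionMessage(origin, challenge))
}

// The server verifies against its own origin and the stored public key, then burns the challenge.
func (rp *relyingParty) verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.creds[user]
	if rp.used[string(challenge)] || !ok || !ecdsa.VerifyASN1(pub, assertionMessage(rp.id, challenge), sig) {
		return false
	}
	rp.used[string(challenge)] = true
	return true
}

// RunScenarios reports whether each flow logged "alice" in; only the genuine one should.
func RunScenarios() (genuine, replay, phished, unverified bool) {
	rp, auth := newRelyingParty(realRP), authenticator{}
	register(rp, auth, "alice")
	ch := newChallenge() // 1. genuine login: real origin, verified user, fresh challenge
	sig, err := auth.sign(realRP, ch, true)
	genuine = err == nil && rp.verify("alice", ch, sig)
	replay = rp.verify("alice", ch, sig) // 2. an attacker replays the captured assertion
	// 3. Phishing relay: alice was lured into registering with evilRP too, and the attacker forwards
	//    the real server's challenge through the fake site, so the signature covers the wrong origin.
	register(newRelyingParty(evilRP), auth, "alice")
	ch2 := newChallenge()
	sig2, err := auth.sign(evilRP, ch2, true)
	phished = err == nil && rp.verify("alice", ch2, sig2)
	_, err = auth.sign(realRP, ch2, false) // 4. no local user verification: the device refuses to sign
	unverified = err == nil
	return
}

func main() {
	g, r, p, u := RunScenarios()
	fmt.Printf("genuine=%v replay=%v phished=%v unverified=%v\n", g, r, p, u)
}
```

Running it shows the genuine login succeeding and the other three flows failing. The two points worth noticing are what the server never holds (a password hash or any other reusable secret, so a leaked `creds` table yields nothing to stuff into other sites) and where the phishing defence actually lives: in the origin folded into the signed message and the browser’s refusal to report a forged origin, not in the user noticing a look-alike domain.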

Continued success of digital programs and initiatives will require software developers to think more holistically about customer engagement as they develop and upgrade applications, including eliminating risks early in the development cycle to enable compliance with an increasingly complex set of regulations. By taking a standards-based MFA approach using biometrics, DevOps teams can have a material, positive impact on their customers’ experience, foster increased customer trust, reduce support costs and, at the same time, build greater security and compliance into their products.


Mike Reinhart is the senior director of product marketing for Nok Nok Labs, helping organizations transform the consumer authentication experience powered by a passwordless, secure and scalable authentication solution with the broadest adoption in the market.