Access management is not just about usernames and passwords. 

With the ever increasing number of  threats, the ideal customer access and identity management (CIAM) system needs additional safeguards to secure the customer’s data as well as the company’s resources.

Currently,  multi-factor authentication (MFA) and single sign-on (SSO) are two security methods that greatly improve the security of enterprise CIAM solutions. The following section discusses each method, and how these methods improve the security of your systems and the user experience of your customers.

Multi-factor authentication

Multi-factor authentication requires the user to present additional verification information, also known as, factors, to ensure that users are who they claim to be. The most common example of this MFA method is the one-time password (OTP) received by users through SMS, email, or mobile app. Users won’t be able to proceed with sign-on, unless they provide the time-sensitive, user-specific OTP.

Two-factor authentication (2FA) falls under MFA and its common example is the one cited above (using OTP), where the first factor is the password, and the second is the OTP. 

Types of multi-factor authentication methods

Multi-factor authentication methods are based on any of the three factors of authentication. These are:

  • Something you know, such as as passwords or answers to security questions,
  • Something you have, such as mobile device or an access card, and
  • Something you are, or something that’s biologically unique to you, such as your fingerprint, voice, facial characteristics, or any of your biometric information. 

Aside from the above-mentioned factors, additional authentication factors can include the following:

  • Location-based factors, where you can set from which location the user account can be accessed, and
  • Risk-based, or adaptive authentication, where the security system analyzes additional factors, including context and behavior during the authentication process. The system then uses these values to assign a level of risk associated with the login attempt.

A strong MFA implementation can and should (if possible) include a combination of the mentioned methods. For example, aside from requiring OTP, you can activate the location-based factors as part of the authentication process. This way, if the account is accessed from outside the approved geographical locations, even if the correct OTP was entered, users will still have to verify their account through other means. This process greatly reduces the risk of compromised accounts from unauthorized access. 

Another example is having a passwordless authentication experience for users. With passwordless sign-on through device authentication, users can register their devices with their account, and then use their devices’ biometric authentication, or PIN, for succeeding sign-ons. Users will no longer be asked to provide their passwords when they use those registered devices to sign on. Passwordless authentication creates a friction-less sign-on process, enhancing the user’s experience with your brand.

Single sign-on

Single sign-on is an access management solution that allows users to access applications and services using a single set of credentials. 

This gives the user a convenient way to sign on multiple applications, websites, and services thus improving brand experience. SSO eliminates the need to remember several username/password combinations, as well as the avoid the risky and unsecured ways of keeping track of these information, such as writing them down on post-its and notepads. Another benefit of SSO to users is that they avoid using the same passwords across multiple applications or services. The practice of reusing passwords is a very serious security risk, since when one site has a data breach, usernames and passwords from that site are exposed to the public and malicious actors. These malicious actors can and will use these exposed username-password combinations on other sites. 

Although convenient, SSO also runs the risk of being a vulnerability: if the main credentials are compromised, the rest of accounts that use the main credentials are also vulnerable. To counter this risk, it’s best to combine SSO with MFA. For example, when implementing SSO, you can also require users to biometric authentication through device authentication. This way, you insure the legitimacy of the users’ identities before allowing them to proceed with accessing other accounts.


In summary, create a strong and secure customer identity and access management solution for your enterprise by using a combination of popular authentication methods such as multi-factor authentication and SSO. 

At Next Reason, we work with enterprises to help them get a better understanding of what authentication methods best suit your business and customer needs, and how to successfully integrate these technologies into your business systems. Contact us today to schedule a free exploratory session where we drill down and map out your identity and access landscape and find the best ways to use our CIAM solutions  to improve security and your brand experience.