CIAM Deep Dive

The 103rd Edition of the Identity Jedi Newsletter


Let’s talk CIAM

So, you’ve spent years wrangling employee logins, juggling SSO configurations, and enforcing password resets like a boss. Now you’re dipping your toes into Customer Identity and Access Management (CIAM) – where your “users” aren’t employees stuck with whatever security policy you mandate but actual customers who can and will abandon ship if you make their lives difficult. Welcome, dear IAM practitioner, to the wild world of CIAM! In this fun and info-packed deep dive, we’ll explore what makes CIAM tick and how to excel at it without losing your sense of humor (or your customers).

This edition is powered by our friends over at Descope. Couldn’t think of a better partner for diving into the world of CIAM.

LET’S JUMP IN

Illustration: A CIAM solution connects your customers to your applications, enabling easy registration, simple yet secure logins (with features like adaptive MFA, social login, passwordless, etc.), scalability to millions of users, and even seamless migration of identities. In essence, CIAM acts as the friendly gatekeeper that keeps the bad guys out while letting your customers in with minimal fuss (as depicted above).

UX is the New Security


When it comes to customer identity, user experience is king – so much so that UX has become a part of the security equation itself. Think about it: a frustrated user is a security risk. If you make registration or login a nightmare, users will do all the wrong things – reuse weak passwords, write them on sticky notes, or just give up and take their business elsewhere. As an IAM veteran, you might recall how overly complex password policies can backfire. (Remember forcing employees to include hieroglyphics in their passwords?) Research shows that as password complexity requirements go up, users are more likely to reuse passwords across sites [1] – which is bad news in a world of constant data breaches. The lesson? For customers, convenience is security. A smooth experience not only makes users happy, it actually keeps them safer by reducing the incentives to sidestep security controls.

What does “UX is the new security” mean in practice for CIAM? It means designing login and signup flows that are frictionless by default, adding friction only when necessary. For example, many successful customer sites let you browse or even fill a cart without logging in, only prompting for an account when you’re ready to checkout – by then, you’re invested in the purchase and less likely to bounce. It also means offering modern, easy-to-use authentication options. Gone are the days of “create an account and wait 24 hours for approval.” Today’s users expect one-click social logins, magic links in their email, or passwordless OTP codes sent to their phone. Passwordless authentication (via email link, phone OTP, or newer passkeys) is a win-win: it’s easier on the user and eliminates the password security headache. Likewise, social login (e.g. “Login with Google/Facebook/Apple”) can massively streamline onboarding – one tap and done. A caveat: always provide a standard email/login option too, for users who don’t want to use a social account on your service.

One powerful UX technique in CIAM is progressive profiling – asking for minimal info upfront and gathering more data over time as trust builds. This strategy can dramatically improve sign-up completion rates. Why ask for full name, address, phone, blood type, and first-born’s nickname just to create an account? You’ll scare people off. Instead, collect the bare minimum to register a new user, and get additional details later once the user is engaged. For instance, a neobank might let a new customer start using a basic account with just an email and phone number, and only later prompt them to provide extra KYC details (like an ID document or address) when they attempt a transaction that requires it. This way the initial onboarding is quick and painless, and the deeper identity verification happens when necessary rather than all upfront. Industry data backs this approach: allowing users to sign up fast and gathering info gradually can reduce initial registration abandonment by up to 40% in some cases [2]. In other words, more people complete signup when you don’t overwhelm them at hello.

Pitfalls to avoid: Don’t collect data just because you can. Every extra field in your signup form is another opportunity for a user to say “nah, too much work.” Also, be mindful of mobile users – a form that might be merely tedious on desktop could be torture on a phone. And if you’re tempted to mandate some convoluted password with 3 uppercase, 2 symbols, a haiku, and a hieroglyph – pause and reconsider. 😅 The best CIAM implementations now employ user-friendly security measures that actually improve UX. For example, many platforms (including Descope) support passwordless and passkey authentication out of the box, letting users log in with a fingerprint or a magic link without ever setting a password. This both boosts security (no password to steal) and delights users with its ease. Similarly, CIAM solutions let you integrate things like one-time passcodes, push authentication, or social login via simple SDKs or no-code widgets. Platforms like Descope focus heavily on guiding users through a fully branded, easy-to-follow registration and login process – because if your signup flow feels like a root canal, all the security in the world won’t save you from customer churn.

Bottom line: In CIAM, a smooth UX is a security feature. The easier and more intuitive you make it for legitimate users to access your services, the less likely they are to slip into insecure behaviors or give up. Treat every extra click or confusing prompt as an enemy combatant. As one CIAM expert nicely put it, you want to eliminate needless friction for known good users while keeping the bad actors at bay [3]. Make the “happy path” truly happy for your customers – they’ll reward you with loyalty (and completed logins!), and your security will actually be stronger for it.


CIAM’s Dark Side: Fraud and Risk

Where there are user accounts and juicy data, there will be villains trying to exploit them. This is the dark side of CIAM – the constant battle against fraud, bots, and abuse. In the customer-facing realm, you can’t rely on a security team watching over every login or a helpdesk manually verifying new accounts. The scale is huge and the attackers know it. So, what kind of threats are we talking about?

One big menace is fake account creation. Automated scripts (bots) or fraud rings will attempt to register tons of bogus accounts on your platform for various nefarious reasons – to spam content, to farm referral bonuses, to credential-stuff into accounts later, or to mask other exploits. How common is this? Sadly, very. In one analysis by a security firm, fake account creation was among the top bot attack categories observed, alongside things like account takeover and scraping [4].

And according to Okta’s 2024 security report, nearly a quarter of all login attempts on online services were identified as credential stuffing attacks (bots trying stolen logins) [5].

So if you feel like you’re besieged by bots – you are not alone. In fact, some experts estimate that a majority of traffic hitting public login pages these days isn’t even human at all, but malicious automation [6]. Yikes.

Consider the story of Clay, a hyper-growth SaaS startup that ran a free trial program. They discovered that almost half of the signups for their free trial were fake – bots or throwaway accounts that never led to real customers [7]. These fakes skewed their metrics, wasted resources, and even started abusing the system (scraping data, etc.). Clay’s team implemented robust bot detection and verification steps to eliminate the bogus accounts, which saved them an estimated $175k in costs and added $150k in real ARR by focusing on genuine users. The kicker? They achieved this without adding friction for legitimate users – a theme we keep coming back to. They likely used behind-the-scenes detection (device fingerprinting, IP reputation checks, etc.) to stop obvious bots, and maybe a challenge (like email or phone verification) only when something looked fishy. The result was a dramatic purge of fake accounts and a clearer picture of their actual customer funnel.

The other big bad is account takeover (ATO) and fraud on existing accounts. This is when attackers try to break into real user accounts, often via credential stuffing (trying username/password combos leaked from other breaches), phishing the user’s credentials, or brute force. Once in, they might steal personal info, use saved payment methods to commit fraud, or piggyback on the account’s legitimacy to do bad things (e.g. send spam from a compromised account). We’ve all gotten those “we noticed a new login to your account from X device” emails at some point – that’s CIAM doing its job to alert or stop an ATO in progress. The scale of this threat is massive: those Okta stats above about 24% of logins being credential stuffing attempts show how relentless it is [8]. And credential stuffing is cheap for attackers (they can buy a million leaked passwords for a few bucks), but potentially devastating for businesses that suffer the breaches. It’s been blamed as a leading cause of user account breaches across industries. So your CIAM had better be prepared to detect and block unusual login patterns, and to protect users even if their passwords were stolen elsewhere.

Aside from bots and credential crackers, CIAM also has to contend with things like fraudulent transactions, social engineering, and abuse of user privileges. For instance, an e-commerce site’s CIAM might detect if one account is suddenly placing hundreds of orders with different credit cards (possible stolen cards being tested) – that’s a red flag. A social media platform’s CIAM might need to catch if a single person is creating dozens of accounts to spread propaganda or harass others. A banking app needs to worry about device cloning or SIM swap attacks that could hijack OTPs. The “dark side” is, unfortunately, creative.

So how do we fight back? Modern CIAM platforms arm you with an array of defense mechanisms to detect and mitigate fraudulent activity:

  • Bot Detection and Mitigation: This can include integrating CAPTCHAs or more sophisticated “bot traps” into flows, using device fingerprinting, rate-limiting unusual activity, and checking reputation databases. For example, you might use a service that scores how likely an interaction is from a bot versus a human (based on mouse movements, IP, past history, etc.). If the score is bad, you either block the attempt or challenge it (e.g. present an “are you human?” test or require email verification). Many CIAM solutions now offer native bot detection features or easy integration with anti-bot services. Descope, for instance, provides native and third-party risk signal integration to spot bots and stop them at the door [9]. Descope’s platform advertises capabilities to “stop bot attacks on your login pages” and prevent abuse like credential stuffing by combining MFA with risk analytics. The aim is to weed out scripts and bogus signups without inconveniencing real users (who breeze through normally). Think of it as having a silent bouncer who only intercepts the shady characters in line while waving regular customers through.

  • Multi-Factor Authentication & Adaptive Challenges: We discussed adaptive MFA earlier as a balancing tool; it’s also a critical anti-fraud measure. If an attacker somehow acquires a user’s password, the secondary factor can block the door. Especially for sensitive accounts, enabling MFA is one of the most effective ways to prevent ATO. CIAM best practice: offer and even encourage users to set up MFA (e.g. via authenticator app, SMS, or security key). Some services now even mandate it after certain triggers (e.g. if we detect a prior breach of that user’s password, require MFA enrollment). Adaptive policies can trigger MFA for suspicious logins as noted. All this ensures that even if passwords are weak or compromised, the account isn’t toast. Pro tip: If you can, move toward phishing-resistant MFA options like FIDO2 security keys or platform biometrics – these mitigate the risk of even the MFA channel being attacked.

  • Anomaly Detection and Risk Scoring: This is where some AI and machine learning often come into play (more on AI later). CIAM systems can analyze patterns of normal user behavior and flag anomalies. For example, if user Alice always logs in from California and never at 2am, and suddenly there’s a 2am login from overseas, the system should catch that. Beyond location, anomalies could be based on device, time, frequency of requests, and even behavior once logged in (like suddenly accessing very different parts of the app). By assigning a risk score to each authentication or action, the CIAM can decide whether to allow, block, or step-up authenticate. Many platforms including Descope allow hooking into custom logic or third-party services for risk scoring – e.g., you could use a fraud scoring API that looks at email, IP, device reputation in real-time and returns a risk level, which your CIAM workflow then uses to choose a path (e.g. high risk = require phone verification, low risk = seamless continue). This sort of intelligent filtering is crucial in an age where bad actors often try to blend in with good users. They might rotate IPs, mimic browser headers, etc., so a multi-signal approach is needed.

  • Fraud Prevention Integrations: CIAM doesn’t exist in a vacuum. Many organizations integrate their CIAM with downstream fraud analysis tools or SIEM (security information and event management) systems. For instance, if you have an e-commerce site, you might connect your CIAM events (logins, signups, password changes) with a fraud system that also watches transactions. If that system sees a mismatch (like a user changing their password and then, 5 minutes later, shipping an order to a new address in another country), it might flag the order for manual review or automatically cancel it. The point is, CIAM provides the identity context needed to assess trust in an action. In some cases, CIAM solutions themselves offer these advanced checks – e.g. some have built-in rules like “if a user creates an account and within 1 minute attempts a very expensive purchase, mark as high risk.” Combining identity data with activity data helps catch clever fraud patterns.

  • Tools to Combat Spam and Abuse: Not all bad things are logins. Sometimes the account is real but gets used in an abusive way (think: a fraudster convinces a real user to create an account and do something). CIAM can help here too. For example, rate limiting how many accounts one email or IP can create in an hour can prevent someone from making 1000 accounts for spam. Email verification can ensure throwaway emails don’t flood your database (though determined spammers use real email accounts, so it’s not foolproof). Phone verification is another, often more serious step – requiring a phone number that receives an OTP. Many bots avoid giving a unique phone due to cost, so that’s higher assurance (though again, balance: requiring a phone for all users may hurt conversion in some markets). Descope has connectors with services like Telesign to do phone number reputation checks and verifications, helping validate that a new user’s phone isn’t a known VoIP or scam number. This kind of integration can thwart bots and fake identities (for example, if 200 accounts all used the same phone or a sequence of burner numbers – big red flag).
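The multi-signal risk scoring, allow/step-up/block decision and per-IP signup rate limit described in the list above, as an added example that is not part of the original newsletter or of Descope’s product. The baseline for “Alice”, the IP reputation list, the signal weights and the thresholds are all constructed for illustration; a real deployment would source them from the CIAM platform or a third-party risk service.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample state (not from the newsletter or any vendor): a per-user
# baseline, an IP reputation list and a per-IP signup log stand in for what a
# CIAM platform or third-party risk service would keep server-side.
BASELINE = {
    "alice": {"regions": {"US-CA"}, "active_hours": set(range(7, 23)), "devices": {"dev-a1"}},
}
BAD_IPS = {"203.0.113.7"}           # constructed; 203.0.113.0/24 is a documentation range
SIGNUPS_PER_IP = defaultdict(list)  # ip -> epoch seconds of recent account creations

@dataclass
class LoginEvent:
    user: str
    ip: str
    region: str      # e.g. "US-CA"
    device_id: str   # from a device-fingerprint cookie
    hour: int        # local hour of the attempt, 0-23

def login_risk(ev: LoginEvent) -> int:
    """Sum independent signals; each is weak alone, but an attacker who rotates
    IPs still has to fake the device and the timing as well."""
    score = 50 if ev.ip in BAD_IPS else 0   # reputation hit
    base = BASELINE.get(ev.user)
    if base is None:
        return score + 10                   # no baseline yet: mild bump only
    if ev.region not in base["regions"]:
        score += 30                         # Alice logging in from overseas
    if ev.hour not in base["active_hours"]:
        score += 15                         # Alice at 2am
    if ev.device_id not in base["devices"]:
        score += 20                         # unfamiliar device
    return score

def decide(score: int) -> str:
    """Map the score onto the three paths the text describes."""
    if score >= 70:
        return "block"
    if score >= 30:
        return "step_up"                    # e.g. require OTP or passkey first
    return "allow"

def signup_allowed(ip: str, now: int, limit: int = 5, window: int = 3600) -> bool:
    """Sliding-window cap on account creations per source IP."""
    recent = [t for t in SIGNUPS_PER_IP[ip] if now - t < window]
    allowed = len(recent) < limit
    if allowed:
        recent.append(now)
    SIGNUPS_PER_IP[ip] = recent
    return allowed
```

Alice from her usual region and device passes silently, the same device from overseas at 2am gets a step-up challenge, and a bad-reputation IP on top of that is blocked; an unknown user only ever gets a mild bump, so the scoring never punishes new customers for lacking history.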

To sum up the dark side: assume you’re a target, because you are. Build your CIAM with layered defenses – something like the “Swiss cheese model” where even if one layer is bypassed, others stop the threat. Monitor continuously, adapt quickly (attackers certainly do), and keep the impact on legit users as low as possible. If UX is the Jedi knight, think of these fraud measures as the lightsaber – an elegant weapon for a more civilized age, keeping the empire of bots and thieves at bay.

Additional Reading

AI and CIAM The Next Frontier for SaaS Security

Are Decentralized Identities the Future of CIAM?

The Last Word

Shout out once again to our friends over at Descope for sponsoring this edition of the newsletter. I’ll say it again: I really love what they’ve done with their product and how easy it makes integrating authentication and authorization into your application and a whole lot more. Make sure to show them some love!

If you’re at RSA this year, let’s connect! Some exciting things are happening in the world of identity and I’d love to hear your take.

What’s the next deep dive edition you want to see? Let me know, till next time…

“Be good to each other, be kind to each other, love each other.”

-David


[1] https://auth0.com/blog/dont-pass-on-the-new-nist-password-guidelines/

[2] https://guptadeepak.com/ciam-basics-a-comprehensive-guide-to-customer-identity-and-access-management-in-2025/#:~:text=to%20create%20accounts%20and%20access,in%20some%20cases

[3] https://assets.ctfassets.net/2ntc334xpx65/60NvxPzJfeZy0xac5Bn3Bs/d6831d752f8b0096f2e39ac2b0992480/Learn_CIAM_by_example.pdf#:~:text=What%20is%20CIAM%3F%20CIAM%20is,degree%20view%20of%20their%20customer

[4] https://www.arkoselabs.com/latest-news/bad-bots-account-for-73-of-internet-traffic-analysis/#:~:text=The%20top%20five%20categories%20of,product%20abuse

[5] https://acsense.com/blog/executive-summary-the-state-of-secure-identity-report-2023-by-okta/#:~:text=From%20January%20to%20June%202023%2C,Media

[6] https://www.arkoselabs.com/latest-news/bad-bots-account-for-73-of-internet-traffic-analysis/#:~:text=Bots%20are%20automated%20processes%20acting,and%20related%20fraud%20farm%20traffic

[7] https://www.growthunhinged.com/p/stop-fake-accounts#:~:text=The%20Gist

[8] https://acsense.com/blog/executive-summary-the-state-of-secure-identity-report-2023-by-okta/#:~:text=From%20January%20to%20June%202023%2C,Media

[9] https://www.descope.com/#:~:text=Descope%20,Identity%20orchestration
