Cyber Daily


Top 3 trade-offs commonly encountered in identity security circles

Organisations can see a pathway to secure systems that doesn’t come at the cost of user experience, writes Steve Dillon, head of APAC architecture at Ping Identity.

Steve Dillon
Thu, 23 Jun 2022

The identity technology world forces us to make trade-offs. These difficult decisions are an endless exercise in technical and logistical nuances like developer and IT resources, product licences, integrations, and deployment methods.

Some of the most common trade-offs in identity management are security v experience, platform v best of breed, and fast v thorough.

These trade-offs have traditionally limited organisations as they attempt to design a secure and seamless identity and authentication experience for their users.


Organisations and IAM professionals alike often wonder to what extent they are stuck with these trade-offs and the bad experiences that accompany them. However, it is possible to break the cycle and rise above them.

It is worth exploring each of these trade-offs in a bit more detail, as well as strategies and tools that identity administrators can use to counter their ill effects, without compromising security.

Security v experience

Choosing between experience and security is a losing proposition today, and has been for some time. This trade-off is also known as usability v security and is a debate topic on many technology projects.

Historically, and even today, identity has been more focused on security than on user experience. No user, whether an employee or a customer, wants to deal with an identity process that is often perceived to sit between a user and what they want or need to do.

Identity systems’ reliance on passwords is part of the issue. The less frequently a user accesses a resource, the more likely they have forgotten their password, and the more challenging the identity process will be for them. They are likely to face additional challenges such as questions, SMS or QR codes to authenticate. These add unnecessary friction to the end-user experience but provide some assurance that the person requesting access or information is who they say they are.

Until recently, there haven’t been identity management and authentication options that are secure but also preserve the user experience. Instead, it’s been the classic trade-off scenario. Choose experience and you increase customer and employee retention and satisfaction but increase your risk of a security incident; choose security and you mitigate breach risk at the expense of a great user experience.

Human-centric identity offers a path forward. For users, it means interacting with a simple user experience associated with an identity that may include passwordless options like SMS or biometrics, for example. Ultimately it may mean that, through the use of machine learning, the company can identify the user by attributes alone, such as device, location, or usage patterns, allowing that individual to skip a more visible or disruptive authentication process. When more organisations reach this point, the security v experience trade-off will finally be resolved.

Platform v best of breed

This is another debate that has raged for decades, but is still very much applicable to the identity management space: is it better to try to address all aspects of identity through a single technology stack, or to find and stitch together a series of specialist components that are – operationally or functionally – the best available in their respective domains?

In many ways, this is less of a trade-off in identity, though, since there’s no such thing as a single identity vendor that can deliver everything that is needed from a technical or experience perspective.

Vendors understand and accept that they are part of an identity ecosystem and need to deliver capabilities that support that. They need to build to open standards – and many already do this today.

But beyond that, vendors need to deliver platforms that are vendor-agnostic and that allow companies to use the platform and some of the products natively built on it, but also to integrate third-party components into the platform so they become part of a seamless workflow.

Allowing companies to have a choice of which technologies to plug into their ecosystem is foundational to enabling human-centric identity, and to resolving this particular trade-off.

Fast v thorough

This is also known as the speed-accuracy trade-off. While it still exhibits trade-off characteristics in domains like machine learning (where accuracy at inference is likely to be favoured over speed to train or run the model), when it comes to identity management, the ideal scenario is that authentication processes exhibit both characteristics at once, i.e. they are both fast and thorough.

Brands looking to build experiences that stand out in a digital-first world must be able to answer the question “Who are you?” instantly and accurately. If they can’t do that as soon as a customer touches their digital properties, they risk frustrating the customer, losing revenue, and opening the business up to fraud or reputation-damaging data breaches.

Identity with the lot

While these trade-offs can limit an organisation's ability to design a secure and seamless experience for users, this is changing, courtesy of moves towards a human-centric identity. This starts from the position that a balance of needs or requirements is possible.

Organisations can manage identity in a way that emphasises both security and the user experience; that is fast and thorough; and that is best-of-breed but uses no-code or low-code orchestration and workflow automation to stitch all the pieces together seamlessly, as if it were run and purchased as a single stack.

The traditional trade-offs encountered in identity management are starting to dissipate as a result.

Steve Dillon, Head of APAC Architecture at Ping Identity.
