Hello everyone, I'm Sundesh, your host for today. I work at Amazon as a senior product manager, technical, in London. Before we start, just a standard disclaimer: the information shared in this session is my personal opinion; my current and past employers are not responsible for any content or opinions expressed. Also, the examples used are for illustration purposes; I don't endorse them.

So the topic for today is customer experience versus security. As a product manager, on an everyday basis you face this dilemma of how to provide a superior customer experience while at the same time providing sound security. So let's dive into this topic today.

Now, before we actually jump into the topic, a little bit about me. You might be wondering, who is this guy and why should I listen to you? Fair question. So a bit about me. I used to love trigonometry, or mathematics, in my school, so I would describe myself as someone who transitioned from a rectangle to a square, or from a circle to a square. So this is how it is. So I graduated as a computer science engineer, started my career as a UX engineer and then transitioned to a product manager post my MBA. And I was lucky enough to travel between these three figures and, at the same time, between different continents, from Asia to the Middle East to Europe. If you're keen to know more about me, you can follow me on LinkedIn or connect, and we can have a chat.

Coming back to the topic for today, which is customer experience versus security. The main problem occurs because there is a difference of expectations between the two parties here, which are a product manager and an infosec team for a company. So for a product manager, the user expectations are: there should be seamless one-touch access across all platforms; there should be a simple sign-up process; there should be some personalized offers. The list is just endless, but have it for any application, any device, or anywhere access.
And at the same time, what does an information security team expect? They expect that the information security criteria are met. There is additional due diligence for the user sign-up journey for banks, for example; the data is compliant with, for example, GDPR or privacy requirements; there are enough mechanisms for identity management of device, user and application. So if you see, the difference of expectation is quite clear.

So what I tried to do is put this into a two-by-two matrix of CX versus security, and then put it across as good and bad, or low or high, across four quadrants. So if I'm starting from the bottom left quadrant: if you have bad CX and low security, everyone suffers. There is just pain, which is followed by another pain. For example, using default passwords to log in to an app, with no system checks. We will get into the examples more in the following slides. Similarly, if you provide good CX plus low security, or bad CX plus high security, the chances are you may not hit that sweet spot; we'll touch eventually on how to achieve that sweet spot of good CX plus high security. Essentially, living there is what every product manager aspires to.

So let's go into them one by one. The first example is bad CX plus low security. I have an example from back home, the old IRCTC website in the early 2000s. It had a complex ticket booking flow which was difficult to navigate. So a typical user journey at that time was: the user had to select a quick book checkbox, but when the customer went to the login page, there was no quick book button. So once the user discovered this, the booking journey had a short time on. So though there was a limit on the work tickets you could book through the website, there was no check on the username and password via email verification. So the consequences of this were a customer journey that was broken, difficult to navigate and complex.
And because of the bad CX, people preferred booking tickets via kiosk or from ticket vendors, despite there being an online website. Also, no email verification on user registration meant the data was open to hacking and abuse by fraudsters. So I'm talking about the early 2000s here. If you see the website today, it is a superior website which is much cleaner, but this is just an example of how the websites were when the internet era arrived in India.

Coming to the next example, which is good CX plus low security: essentially, no check on passwords. Here, most web applications didn't use a password strength check while setting up accounts. This used to be a common case, I would say maybe five to ten years back. Nowadays most of the good web applications do have this password check, but if you haven't seen it, here is how the user journey used to be: the user can create the account by setting any password, and because there is no check, users can set the easiest password just to complete the registration. Users love this, as it is an easier step for them to create a password. Although no checks on password creation is good CX, these passwords are prone to hacking. So the screenshot below is the worst passwords of 2020: the most used passwords on apps or websites, the corresponding number of users, and the time to crack each. If you see the list, it is a no-brainer, like sequential numerals such as 1 2 3 4 5 6, or using "password" as the password; these are the easiest to crack, in less than a second.

Moving on. So this one is bad CX and high security. This is something which apparently Google faced for a device controller app. This was an app which enabled device management for credit providers in Kenya. If you haven't heard about this app, let me walk you through the user journey here. Users can buy Android Go smartphones in installments with a telecom provider. If they don't pay their EMI for a month, the device will be locked.
A credit provider can remotely restrict access to the Android device if you don't make payments. If the Android device is restricted, basic functionality such as emergency calling and access to settings will still be available. So what happened was users were frustrated with the experience when the device was locked, as they weren't told explicitly about this configuration, that if you don't pay the EMI your device will be locked. So this app was kind of a very strange avenue for Google. It was additionally strange that this app was hidden away on the Play Store, separated from the rest of the Google LLC products, and users didn't like that and have since then questioned it. So I pasted a few of these screenshots, which you can see on the page. The app is no longer available, but this was kind of a strange move by a company.

Now the next one is on bad CX plus high security, and the example is OTP overkill. So initially, when one-time passwords were introduced, it was a novel idea for critical financial transactions. But over time it has been used for all transactions in most of banking. So the typical journey, most of us have seen this: the user logs into the account using a password, an authentication code is sent to the user's mobile phone, the user enters the OTP and is granted access to the online account. But this OTP overkill is making users frustrated, because for every transaction, especially if you are travelling and don't have access to a network or are in roaming, it becomes a nuisance and causes a lot of frustration for users. So it should be used judiciously, for critical financial transactions alone.

Now, how do you go from no security to perfect security? Essentially, as a PM, you need customers to buy your product so that you become a happy PM. And the security team also wants their demands satisfied, essentially a happy infosec team. So the sweet spot of overlap provides you minimum viable security plus optimal customer experience.
And it's not like if you do that, you'll not get a competitive business advantage. In fact, organizations, enterprises, or entire ecosystems have leveraged this competitive business advantage, and we will see that in the subsequent slides.

The first one is good CX plus high security at the grocery store, or commerce. This is from somewhere close to my home, Tesco GetGo. It is open in London, UK, and unlike traditional shops there are no registers or cashiers. No need to wait in line; you can just walk in and pick out what you want. You just have to sign in using your Tesco account once before entering the store. And in case you prefer, you can always go to the cashier. So I have a short video, just have a quick look.

"Since the launch of our first GetGo store in High Holborn, we've listened to lots of feedback and we've taken lots of learnings. So I'm really excited to share with you today a new hybrid shopping experience in Fulham Reach, where customers can choose to pay using the app or through the checkouts in the store. Here's how it works. To try our new frictionless technology, simply open the Tesco Grocery app, select GetGo from the settings section of your profile page and check your payment details are up to date. We anonymously track the items you select using special technology from Trigo that monitors the movement as you walk around the store. We don't store any customer images or data, but assign a unique ID to you as you enter the store. You can also shop with friends and family by simply scanning them in on your app, and then you choose to use a self-scan checkout, where a colleague will always be on hand to help, or simply scan your app as you exit the store."

So I would suggest, if you're in London, just go out and check this out. This is really cool. And this hybrid store was opened recently.
You should definitely check it out, and other organizations have also replicated similar setups in their respective journeys.

Coming from a FinTech or banking background, this is something which always gets debated: how do you achieve a superior customer experience and high security? So this is a classic example, video KYC at N26, which is a German challenger bank. The customer can download the app and complete the registration. The cool thing about it is, for ID verification, if your address is outside Germany the ID verification is done by taking a selfie and a photo of your ID through the app. And if your address is in Germany, you can do it through an in-app video by pairing a smartphone with your account. This is an innovative way of doing ID verification which is secure and a great customer experience. In fact, N26 was one of the first to start this way, but nowadays most of the challenger banks or newer banks in different parts of the world have adopted this feature since then.

The next example is at a regulator level. So we saw e-commerce, we saw a bank. Now, how is it achieved at a regulator level? I have an example; if you're from a FinTech or banking background you must have heard the term 3D Secure 2. Prior to 2020, an e-commerce journey through credit card required information such as the credit card number, expiry date and a one-time verification code. But the framework introduced by the EU's Revised Payment Services Directive mandated that customers making purchases online provide more information, like in the form of a passcode, a fingerprint or a face ID. So this provided customers strong customer authentication depending on the devices they have, as the change is implemented not just at the merchant level but at the bank and payment service provider level. So this gave an additional secure layer to customers, and they were no longer worried about whether their transaction is insecure or not.
Moving to the last example, which is at an ecosystem level. This is from where I used to live previously, Dubai. For the Dubai airport customer experience, a few months back Dubai airport started testing iris scan, which is a contactless technology eliminating the need for any human interaction when entering or leaving the airport, to control the spread of COVID-19. So the user journey before check-in was: scan your passport details page, or your Emirates ID, which is like a social security number, look into the camera, wait for OK on the screen, and the gate opens. And the user journey after check-in is: instead of a manual check for paper tickets or phone apps, now you look into the camera, wait for OK, the gate opens, and you proceed for flight boarding. So the entire process is now seamless and takes literally five to six seconds at each leg. If COVID is behind us, you must have been travelling a lot, but this airport experience of border control and going to the gates is always painful. So this was a novel experience which was done by Dubai airport.

So the takeaways from today's session: the expectations of a customer and a security team are always at loggerheads, be it a physical product or a pure-play digital product. But businesses that provide minimum viable security and optimum customer experience are building a strong competitive advantage against peers. We just saw it for different players like e-commerce, a bank, a regulator, or an entire ecosystem as complex as an airport. There can't be a one-size-fits-all solution while building a great experience at the expense of high security; to borrow the famous cartoon, one size fits all.
If you try to combine running, hiking, climbing and cycling all in one, you'll get something like a complex shoe which no one will wear. But that's what everyone tries to do to hit the sweet spot; you need that optimum balance between the customer service expectations and the security team's. That's from my side. Have a great day.