Customer identity under pressure: What rising attacks and AI adoption mean for trust and risk

For any service or retail organization, the most important thing to maintain — and the hardest thing to regain once it's lost — is consumer trust.

Customers need to believe that an organization's products or services are worth buying, but they must also be sure that the organization properly protects their personal data. No one wants to do business with a company that routinely mishandles customer contact information or credit-card numbers.

In online interfaces, the front line of maintaining trust is a customer identity and access management (CIAM) system. It handles customer registration, login, and account management, including personal information.

CIAM is what challenges you with a CAPTCHA when you're signing up, sends you one-time passcodes when you're signing in, and shows customer-service agents your account profile when you call in about a problem.

But keeping customer information safe while maintaining convenience is a balancing act. Making customers jump through hoops when they create accounts or log in will send many elsewhere. Yet customers themselves worsen the problem by reusing passwords, raising the risks of account compromise.

Customers also have a deep antipathy toward dealing with AI, especially customer-service chatbots and answering services. That's according to a new survey conducted for CIAM provider Auth0's 2025 Customer Identity Trends Report.

Of 18 different demographic slices arranged by nationality, age, and attitude toward technology, not one preferred interacting with an AI agent instead of a human customer-service agent. For Baby Boomers, the ratio against using AI was more than 40-to-1.

"A significant disconnect remains between what businesses want AI to do and what many customers are willing to accept," notes Auth0 President Shiven Ramji in a blog post announcing the release of the report.

He added that "60% of survey respondents are concerned about the impact of AI on the privacy and security of their digital identities."

The survey found three main issues relating to customer trust: poor password hygiene and its effects; too much security-related friction in user registration and logins; and an almost complete lack of trust in AI-based customer service. Fortunately, there are ways to mitigate each one.

Passwords aren't getting any better

It's 2025, and most people still create weak passwords, reuse those passwords, and never change their passwords unless they are forced to. In the Auth0 report, 68% of all users admitted to sometimes reusing passwords.

Younger respondents seem to reuse passwords the most: 25% of Gen-Z respondents said they used one password for all their accounts, while only about 7% of Baby Boomers did.

Older users are the least likely to reuse passwords, according to the Auth0 survey, with 42% of Baby Boomers claiming to use nothing but unique passwords — although that's still a minority even in that age cohort.

Slightly more than half (51%) of all respondents said they generally used different passwords for different accounts, but admitted that they were slightly altering a small set of stock passwords to create barely unique variants.

Nearly three-quarters of respondents (73%) in the Auth0 survey felt passwords were convenient. Respondents also thought passwords were more secure than hardware security keys, which they rated last in convenience. Only fingerprints and facial recognition were considered more secure than passwords.

"Using a method more frequently makes it feel more familiar — and greater familiarity influences opinions regarding convenience," the Auth0 report notes.

Yet sloppy password usage is behind most account-takeover attempts, the Auth0 report stresses. Reused, short, simple or overly long-lived passwords make it much easier for miscreants to carry out brute-force, credential-stuffing and password-spraying attacks.

In 2024, about 17% of all login attempts across the widely used Auth0 platform were deemed to be fraudulent, the report states. The rates were highest, as you might imagine, for online retailers and financial institutions.

The overall rate was a bit down from 2023, but the persistence of the problems created by poor password hygiene makes clear that the issue won't go away unless people get better about using passwords.

Here's a pro tip: They never will. Two decades of badgering users to create better passwords and use them wisely has barely moved the needle. People just aren't listening.

So if we can't make people stop using passwords badly, then maybe we can make passwords less important, or even phase them out altogether.

The Auth0 2025 Customer Identity Trends Report recommends that online retailers and service providers gently move consumers towards:

  • Passkeys based on smartphone biometrics and embedded secure elements
  • Social logins, which the report characterizes as "essentially single sign-on (SSO) for consumer apps"
  • Biometrics, especially the familiar facial and fingerprint recognition found on smartphones
  • Adaptive/dynamic multifactor authentication (MFA) that takes context like impossible travel into account
  • Step-up authentication for when extra authentication is called for, "e.g., a user may be prompted for additional authentication when attempting to alter account information or retrieve a sensitive document."
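
A minimal sketch of the adaptive MFA and step-up checks from the list above, added here as an illustration; it is not code from Auth0 or the report. The speed threshold, the 50 km geolocation noise floor, the five-minute freshness window and the action names are all assumptions.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumed: roughly airliner cruising speed
GEO_NOISE_KM = 50.0         # assumed: ignore small jumps caused by IP geolocation error
STEP_UP_MAX_AGE_S = 300     # assumed: a strong factor older than this must be repeated
SENSITIVE_ACTIONS = {"change_email", "change_password", "download_statement"}  # hypothetical

@dataclass
class Login:
    ts: float    # Unix time in seconds
    lat: float   # degrees
    lon: float   # degrees

def distance_km(a, b):
    """Great-circle (haversine) distance between two login locations."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlat = p2 - p1
    dlon = math.radians(b.lon - a.lon)
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def impossible_travel(prev, cur):
    """True if getting from prev to cur would need an implausible speed."""
    km = distance_km(prev, cur)
    if km <= GEO_NOISE_KM:
        return False
    hours = (cur.ts - prev.ts) / 3600.0
    return hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH

def decide(prev, cur, action, last_strong_auth_ts):
    """Return 'allow' or 'require_mfa' for one request."""
    if prev is not None and impossible_travel(prev, cur):
        return "require_mfa"                          # adaptive MFA: risky context
    if action in SENSITIVE_ACTIONS:                   # step-up for sensitive changes
        fresh = (last_strong_auth_ts is not None
                 and cur.ts - last_strong_auth_ts <= STEP_UP_MAX_AGE_S)
        return "allow" if fresh else "require_mfa"
    return "allow"

if __name__ == "__main__":
    # Constructed sample data: a New York login, then London one hour later.
    new_york = Login(ts=0, lat=40.7128, lon=-74.0060)
    london = Login(ts=3600, lat=51.5074, lon=-0.1278)
    print(decide(new_york, london, "view_orders", None))
    print(decide(None, new_york, "change_email", None))
```

Low-risk requests from a plausible location pass without a prompt, which is how this approach limits friction for legitimate users.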

"Traditional security approaches (like a simple username-and-password combination) are clearly failing," Ramji told us in an interview. "Organizations need to adopt and enforce the latest identity technology, whether that's MFA, passkeys, biometric security, or even SSO."

Passkeys stored on smartphones or laptops may be the ultimate solution to replacing passwords, but they're a hard sell to older users who are already resistant to methods like MFA.

It's the younger users, the ones who happen to be the most careless with their passwords, who are most receptive to passkeys and social logins. In the Auth0 survey, 55% and 58% of Gen-Z users, respectively, rated those more modern authentication methods as convenient.

"While passkeys are new enough to be unfamiliar to many users, more than half of Gen-Z and Millennial respondents consider them to be convenient," the report says, "suggesting that this more secure authentication method has a bright future."

Reducing the friction

Due to poor password hygiene, companies must try to prevent account takeover by challenging users to verify themselves using methods like MFA. That's often clunky and frustrating for legitimate users.

The initial account-registration process can be even more frustrating, with long forms to fill out, CAPTCHAs to solve and emailed verification links to click.

This "friction," as it's called, makes it harder for miscreants to break into accounts or create fake new ones.

There's clearly a need: In 2024, nearly half (46%) of account-registration attempts across all Auth0 clients were deemed fraudulent. For several months, the ratio of fraudulent to legitimate registration attempts on retail and e-commerce sites was 120-to-1.

But friction takes a toll by turning off potential customers. In the Auth0 survey, 40% of all users admitted to abandoning an online purchase process due to signup or login friction. Surprisingly, younger respondents were the most likely to ditch a purchase for these reasons.

And in fact, even though 64% of survey respondents said they worry about identity fraud, more respondents (62%) found long signup/login forms more annoying than providing sensitive data (52%).

"Customers want frictionless, personalized, and instantaneous experiences when logging into apps and making purchases," the Auth0 report says. "At the same time, they want to control what data they share, and they want appropriate security controls in place to protect that data."

So how can an organization cut down on friction while maintaining security? One of the better ideas, the report notes, is "progressive profiling."

Rather than making a customer fill out a long form detailing their entire life story during account registration, personal information can be gathered gradually as the customer keeps coming back.

"Asking for a little bit of info over time as you use the service more," Ramji says, "reduces that initial hassle."

Ramji also recommends being frank and clear with customers about why certain kinds of personal information are needed, how your organization will use that information, how it will protect the data — and how better authentication methods will help.

"Use intentional, carefully chosen language that frames MFA, passkeys, or biometric security in a positive light, emphasizing how it empowers users to maintain control and safety over their personal information," Ramji says.

No one likes talking to a robot

The biggest surprise in the Auth0 survey results is how many consumers really, really don't like talking to AI.

The negative responses were so great that rather than showing the percentages of how many people preferred to interact with a human customer-service agent over an AI one, the report instead charts the ratio of pro- and anti-AI preferences.

Every single geographical, attitudinal or generational cohort said they would rather interact with other humans, ranging from ratios of 1.1:1 for Indian residents and "tech innovators" to 41.5:1 for Baby Boomers and 16:1 for "tech avoiders." The average human preference ratio was 4.4:1.

Age-wise, Gen Z was most comfortable with AI, exhibiting only a 2.3:1 preference for humans. Canadian residents were least comfortable with it among countries, at 9.2:1.

"Across the full respondent base," the report says, "86% expressed a preference one way or the other, with 70% favoring interacting with humans and 16% favoring AI."

People who, well, preferred people agreed with statements that AI didn't understand humans (64%), could be frustrating to deal with (38%), was untrustworthy (29%) or just inexplicable (22%). Those few who preferred AI said it responded more quickly (55% of that subset), let humans avoid human interaction (53%) and represented the future (51%).

Broken down by task, AI got the most trust for performing language translation, collecting data or assisting with writing — tasks that Google Translate, Google Search's AI and ChatGPT perform millions of times every day — but even then, the trust levels were below 40%.

Those tasks were followed in the trust rankings by data analysis, creative tasks, task automation, shopping suggestions, and schedule and calendar management, all of which the AI industry is putting forward as use cases. Yet only between 26% and 21% of survey respondents said they would trust AI to do those jobs.

Perhaps most damningly, 23% of all respondents agreed with the simple statement, "I would not use AI agents."

"Fully 60% of survey respondents reported being either very concerned or concerned about AI's impact on the privacy and security of their digital identities," the report said. "In every cohort examined in this study, a majority of respondents expressed concern."

Clearly, the AI industry, and more specifically the online retailing and service industry, is facing a trust problem as it tries to move customer-service operations toward AI.

How can you get your customers to trust AI agents? Auth0's survey results hint that it might be an uphill battle.

The survey asked respondents what might increase their trust in AI agents. The most-selected response was human oversight of AI decisions, with an average of 38% support.

That was followed by transparency about how the AI reaches its conclusions (34%) — which might be tough as many AI models are opaque "black boxes" — making sure the AI follows ethical guidelines (33%) and AI accountability for mistakes or harm caused (31%).

But no tech-attitude cohort in the survey, even the "tech innovators," showed even 50% support for any way in which AI might gain their trust.

There was one interesting outlier in the trust-method rankings: "Gen-Z was the only age cohort not to have human oversight at the top of their list; instead, 'The AI agent follows ethical guidelines to ensure fairness, privacy, and security' led the way with 37% support."

That perhaps offers a toehold of hope for service providers and retailers who would like to have AI take over at least some of their call-center tasks. Gradual familiarity and generational change will certainly contribute to AI acceptance, but Ramji is bullish that transparency will accelerate the process.

"Transparency, ethical behavior, and accountability measures are essential for growing user confidence in AI," he told us. "For organizations, this means prioritizing security and ethical guidelines from the beginning when deploying AI agents and clearly communicating these efforts to users."

As a CIAM company, Auth0 also stresses the importance of using strong identity safeguards, even as the report notes that "as developers are under immense pressure to get AI agents to work, AI applications are being built and deployed without Identity and Access Management (IAM) controls."

The report lists "four critical requirements where identity is crucial":

  • Authentication: AI agents "must be able to authenticate users just like any other application"
  • Vaulted, secured (not hard-coded) access tokens for AIs to work with APIs
  • Asynchronous user confirmation because many AI tasks take a long time to complete
  • Least privilege: "AI agents should only get the permissions they need, nothing more."

Regardless of whether retailers and service providers are ingesting your data, giving you access, or having you "talk" to an AI customer-service agent, Ramji stresses that maintaining customer confidence is crucial.

"The key for organizations is to be transparent and upfront about why they need your data and how they're protecting it," he said. "It's all about earning and keeping that trust."

Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.
