
Omnichannel retail authentication for kiosks and mobile sessions


(@nhi-mgmt-group)

TL;DR: Retail authentication now has to follow customers across mobile apps, kiosks, loyalty systems, and connected devices, with 73% of consumers shopping across several channels during the buying journey, according to Descope. Static login pages no longer match omnichannel retail journeys, where device trust, risk signals, and cross-channel session continuity determine both conversion and account security.

NHIMG editorial — based on content published by Descope: The Power of Descope Flows for omnichannel retail authentication

By the numbers:

Questions worth separating out

Q: How should security teams handle authentication for shared retail devices?

A: Security teams should move shared-device authentication away from direct credential entry and toward second-device approval, QR-based session initiation, or other trusted-device flows.

Q: Why do retail environments need adaptive authentication?

A: Retail environments need adaptive authentication because customer risk changes across device type, location, behaviour, and transaction value.

Q: What breaks when authentication is still designed around a single browser session?

A: Single-session authentication breaks when a customer moves between web, mobile, kiosk, and loyalty touchpoints without losing context.

Practitioner guidance

  • Map the retail identity journey end to end: Document every place a customer can authenticate, resume, or elevate a session, including mobile, web, kiosks, loyalty apps, and support flows.
  • Separate shared-device initiation from trusted-device approval: Use QR-driven or equivalent second-device approval patterns for kiosks and other keyboard-limited environments so the public terminal only starts the flow.
  • Apply step-up controls to high-risk retail actions: Require additional verification for payment changes, reward redemption, high-value purchases, and unusual device or location patterns.

What's in the full article

Descope's full blog covers the operational detail this post intentionally leaves for the source:

  • Visual walkthrough of the Flows builder for passwordless, MFA, and device-authentication journeys
  • Step-by-step kiosk QR approval sequence with session validation and token handoff
  • Example integrations with payment providers such as Stripe, Square, and Plaid
  • A/B testing flow examples for comparing login methods, MFA timing, and onboarding paths

👉 Read Descope's analysis of omnichannel retail authentication flows →
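
The second-device approval pattern from the practitioner guidance above, as an added example that is not part of the original post and is not Descope's implementation. It shows the server-side state for a kiosk QR flow in which the public terminal only starts the flow and a trusted device approves it. The function names, the 120-second lifetime, and the in-memory store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 120  # assumed lifetime of a QR approval request
_requests = {}     # request_id -> state; in-memory stand-in for a server-side store


def start_kiosk_flow(kiosk_id, now=None):
    """Kiosk starts the flow. request_id goes into the QR; poll_secret stays on the kiosk."""
    now = time.time() if now is None else now
    request_id = secrets.token_urlsafe(16)
    poll_secret = secrets.token_urlsafe(32)
    _requests[request_id] = {
        "kiosk_id": kiosk_id,
        "poll_hash": hashlib.sha256(poll_secret.encode()).hexdigest(),
        "expires": now + TTL_SECONDS,
        "status": "pending",
        "user_id": None,
    }
    return request_id, poll_secret


def approve(request_id, user_id, device_trusted, now=None):
    """Called from the customer's already-authenticated mobile session after scanning."""
    now = time.time() if now is None else now
    req = _requests.get(request_id)
    if req is None or req["status"] != "pending" or now > req["expires"]:
        return False
    if not device_trusted:  # an untrusted phone cannot approve a kiosk session
        return False
    req["status"], req["user_id"] = "approved", user_id
    return True


def redeem(request_id, poll_secret, now=None):
    """Kiosk polls with its secret; an approved request yields one session, once."""
    now = time.time() if now is None else now
    req = _requests.get(request_id)
    if req is None or now > req["expires"] or req["status"] != "approved":
        return None
    presented = hashlib.sha256(poll_secret.encode()).hexdigest()
    if not hmac.compare_digest(presented, req["poll_hash"]):
        return None  # knowing the QR value alone is not enough to obtain the session
    req["status"] = "redeemed"  # single use: a replayed poll gets nothing
    return {"user_id": req["user_id"], "kiosk_id": req["kiosk_id"],
            "session_token": secrets.token_urlsafe(32)}
```

No credential is ever typed on the kiosk: the session it receives is bound to the kiosk that started the flow, expires with the request, and can be handed out only once.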

(@mr-nhi)

Omnichannel retail authentication is now a journey problem, not a page problem. The legacy assumption that identity ends at a login screen no longer holds when customers move across mobile, web, kiosks, and connected devices in one shopping session. That creates governance pressure on session continuity, device trust, and claim portability, because the authentication boundary is now distributed across channels. Practitioners should treat the journey itself as the control surface, not just the application entry point.

A few things that frame the scale:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
  • Only 44% have implemented any policies to govern AI agents, leaving the majority of deployments outside explicit control boundaries.

A question worth separating out:

Q: What is the difference between passwordless login and cross-device authentication?

A: Passwordless login removes the password from the authentication step. Cross-device authentication goes further by allowing the identity journey to begin on one device and complete on another, often with session approval on a trusted mobile device. Retail teams usually need both, because eliminating passwords alone does not solve shared-device checkout or session continuity problems.

👉 Read our full editorial: Omnichannel retail authentication is shifting beyond single-session login



   