Session Abstract: Securing online accounts is a very challenging problem. How do we know which accounts are bots or bad-acting humans? If we clean up our identities and drastically reduce the number of accounts that are reported in quarterly earnings, what will that do to our company valuation?
This presentation will show how the U.S. grocery giant Kroger implemented identity threat detection and response best practices using multiple vendor-based and custom-built solutions to protect more than 75 million online accounts.
You will get a peek at how we answered questions like: Is identity proofing valuable for grocery e-commerce accounts? Do we need to score user-provided PII? Do we use a vendor for scoring risky sign-ins, or do we build a custom machine learning model? Where and when should we add targeted friction like asking users to re-enter the entire credit card number? How do we guide unsophisticated users to enroll in MFA? And when do we prompt for step-up auth?