Friction in the user experience causes drop-off and abandonment. This problem is exacerbated when it comes to authentication because it impacts 100% of visitors and customers. 

Even the best acquisition, engagement, and retention strategies can fall short if customers struggle with registering for, logging into, or recovering accounts. Plus, known customers are more engaged and are willing to spend more compared to their anonymous counterparts. 

Getting authentication right is critical to business success and it is possible to deliver a seamless experience for customers without making security compromises. Here are three ways to decrease authentication friction while increasing access security. 

1. Eliminate passwords from your user interface and database

Passwords are the most common culprit to authentication friction. Good passwords are complex, random, and long, which coincidentally make them difficult for human beings to remember. No wonder 66% of Americans reuse passwords and 1 in 10 have been using at least one password since middle or high school. 

The fact that customers are frustrated by passwords is not news, and there’s been a movement towards implementing social logins as a solution. However, this is not ideal, because social logins simply move the security risk to a third-party account, leaving companies vulnerable to fraud, data breaches, and risk to brand reputation. What’s more, the customer may have shared their credentials or created multiple accounts to access the same application. 

Eliminating passwords is a critical first step to reducing customer friction. Doing so frees customers from creating and remembering yet another password and allows companies to prevent avoidable drop-off and churn at registration, login, check-out, and account recovery. 

To be clear, eliminating passwords is more than getting rid of the password field on your customer login page. Going passwordless, in the true sense of the term, requires removing passwords from your database completely.

When passwords are eradicated from both the customer experience and the database, you can make account takeover fraud, phishing, and brute force attacks impossible to execute. Moreover, going passwordless allows you to mitigate botnet attacks that hinge on credential stuffing attacks. After all, what doesn’t exist cannot be attacked. 

2. Strengthen security by implementing frictionless, passwordless MFA

Multi-factor authentication (MFA) is often presented as the panacea to security issues. Unfortunately, the past decade has shown slow MFA adoption on the customer side. 

In 2019, Google summarized America's attitude towards MFA as “thanks, but no thanks” with only 37% using MFA. In the same year, a usability study from Brigham Young found that only 29% of consumers agree that the second factor was worth the convenience trade-off, with 35% specifically citing that their second factor was not immediately available at login. 

Plus, there are known security vulnerabilities with legacy MFA that employ passwords as the first factor including social engineering, SIM swaps, and man-in-the-middle attacks. 

The more secure way to implement MFA is to remove passwords from the equation altogether and instead authenticate customers with two strong factors—“something you are” and “something you possess”. 

The good news is, passwordless MFA can deliver both factors in one transaction, without burdening the customer with providing proof. 

Beyond Identity delivers frictionless, passwordless MFA by working in tandem with the customer’s device to leverage the device biometric to prove “something you are”, and uses the immovable private key created and stored in the device TPM to prove “something you own”. For your customer, authentication will simply involve entering their user ID and clicking login—no second devices, one-time codes, or push notifications required. They’ll love it.

Learn more about passwordless MFA your users will love. 

3. Strategically leverage additional verification with risk-based access controls

While we’ve been speaking about customer friction as a negative thing that should be reduced, it can be a tool leveraged by sophisticated product and security teams to increase assurance in risky situations. 

For instance, you may want to introduce a controlled amount of friction when a customer is attempting to log in from an unknown location, new device, unusual time, or attempting a riskier operation like moving a large amount of money or checking a lab report.
 
A secure authentication solution should be seamless by default, while strategically asking for additional verification of a person’s identity when deemed necessary. This helps you keep legitimate customers happy with fast, secure access while giving you the flexibility to enforce stronger access controls for higher-risk behaviors and operations. 

In order to implement risk-based access controls, you need visibility into real-time user and device risk signals, configurable access policies that comply with your security requirements, and dynamic orchestration of step-up authentication to prompt customers for an additional biometric. 

Learn more about risk-based authentication.

Conclusion

It’s a myth that optimizing the customer authentication experience comes at the expense of security. In fact, effective security improvements can and should work in conjunction with making customers’ lives easier. 

The three steps to achieving frictionless and secure customer authentication are:

• Completely eliminating passwords from both the user experience and database
• Implementing passwordless MFA that authenticates customers with two strong factors without the hassle of second devices, one-time codes, or push notifications
• Introducing friction strategically with dynamic step-up authentication based on real-time user and device risk signals

Ready to get started with building a world-class authentication experience in your products? Contact our customer authentication specialists today.