When it comes to accessing digital services, the login is the all-important front door. For customers, it’s the pivotal interaction that can make or break a good first impression and for businesses, it’s the moment at which an anonymous user becomes a known customer. It’s also the place to defend against credential stuffing and a host of other cyberattacks that target user accounts.
That said, many businesses fail to give this gateway the attention it deserves, and a lot of the time this comes down to the traditional trade-off between security and a good user experience. Typically, the more friction there is, the more people will look for shortcuts, which leads to even worse security. So, when tasked with delivering seamless login experiences against a backdrop of sophisticated credentials-based threats and large-scale data breaches, businesses struggle to strike the right balance.
However, by utilising newer authentication technologies, organisations can adopt an identity-first approach to security that still guarantees a login experience that will delight their customers.
Authentication is broken
Mega data breaches are here to stay, with millions of username and password combinations being lost, dumped, or sold online at any given time. Add this to the growing trend towards credential-stuffing attacks, and we have a major problem with authentication as it stands today.
A decade ago, we may have predicted passwords would go the way of the fax machine – but they remain the most common form of authentication online, despite their flaws. With so many more applications that users must register for and log in to, password reuse across multiple sites is surging among all but the most security-conscious users. So, it’s no wonder businesses are so vulnerable to account takeovers right now.
When a breach occurs, it impacts everybody. The average email address is now associated with 130 online accounts, so it’s likely that a significant portion of customers are using the same or similar credentials across several sites. This means, when a password gets leaked in a data breach, there’s a high chance of it being successful on multiple other online accounts that the user owns.
Earlier this month, analysis of 100,000 breached passwords from the UK government’s National Cyber Security Centre (NCSC) found easily remembered passwords such as ‘123456’, ‘qwerty’ and ‘password’ among the most frequently hacked. While repeatedly using the same, simple passwords may increase convenience for consumers, it leaves them and the businesses they interact with vulnerable to credential stuffing and account takeovers.
On the other hand, more stringent authentication processes such as complex password requirements or second device verification will put customers off.
Keeping up with the consumers
Today’s customers are increasingly pushing back on points of friction at the login. For the so called ‘Netflix generation’, simplicity and speed of sign-up and login is important. They don’t want to be slowed down. Security is also a priority as we become ever more attuned to the value of our data and the repercussions of it being breached.
According to our research with YouGov, 85 per cent of UK consumers have abandoned their registration attempt or cart due to an arduous login experience. Users here are particularly turned off by having to fill in long login or sign-up forms (48 per cent) and creating a password that meets certain requirements (47 per cent).
The study also found that users want greater choice in login technologies, and will actively seek them out. Nearly half say they are more likely to sign up to an app or online service if a company offers multi-factor authentication (MFA). Other in-demand login options included Single Sign-On (SSO) that uses a single ID and password for multiple related services, followed closely by those that demand biometrics and passwordless.
Clearly, businesses underestimate the impact a poor login or sign-up experience has on customer churn, which leads to a disappointing gap between consumer expectations and what businesses offer.
Identity = Security
The solution lies in password-less and biometric security features, which although already ubiquitous in multi-factor authentication (MFA), are sometimes sniffed at by consumer-facing businesses over concerns that they add unnecessary friction.
Fortunately, a new generation of risk-based, adaptive authentication processes can deliver both security and a frictionless customer journey. They introduce roadblocks only where needed, and without reducing user experience.
As humans, we tend to make choices based on perceived threat. When a threat goes from being abstract to real, we’re much more likely to take it seriously and adjust our behaviour to account for it. In this context, the same user that resists stronger authentication methods when there is no perceived risk will be first in line to sign up for it when the alternative was to lose control of their account. Businesses can alert a user that their password has been leaked in a data breach, and then offer to improve their security posture enrolling in MFA, without risking conversion or impacting the user experience.
As the enterprise attack surface evolves, businesses have an opportunity to deploy these adaptive authentication processes in lieu of static methods. While there is no uniform approach to providing security and usability, responding to demand for a greater selection of secure, enjoyable login processes would be a great place to start.
Therefore, identity is quickly becoming one of the most strategic investments a business can make. The key to implementing identity successfully is to view it not just as a specific solution to an issue, but as a pillar of digital transformation. Ultimately, this is about building a human-first strategy, whereby technology is adapted to the needs of people, and not vice versa.
As better, more agile authentication solutions are developed, successful businesses will act on the trend now and not be left in its wake.
Jasmit Sagoo is currently an international leader with a proven track record of successfully driving and implementing transformational Customer Success and go to market strategies, backed by 20+ years of technology and sales experience.