To Balance Security and User Experience, It’s Time to Move Beyond Just MFA
Online shopping is easy. It’s part of what makes e-commerce tick and why, perhaps, it’s an $871 billion industry in the U.S. The simple convenience of adding things to your digital cart and checking out, often with free delivery and returns, makes up for the inability to see, hold, and try on items before buying.
Given this convenience, many online retailers hesitate to throw security blockers between a willing purchaser and the final sale confirmation. Those that do risk scaring a shopper away, but those that do not also take significant risks when it comes to the security of their customers and their bottom line.
While multi-factor authentication (MFA) has become a part of daily online life for consumers, it’s not always a welcome one. With every other website sending a user to their email or phone to regurgitate a random string of numbers and confirm they’re really who they say they are, the security feature can sometimes feel like more of a hassle than it’s worth.
The reality is that retailers are leaving a lot of money on the table with their security. On one hand, they may put up MFA checks that cause people to abandon their cart, or ask returning shoppers to log back in to complete their purchase. Even without MFA, online shoppers abandon 69.82% of all carts, and two of the top five reasons are account creation requirements and checkout processes that take too long or are too much of a hassle. Add to that the frequency of false-positive credit card declines and you are throwing up roadblocks that may prevent a sale.
How many times has the excitement of a new phone or computer been dulled by needing to re-confirm your device at all of your usual sites? What if you’re logging in from a new location, or don’t remember your password — or, the nightmare scenario, lost access to your primary phone number or email address used for verification? At a certain point, having to use multiple devices or platforms just to get through a checkout will send people offline and on a trip to the mall, or to a competitor’s site.
On the other hand, to avoid that checkout friction, some retailers disable MFA procedures, calculating chargebacks as a cost of doing business, or even using a vendor that covers the chargeback cost in the event of fraud. This might speed up the checkout process, but that customer goodwill is going to evaporate pretty quickly when those retailers’ lax security measures let fraudsters through and those customers have to deal with hacked accounts. This is a major financial liability for a retailer.
So what can online retailers do to thread the needle between security and user experience? With advances in identity intelligence, there are better, more seamless ways to check whether someone is who they say they are, and you can always send them to an MFA check to be sure. Here is why we should no longer rely on MFA as the sole way of authenticating users, and how newer technologies can keep users (and retailers) secure without getting in the way.
To Authenticate or Not to Authenticate - A Dilemma
The online shopping experience for users has been streamlined so effectively in so many areas that when a request to authenticate comes up, it can prove a significant stumbling block for shoppers. I ordered from here last week, a customer might think. Why do I need to go into my email to get a verification code? It’s like a toll booth on the highway; we know we need to do it, but it’s really irritating to slow down there, adding more time to our destination.
Meanwhile, networks that let online retailers check live and historical behavioral data can confirm whether a user's current activity is consistent with their usual activity. If it is, the user passes and completes checkout without slowing down, like an E-ZPass or other automated toll collection system, if we are still on that metaphorical highway. This level of trustworthiness applies not only to the authentication phase; it can also reduce false-positive credit card declines, which are commonplace in Card Not Present transactions, the category that covers most online purchases.
It Utilizes Stagnant Data
Most authentication, address verification or transaction systems rely on data that rarely changes: home addresses, phone numbers, email addresses, and so on. The problem is that most of that information has already been compromised (remember the Equifax breach?) or is available with a little online sleuthing. Data that is circulating on the dark web is, by definition, something an attacker can present as easily as the legitimate customer can, which makes it ineffective as proof of someone's identity.
But if we return to the data networks of today, where users can be verified (or flagged as a potential fraudulent actor) based on the main data vectors of device, network, geography, and activity, that old, stagnant data is no longer enough on its own to trick the system. The network can tell whether a customer is behaving in their normal patterns (i.e., it is actually them) before they even reach the retailer's website. If so, a frictionless pass-through checkout is available: the session can be kept alive longer between visits (the user remains logged in), and a trusted user can be given more password attempts than an untrusted one before a reset is required. If not, an MFA challenge can be put in the way of the potential fraudster and do its job. Behavioral signals yield a risk score rather than proof, so the step-up path must stay in place for the cases the score cannot clear.
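The decision logic described above, written out as an added example (this is not Deduce's product or code, and every field name, weight, threshold, ASN number and coordinate here is an illustrative assumption): each login event is scored on the four vectors of device, network, geography and activity against a constructed per-account baseline, and the result picks between a frictionless pass with a long session and generous password attempts, a step-up MFA challenge, or a block.

```python
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Added example of risk-based (adaptive) authentication. All names, weights,
# thresholds and sample values are this example's own assumptions.


@dataclass(frozen=True)
class LoginEvent:
    """One login/checkout attempt as seen by the retailer."""
    device_id: str   # stable device fingerprint or app-install id
    ip_asn: int      # autonomous system of the source IP (illustrative numbers)
    country: str     # country from IP geolocation
    lat: float
    lon: float
    at: datetime


@dataclass
class Profile:
    """Baseline of what has been seen for this account before."""
    known_devices: set[str]
    known_asns: set[int]
    usual_countries: set[str]
    last_event: LoginEvent | None = None


@dataclass(frozen=True)
class Policy:
    decision: str               # "allow", "step_up_mfa" or "block"
    session_ttl: timedelta      # how long the user stays logged in
    max_password_attempts: int  # attempts allowed before a forced reset
    reasons: tuple[str, ...]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def score_event(ev: LoginEvent, profile: Profile) -> tuple[int, list[str]]:
    """Sum risk from the four vectors; 0 means fully consistent with the baseline."""
    score, reasons = 0, []
    if ev.device_id not in profile.known_devices:     # device vector
        score += 20; reasons.append("new device")
    if ev.ip_asn not in profile.known_asns:           # network vector
        score += 20; reasons.append("new network")
    if ev.country not in profile.usual_countries:     # geography vector
        score += 30; reasons.append("new country")
    last = profile.last_event                         # activity vector
    if last is not None:
        hours = (ev.at - last.at).total_seconds() / 3600
        km = haversine_km(last.lat, last.lon, ev.lat, ev.lon)
        # Faster than ~1000 km/h between two logins cannot be one person.
        if hours >= 0 and km / max(hours, 1 / 60) > 1000:
            score += 40; reasons.append("impossible travel")
    return score, reasons


def decide(ev: LoginEvent, profile: Profile) -> Policy:
    """A new device alone stays under the step-up threshold; stacked signals escalate."""
    score, reasons = score_event(ev, profile)
    if score >= 70:
        return Policy("block", timedelta(0), 0, tuple(reasons))
    if score >= 25:
        return Policy("step_up_mfa", timedelta(hours=1), 3, tuple(reasons))
    return Policy("allow", timedelta(days=30), 10, tuple(reasons))


def record_success(ev: LoginEvent, profile: Profile) -> None:
    """After a completed checkout the event joins the account's baseline."""
    profile.known_devices.add(ev.device_id)
    profile.known_asns.add(ev.ip_asn)
    profile.usual_countries.add(ev.country)
    profile.last_event = ev


# Constructed sample data: a long-time shopper with two known devices, home ISP, US.
NYC = (40.7128, -74.0060)
BEIJING = (39.9042, 116.4074)
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)


def sample_profile() -> Profile:
    last = LoginEvent("dev-phone-1", 7922, "US", *NYC, T0)
    return Profile({"dev-phone-1", "dev-laptop-1"}, {7922}, {"US"}, last)


SCENARIOS = {
    "routine":     LoginEvent("dev-phone-1", 7922, "US", *NYC, T0 + timedelta(hours=2)),
    "new_device":  LoginEvent("dev-tablet-9", 7922, "US", *NYC, T0 + timedelta(hours=2)),
    "new_network": LoginEvent("dev-tablet-9", 20115, "US", *NYC, T0 + timedelta(hours=2)),
    "takeover":    LoginEvent("dev-unknown", 4134, "CN", *BEIJING, T0 + timedelta(hours=2)),
}


def run_scenarios() -> dict[str, Policy]:
    return {name: decide(ev, sample_profile()) for name, ev in SCENARIOS.items()}


if __name__ == "__main__":
    for name, policy in run_scenarios().items():
        print(f"{name:12} {policy.decision:12} ttl={policy.session_ttl} reasons={policy.reasons}")
```

The weights are the point of the exercise: a returning customer on a new tablet over their usual home connection scores 20 and is waved through with a 30-day session, a new device on an unfamiliar network is sent to MFA, and an unknown device in another country two hours after a New York login trips the impossible-travel check and is blocked outright. Whether a given signal adds 20 or 40 is a business decision a retailer tunes against its own chargeback and abandonment data.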
It’s No Way to Treat Your Loyal Customers
Beyond simply being a roadblock that slows down the process, it is a poor user experience for loyal customers to have to log back in, or worse, receive an MFA challenge, despite all their routine activity. One common trigger, for example, is logging in from a new device. Maybe they have had an account at the retailer for years, have the store app installed on their phone, and have built up an impressive number of reward points. Maybe they have given hundreds or thousands of dollars to the company. Being asked to confirm their identity over and over can feel insulting, and it is a real impediment to future loyalty growth, especially as that merchant pours money into customized customer experiences.
But if the real-time data around that user confirms that they’re who they say they are, no further authentication is necessary. They can get on with their transaction and the rest of their day while the retailer is practically holding the door open for them, a kind gesture that will be remembered and will add to the overall experience of shopping at that company.
Real-time activity data has generally been usable only at a scale accessible to internet giants. Today's identity networks use new, dynamic types of data to better identify valid customers and let retailers and e-commerce companies offer a secure, frictionless checkout. Having to choose between user experience and security can be a thing of the past. After all, identity IS the experience.
As the founder and CEO of Deduce (www.deduce.com), Ari Jacoby is a successful serial entrepreneur and thought leader who’s on a mission to democratize access to critical fraud data after spending nearly two decades bridging the intersections of data, privacy, and security. Prior to founding Deduce, Ari led companies including Solve Media/Circulate (acquired by LiveRamp) and Voicestar (acquired by Marchex), to successful exits. He is now dedicated to protecting businesses and their consumers from identity fraud threats while simultaneously creating more secure, frictionless experiences. Ari attended Georgetown University, where he received a BA in Government & Economics. Follow Ari on LinkedIn or Twitter at @arijacoby.