3 considerations for building an effective intelligent friction strategy
By Michelle Hafner, chief operating officer, NuData Security
You don’t expect to have to answer a security question or provide a one-time password (OTP) when you log in to your food delivery service account to order an $8 pizza. On the other hand, you probably do expect additional authentication measures when you log in to an account that stores sensitive information, like your healthcare account.
This is an example of intelligent friction — step-ups that are intentionally and strategically triggered to verify a user’s identity. By balancing user experience (UX) and security, you can protect customers’ information without burdening them with default authentication measures. There’s no one-size-fits-all approach to intelligent friction, but it’s an important component of security since it can have far-reaching effects on your bottom line.
Why friction can sometimes be a good thing
When logging in to any type of account, it’s important for users to prove they are who they say they are — that’s how you keep their personal information secure. And protecting customer data is just as important for you as it is for them. In addition to reputational damage, the average real-dollar cost of a breach rose by nearly 10 percent year over year — the largest y-o-y increase in the last seven years.
But let’s face it: Friction along the user journey can also frustrate users and sometimes even drive them away. More than 80 percent of consumers have abandoned their cart or sign-up attempt as a result of a burdensome login process.
Fortunately, organizations are becoming increasingly sophisticated in terms of making that friction intentional and customized rather than standard for every user — because for certain accounts or situations, friction is a good thing. Consumers tend to agree with this way of thinking. A majority of individuals rated security as “very important” to their accounts.
There isn’t a standard practice when it comes to protecting users’ accounts, but there is a lot to consider when establishing an intelligent friction strategy. Ultimately, it all comes down to striking the right balance between security and providing a positive UX.
How to use intelligent friction to improve authentication
Intelligent friction is an automated user verification process that adapts the level of friction to how trusted or risky the user is perceived to be — and it can both benefit your bottom line and improve your UX.
By protecting the accounts that matter the most with a customized, intelligent approach, you avoid the costly ramifications of data exposures and breaches. Conversely, your users will enjoy the customized experience and build trust with the brand.
Consider these three tips for creating a strategy that triggers the right friction in a user’s journey:
- Assess the context. Certain accounts contain sensitive information about users while other accounts only have information like a user’s name and address. You must evaluate the value and risk of each account you manage, determining whether the pros of additional authentication outweigh the cons of a bad actor gaining unauthorized access to the account. For something like a healthcare account, it’s a good idea to err on the side of caution with security. However, if you’re dealing with a user’s food delivery service account that appears to be low risk, you can probably hold off on implementing additional authentication measures to let them get their morning smoothie.
- Consider UX. In addition to assessing the context and risk of your users’ accounts, you should put yourself in your users’ shoes to determine the level of friction they would accept in a given scenario. As a user, you want added friction if it means your healthcare or sensitive financial data will be kept secure. But is it really worth completing an additional step-up to mobile-order a $4 coffee? In that scenario, you would probably just head to a different coffee shop or make coffee at home. If there are alternatives — or rather, if something is easy to not purchase — companies tend to accept a certain level of risk to avoid losing sales as a result of a poor UX. Considering companies lose billions of dollars in sales from false credit and debit card declines every year, prioritizing UX can be a healthy decision for some retailers’ bottom lines.
- Tailor step-ups to each type of threat. Not all threats are created equal, so your authentication measures shouldn’t be, either. Let’s say you trigger a CAPTCHA each time suspicious behavior occurs. This method will trip up many bots; however, if the threat is a human bad actor typing in someone else’s credentials, they can easily complete the CAPTCHA, making your fraud prevention technique useless. Instead of this blanket approach, deploy sophisticated security tools that can identify the type of risk. If it is a human trying to gain unauthorized access, you can trigger a step-up that will actually stop them in their tracks — like an OTP.
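The three tips above can be read as one decision procedure. The sketch below is an added example, not code from the author or from NuData Security; the signal names (`automation_score`, `behavior_mismatch`, `known_device`), the thresholds and the two sensitivity levels are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Threat(Enum):
    NONE = "none"
    BOT = "bot"      # scripted traffic
    HUMAN = "human"  # a person typing someone else's credentials

class StepUp(Enum):
    NONE = "none"
    CAPTCHA = "captcha"
    OTP = "otp"

@dataclass(frozen=True)
class LoginAttempt:
    sensitivity: str          # "low" (food delivery) or "high" (healthcare)
    known_device: bool        # device previously seen on this account
    automation_score: float   # 0..1, hypothetical bot-likeness signal
    behavior_mismatch: float  # 0..1, hypothetical "not the usual owner" signal

def classify_threat(a: LoginAttempt) -> Threat:
    # Thresholds are illustrative; a real deployment tunes them on its own data.
    if a.automation_score >= 0.8:
        return Threat.BOT
    if a.behavior_mismatch >= 0.7:
        return Threat.HUMAN
    return Threat.NONE

def choose_step_up(a: LoginAttempt) -> StepUp:
    threat = classify_threat(a)
    if threat is Threat.HUMAN:
        # A person can solve a CAPTCHA, so only a possession check helps.
        return StepUp.OTP
    if threat is Threat.BOT:
        # CAPTCHA trips up bots; sensitive accounts get the stricter check.
        return StepUp.OTP if a.sensitivity == "high" else StepUp.CAPTCHA
    # No threat signal: add friction only where the account's value justifies it.
    if a.sensitivity == "high" and not a.known_device:
        return StepUp.OTP
    return StepUp.NONE

def demo() -> dict:
    # Constructed sample attempts, one per scenario discussed in the article.
    samples = {
        "pizza_order": LoginAttempt("low", False, 0.1, 0.1),
        "healthcare_new_device": LoginAttempt("high", False, 0.1, 0.1),
        "bot_on_retail": LoginAttempt("low", True, 0.95, 0.0),
        "stolen_credentials": LoginAttempt("low", True, 0.1, 0.9),
    }
    return {name: choose_step_up(a).value for name, a in samples.items()}

if __name__ == "__main__":
    for name, step in demo().items():
        print(f"{name}: {step}")
```
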
There isn’t a strict set of rules to follow when building an intelligent friction strategy, and it’s going to look different for every organization. As long as you consider your business goals, your UX priorities, and the risk of the account at hand, you can make a strategic decision about the right amount of friction to insert into a user’s journey.
About the author
Michelle Hafner is a Senior Product executive with expertise in identifying and building innovative Cyber and Intelligence solutions. She is currently the COO of NuData Security, a division of Mastercard.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are those of the author, and don’t necessarily reflect the views of Biometric Update.