When using online services or mobile apps, people have high expectations for a smooth user experience and little patience for anything that might slow them down. Software teams recognize this and do everything they can to reduce user friction. However, protecting services from bad actors is also an imperative, and many solutions address this by introducing friction into the customer experience. Teams have to make a tough call between securing their service and putting up barriers for their legitimate users. We believe there is a better way, one that increases security while improving the customer experience.
After 9/11, the airline industry needed to figure out how to step up airport security. At first, new and onerous screening procedures were put in place. This made air travel more secure, but it came at a high cost to frequent travelers due to the friction that was added to every flight. People did feel safer; however, the added hassle made it much less appealing to fly. The TSA realized this and introduced PreCheck, which allowed “trusted travelers” to essentially be pre-screened for risk. A few years later, a commercial company called Clear came out with an even better service that reduced wait time and hassle even more. Now, when you go to an airport, you are presented with three security lines: the regular line, which is slow and heavily screened at the airport; the TSA PreCheck line, which is faster due to pre-screening; and the Clear line, which is the fastest yet due to pre-screening and biometrics.
As a PreCheck or Clear customer, the steps you take to enroll and participate in these programs, along with your behaviors leading up to your travel, let you bypass the long security wait times, resulting in a preferable, VIP-style travel experience. Given that so many interactions are online these days, doesn’t it make sense to apply these same principles?
We think of online friction as anything that slows down a person’s interactions with your service. You may have activation and conversion points where a user can sign up, log in, make a purchase, etc. With each of these conversion points comes a need and an opportunity to determine how much security friction should be applied. On one side, you may think that minimizing or removing friction altogether will allow for the best user experience. Sure, this may make sense from that perspective, but without any security in place, you run the risk of letting bad actors in. On the other side, you may want to ensure the safety and security of your service, perhaps by always enforcing some sort of multi-factor or step-up authentication flow. While that would increase account security, it also heavily impacts user experience, as no user prefers the hassle of submitting another factor of authentication every single time they try to interact with your website.
The challenge is determining when and how to secure things while impacting the user experience as little as possible. In cases where your users have established themselves and their identities through their interactions and behaviors, much like the TSA PreCheck and Clear scenario, doesn’t it make sense to put them on a VIP user experience track? In other words, if you could trust that people are who they say they are, wouldn’t you skip the unnecessary verifications?
Let’s explore a few of the common “entry” points for users into your online business.
Signup forms are a valuable way for businesses not only to gain understanding of who their customers are, but also to engage with them and build relationships. Being an initial entry point to many websites and applications, signup conversions are a priority of focus for businesses and, in parallel, are also a high-value target for fraudsters. Without any security friction at signup, the user experience is great, but it’s also great for bad actors submitting junk and spam registrations. This results in bad data and skewed analytics, and can even impact the bottom line. In an attempt to address this, friction is often introduced in the form of a CAPTCHA. Some CAPTCHA solutions, such as Google’s reCAPTCHA, are low friction and simple to solve, but that simplicity also lowers their effectiveness, especially with the growing number of services that can solve these CAPTCHA challenges. Other CAPTCHA solutions are more sophisticated, and do filter out the bad traffic, but they substantially increase friction and are a major barrier to entry for legitimate users.
Similar to signup endpoints, login endpoints are also highly targeted by fraudsters. With so much information shared online, it is relatively easy for bad actors to gain access to leaked or stolen credentials. Once this data is in hand, credential stuffing, which is the act of testing those credentials on a website (or multiple websites), takes minimal to no effort. For attackers, credential stuffing is an easy, low-cost activity that can lead to a high potential payout. Once valid credentials are identified, the result is account takeover (ATO). Criminals can then log in, change account details, obtain sensitive information, and commit fraud. At this point, an organization incurs not only the loss of trust of its users, but also potential financial loss.
There are numerous ways to protect and restrict login abuse, but just like with signup, the difficulty is introducing these restrictions without negatively impacting legitimate users. At first glance, an IP block list or rate-limiting policy may seem like a quick and dirty solution for these high-frequency login attempts. However, attackers often use bots to carry out credential stuffing, and now that these attacks are highly distributed across many source addresses, per-IP rules are no longer effective. A login endpoint can also be protected by a multi-factor authentication flow for every login attempt from every user, and while that results in a high level of protection, it leads to a low-quality user experience. As an end user, constantly facing these types of authentication flows can lead to less user engagement and even account abandonment. This is where that VIP level of service is the most important, since users will typically log in many more times than they’ll sign up.
A final area of security friction comes when an account has been taken over by a bad actor. The dark web is full of compromised username/password lists, and fraudsters have gotten pretty good at phishing for credentials. What happens when a user’s password has been stolen and they need to reset their account? This can either be a painful process or a smooth one. While a compromised account will happen far less often than a login or signup, having it happen to someone is stressful and could damage the perception and reputation of your service, especially if the recovery process is onerous.
Making it simple
Balancing security considerations against customer experience considerations can be a dilemma. There are many questions that need to be answered, including:
- What type of friction is appropriate for different scenarios?
CAPTCHA, SMS, E-Mail, Token, Biometric?
- When should friction be introduced in a workflow?
Legitimate user behavior, anomalous user behavior, malicious user behavior, bot behavior?
- Where should friction be applied?
Registration, login, password resets, profile updates, transactions?
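To make the what/when/where questions above concrete, here is an added example (not Castle's code or API) of a small risk-tiered friction policy for a login endpoint. It keys velocity signals on the account and on the source address rather than only on the IP, which is why it still catches the distributed credential stuffing described earlier, and it lets an established device skip friction entirely. The thresholds, window and device identifiers are assumptions for illustration.

```python
from collections import defaultdict, deque

WINDOW = 300  # seconds of failed-attempt history kept per account and per IP (assumed)
ATTACK_IPS = 5  # distinct IPs failing against one account before MFA is required (assumed)
SPRAY_USERS = 5  # distinct accounts one IP fails against before a CAPTCHA is required (assumed)


class FrictionPolicy:
    """Picks a friction level for a login attempt: none, email, captcha or mfa."""

    def __init__(self):
        self.trusted = defaultdict(set)       # user -> device ids with a prior successful login
        self.user_fails = defaultdict(deque)  # user -> (ts, ip) of recent failed attempts
        self.ip_fails = defaultdict(deque)    # ip -> (ts, user) of recent failed attempts

    @staticmethod
    def _prune(history, now):
        # Drop entries older than the sliding window so old noise does not count.
        while history and now - history[0][0] > WINDOW:
            history.popleft()

    def decide(self, user, ip, device, now):
        uf, ipf = self.user_fails[user], self.ip_fails[ip]
        self._prune(uf, now)
        self._prune(ipf, now)
        if len({src for _, src in uf}) >= ATTACK_IPS:
            return "mfa"      # one account hit from many sources: per-IP rules would miss this
        if len({acct for _, acct in ipf}) >= SPRAY_USERS:
            return "captcha"  # one source spraying many accounts: bot-like behaviour
        if device in self.trusted[user]:
            return "none"     # established device, no anomalies: the VIP track
        return "email"        # unfamiliar device: light step-up rather than full MFA

    def record(self, user, ip, device, now, success):
        if success:
            self.trusted[user].add(device)
        else:
            self.user_fails[user].append((now, ip))
            self.ip_fails[ip].append((now, user))


def run(events):
    """Apply the policy to (ts, user, ip, device, success) events; returns the decisions."""
    policy = FrictionPolicy()
    decisions = []
    for ts, user, ip, device, success in events:
        decisions.append(policy.decide(user, ip, device, ts))
        policy.record(user, ip, device, ts, success)
    return decisions


# Constructed sample: alice logs in from her laptop, six bots then fail against her
# account from six different IPs, and alice returns while the attack is still recent.
SAMPLE = ([(0, "alice", "10.0.0.1", "laptop", True)]
          + [(10 + i, "alice", f"198.51.100.{i}", f"bot{i}", False) for i in range(6)]
          + [(100, "alice", "10.0.0.1", "laptop", True)])
```

In the sample, alice's second visit from her known laptop is still challenged with MFA because the account itself is under distributed attack, while a quiet day would have let her straight through.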
Castle’s API service takes into account all of the above and allows organizations to better understand their users, their devices, and their behaviors when interacting with the online service. With an understanding of user patterns and behavioral norms, Castle takes the guesswork out of the what, when, where, and how, and gives you insight into what’s going on. With only a few lines of code, your website can be protected, and Castle can deliver a risk-based assessment of when to introduce friction across your application. We’re here to make it easier for you to protect your users while giving them the VIP experience they deserve.
If you're looking to get a head start on bettering the user experience for your users while still ensuring their security, sign up for a free trial here.