
No Compromise: Tradeoffs Between Security and Customer Experience Are Not Acceptable

How many times have you been asked to create a complex password when registering as a new user on a website and found yourself wondering, “Is this really worth the time and energy to create this account?” Creating a password is just one of many security steps that most sites and apps force us to take that neither establish strong protection nor delight us as customers. Instead, they create friction and often lead to abandonment.

Of course, there are other examples. Sites layer on one-time passcodes or magic links, or ask us to answer out-of-wallet questions (e.g., who was your favorite school teacher?), all because passwords fail to provide strong security in the first place. Too many sites repeat these steps on subsequent logins and again when users perform certain tasks, like updating their account profiles or executing large financial transactions. And yet these additional steps are nearly as insecure as the reusable passwords they were designed to augment: a one-time code can be phished or intercepted, and the answer to a knowledge question is often guessable or publicly known.

Some sites take an alternative approach by using social logins (e.g., login with Facebook or Google), which are a form of what’s known as “bring your own identity” (BYOI). This makes registration and login much easier, but because the level of assurance provided by BYOI is usually low, it is often paired with measures similar to those used with passwords: OTPs, out-of-wallet questions, and so on.

Of course, the worst user experience is one where a customer’s account has been compromised or their private information has been stolen. The steps your customer must take to recover from this breach of privacy and the costs they (and later you) must pay are quite steep. Account takeover must be prevented.

The lesson is that poor security leads to poor user experience, high abandonment rates, low rates of conversion (i.e., revenues), higher costs of operation, and diminished engagement and brand loyalty.

Alternatively, good security can be much more seamless and efficient and help you deliver a delightful customer experience. Indeed, we believe that good security must be nearly seamless, and therefore results in a better experience. Here’s why: the more your security relies on the user, the more prone it is to failure and the more intrusive it is for your customers.

It’s time to stop compromising between security and user experience. There is no balance to strike, because the two are not in tension: good security leads to good user experience.

How to fortify security and improve CX?

Let’s start with account registration and authentication. One of the best things you can do is stop asking users to create passwords. Passwordless authentication, especially when based on the FIDO2 standard, where customers unlock a device-bound credential with their device biometrics to log in to your site, is not only far easier to use but also much more secure: the credential is a key pair bound to your origin, so there is no reusable secret for an attacker to phish or replay. It’s the best example today of a no-compromise approach to security and UX. Because it makes registration a breeze as well, you’re likely to see far fewer abandonments during signup.
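To make the relying-party side of that flow concrete, the following is an added example (not code from the original post or from Transmit Security) of the checks a server must perform on a FIDO2/WebAuthn login assertion before it verifies the signature: the ceremony type, the challenge it issued (compared in constant time, so a replayed assertion is rejected), the origin, the RP ID hash inside the authenticator data, and the user-presence and user-verification flags. The relying party ID `example.com`, the origin, and the constructed sample assertion are assumptions for illustration; the signature check over `authenticatorData || SHA-256(clientDataJSON)` with the registered public key is the final step and is not shown.

```python
"""Relying-party checks on a FIDO2/WebAuthn assertion (added example).

Assumption: the browser returned the result of navigator.credentials.get()
and the server stored the random challenge it issued for this login attempt.
The signature verification that follows these checks is not shown here.
"""
import base64
import hashlib
import hmac
import json
import secrets

RP_ID = "example.com"                     # assumed relying-party ID
EXPECTED_ORIGIN = "https://example.com"   # assumed origin the RP serves

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (biometric or PIN on the authenticator)


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes, require_uv: bool = True) -> None:
    """Raise ValueError on the first failed check; return None if all pass."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    got = b64url_decode(cd.get("challenge", ""))
    # Constant-time compare: a stale or forged challenge means a replay attempt.
    if not hmac.compare_digest(got, expected_challenge):
        raise ValueError("challenge mismatch (possible replay)")
    if cd.get("origin") != EXPECTED_ORIGIN:
        raise ValueError(f"unexpected origin {cd.get('origin')!r}")
    if len(authenticator_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        raise ValueError("rpIdHash does not match RP ID")
    if not flags & FLAG_UP:
        raise ValueError("user presence flag not set")
    if require_uv and not flags & FLAG_UV:
        raise ValueError("user verification required but not performed")


def make_sample_assertion(challenge: bytes, origin: str = EXPECTED_ORIGIN,
                          rp_id: str = RP_ID, flags: int = FLAG_UP | FLAG_UV):
    """Constructed stand-in for a browser response (not real authenticator output)."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode()
    # authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")
    return client_data, auth_data


def check(client_data: bytes, auth_data: bytes, challenge: bytes,
          require_uv: bool = True) -> str:
    """Wrap verify_assertion so callers get 'ok' or 'rejected: <reason>'."""
    try:
        verify_assertion(client_data, auth_data, challenge, require_uv)
        return "ok"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    challenge = secrets.token_bytes(32)
    cd, ad = make_sample_assertion(challenge)
    print(check(cd, ad, challenge))
    cd2, ad2 = make_sample_assertion(challenge, origin="https://evil.example")
    print(check(cd2, ad2, challenge))
```

The origin and rpIdHash checks are what make the credential phishing-resistant: an assertion obtained on a look-alike domain carries that domain's origin and hash and fails here, with no user judgment involved. Requiring the UV flag is what turns "something the device holds" into "the device's owner is present", which is the property a biometric login relies on.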

How about when a user comes back to your site later on? With proper protection, you can trust the session that your customer established earlier. For many sites, a session cookie alone isn’t secure enough, because the cookie can be stolen and the session hijacked. With integrated and continuous fraud detection, you monitor trust and risk signals, such as the device fingerprint or the travel velocity implied by the device’s last two locations. For sessions where trust is high and risk is low, you can continue to rely on the session cookie. No need for your customer to re-authenticate.

What about step ups?

Step ups are often required for account changes or large financial transactions. Here again, good protection can eliminate user friction. Continuous risk assessment can determine when there are risk factors that truly warrant a step up, such as re-authenticating. It can terminate sessions that appear to be hijacked, when bots are detected, or when a remote access trojan (RAT) is installed on the user’s device. For users whose device remains trusted and whose other signals point to high trust and low risk, your site no longer needs to inconvenience the user with a step up.
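The two passages above describe one policy: re-evaluate the session on every request and reserve step ups and terminations for requests whose signals actually changed. The following is an added example of such an assessment, written for this page and not taken from Transmit Security's platform; the device fingerprint hash, the coarse geolocation, the bot and RAT indicators, and the 1000 km/h impossible-travel threshold are all assumed inputs and values chosen for illustration.

```python
"""Continuous risk assessment for a request that presents a session cookie
(added example, not product code). Inputs and thresholds are assumptions."""
import hmac
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed: roughly airliner speed; faster is "impossible travel"

ALLOW, STEP_UP, TERMINATE = "allow", "step_up", "terminate"


@dataclass
class SessionState:
    """What the server remembers about the session behind a cookie."""
    device_fp: str   # hash of the device fingerprint seen at login
    lat: float
    lon: float
    ts: float        # unix seconds of the last accepted request


@dataclass
class Request:
    """Signals attached to the current request (assumed to come from client-side fraud detection)."""
    device_fp: str
    lat: float
    lon: float
    ts: float
    bot_detected: bool = False   # automation signature on the client
    rat_detected: bool = False   # remote-access-trojan indicators on the device


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in km."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def travel_velocity_kmh(state: SessionState, req: Request) -> float:
    """Speed the user would have needed to get from the last request to this one."""
    dist = haversine_km(state.lat, state.lon, req.lat, req.lon)
    hours = (req.ts - state.ts) / 3600.0
    if hours <= 0:  # clock skew or out-of-order delivery: any movement is suspicious
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def assess(state: SessionState, req: Request):
    """Return (decision, reasons) for a request carrying a valid session cookie.

    The decision does not depend on which action is requested: a large
    transfer from a trusted device at a plausible location is allowed
    without a step up, while a routine page view from a hijacked session
    is not.
    """
    if req.rat_detected:
        return TERMINATE, ["remote access trojan indicators on device"]
    if req.bot_detected:
        return TERMINATE, ["automation / bot signature"]

    reasons = []
    fp_match = hmac.compare_digest(req.device_fp.encode(), state.device_fp.encode())
    if not fp_match:
        reasons.append("device fingerprint changed")
    v = travel_velocity_kmh(state, req)
    if v > MAX_PLAUSIBLE_KMH:
        reasons.append(f"impossible travel: {v:.0f} km/h")

    # Same cookie, different device, different place: the session looks hijacked.
    if not fp_match and v > MAX_PLAUSIBLE_KMH:
        return TERMINATE, reasons
    # A single anomaly: keep the session but re-authenticate before honouring it.
    if reasons:
        return STEP_UP, reasons
    # Trusted device at a plausible location: no step up needed.
    return ALLOW, ["device and location consistent with session"]


if __name__ == "__main__":
    # Constructed sample: session established in London, requests an hour later.
    session = SessionState("fp-A", 51.5074, -0.1278, 1_700_000_000.0)
    print(assess(session, Request("fp-A", 51.5100, -0.1300, session.ts + 600)))
    print(assess(session, Request("fp-A", 40.7128, -74.0060, session.ts + 3600)))
    print(assess(session, Request("fp-B", 40.7128, -74.0060, session.ts + 3600)))
```

Two design points matter here. The fingerprint comparison uses `hmac.compare_digest` so that timing does not leak how many leading bytes of a stolen fingerprint hash were right. And the policy distinguishes one anomaly from a combination: a new device in the same city is a reason to re-authenticate, but a new device on another continent within the hour is treated as a stolen cookie and the session is ended rather than challenged, because a challenge would be answered by the attacker's device.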

Why hasn’t every business employed this approach?

Frankly, until now it’s been really hard to do. First, enterprises had to invest separately in each of these technologies: passwordless authentication, online fraud detection, a compatible user store and more. They had to have the knowledge to stitch them together without destroying a good user experience. And they had to have an orchestration product to enforce their policies and guide the user journeys. This approach is difficult to build, expensive to maintain and operate, and dramatically slows innovation because of all the moving parts.

How we’ve solved these problems

Our approach was to build a modern, developer-friendly SaaS platform with modular and integrated identity security services, including passwordless and multifactor authentication options, digital identity protection services, an extensible user identity store with authorization and user management features and embedded orchestration focused on enabling easier user journeys. This is the Transmit Security CIAM Platform and is used by Fortune 500 companies, medium-sized enterprises and startups alike to create secure and delightful customer experiences.

We work every day to follow this principle — that good security must provide a better user experience — in everything we build and deliver at Transmit Security. Our vision is a world where businesses no longer compromise between ironclad security and exceptional customer experience. This vision can be a reality, so long as you refuse the tradeoffs that we’ve become so accustomed to accepting.
