As a business owner or developer of an application where authentication is one of the first steps for every new and returning customer, choosing the easiest and most secure login experience is crucial for your success. Today, more and more companies are looking for the best passwordless solution that meets customer preferences for simplicity and security while addressing business needs. Even within the passwordless category, there are many types of passwordless authentication methods. Some popular options to consider:
Email magic links – Users enter their email address to get a magic link or unique code to log in, proving possession of the email address appended to their account.
SMS OTPs – Entering a phone number is required to get a unique one-time passcode to log in, proving possession of the phone appended to their account.
Biometric authentication – The gold standard of passwordless authentication, fingerprint or facial biometrics offer physical proof of the user’s identity to gain account access with an elevated level of trust.
Before making a decision on which passwordless customer authentication solution is right for you, think about the various considerations that are unique to your industry, business and customers.
Customer experience vs. security
Usually when asked if customer experience (CX) or security is more important, it’s tough for a business owner to answer because, in many cases, they’re equally important. Maybe you need a solution that gives you the best of both. The problem is most customer identity and access management (CIAM) solutions will ask you to compromise or “balance” the two as if security and CX are mutually exclusive. Having to make a tradeoff was indeed the reality until recent advances by the FIDO (Fast ID Online) Alliance. I’ll get to that, but first…
Think about the details of your business and your customers’ behavior:
The answer to the last question may feel like Sophie’s Choice, but these are the details that will dictate what kind of authentication solution is the right one for you.
For instance, if you want a more security-focused experience and aren’t worried about adding friction, you may opt to use SMS OTP, an authenticator app TOTP or magic links. Keep in mind however, all of these involve using shared secrets that can be phished, intercepted or compromised. And quite often, they are used as a second factor on top of passwords — your #1 risk that passwordless should eliminate.
If you care more about the CX and less about security, you may be content with the status quo of using passwords. I just encourage you to consider how much that’s costing you. 63% of consumers say they wouldn’t return to a website if they had fraud concerns, according to TransUnion’s 2022 Global Fraud Trends Report.
The same report shows:
These stats reveal that the mere perception of fraud risk can sway a consumer’s decision when selecting a digital service. The real question is, do you want to choose between CX and security? If you want to optimize both, look for a solution that enables in-app push notifications, WebAuthn and/or device biometrics.
Mobile vs. desktop users
Another question to ask: what are your customer’s preferred channels? Collecting the right telemetry to know where they are coming from so that you can build an optimized experience for them is critical. Plus, the more dynamic and insightful your solution is, the better. For example, your solution should know which of your customers have devices that support FIDO-based on-device biometric authentication and which ones do not.
If your customers tend to use desktop first, you may want to select in-app push notifications and/or an authenticator app TOTP. If you mostly have mobile-first customers, you may prefer OAuth, WebAuthn or device biometrics.
How essential is it for your business to collect or know a customer UID or user records? These can include phone numbers, emails and/or social security numbers. There are industries such as fintech, healthcare and travel where this information is required for the authentication flow. Point being, there are many different user record requirements that can have an impact on the authentication method(s) you offer.
App-based vs. app-less
A sophisticated solution should be able to leverage the technology your customers already have when they are registering or logging in to your domain. Namely, do they already have a client-side app downloaded to their device or are they using the web?
Here again, consider what percentage of your customers already have biometric-enabled devices.
An estimated 80% of active phones in North America, Asia and Western Europe have biometric capabilities. (Statista)
Does this represent a large percentage of your customer base?
Requiring the registration to go through an app can be an extra layer of security business owners may prefer. But that extra layer also requires an extra step for the customers who must be willing to download the app. An app-less passwordless solution could lower a barrier to entry and improve your passwordless adoption rates.
Device bound vs. device agnostic
Businesses may want a solution that can automatically recognize if the customer’s particular device can be used for a particular method of registration, authentication or authorization. For added security, a business may want to require that only a specific app (one supplied by the organization) is allowed.
The next question is how does your business think about these passwordless requirements when applied across your various business segments? For example, you may work at a very large company that caters to different types of customers. Disney, for example, owns theme parks and media companies, including Disney Jr. and the History Channel. They must meet a broad range of customer preferences, ways of engaging with technology, and the devices that customers of all ages and demographics use.
All of them have an interest in CX and security, but some lean one way more than others. Verticals like retail and customer software may place a high priority on mobile apps and on performance that scales to millions of customers in order to prevent churn. According to Google, when a page load time is delayed by 1 to 3 seconds, bounce rates increase by 32%, and by 90% when the page load time takes up to 5 seconds.
B2B and healthcare, on the other hand, emphasize desktop computers (yes, they still exist) and security (always important) because of regulatory compliance and low churn rates.
Some key questions to ask:
The most efficient solution for your business will depend on your answers to the considerations above. But if you’d like to have both — better CX and security — look for a WebAuthn solution. Here’s why. First, WebAuthn, a core component of the FIDO2 specifications, is a web-based API that allows you to update your website’s login pages to add FIDO-based authentication on all supported browsers and platforms. It’s particularly important to find a solution that makes it easier for developers to make use of WebAuthn.
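As an added example (not code from this post or from Transmit Security), this is how a login page can do the capability check described earlier, knowing which visitors have a device that supports FIDO on-device biometrics, and then start a WebAuthn login that requires the device to verify the user. The browser APIs (`PublicKeyCredential`, `navigator.credentials.get`) are the real WebAuthn ones; `chooseLoginMethod`, `startLogin` and the `win` parameter (so the code can be exercised outside a browser) are assumptions made for this example.

```javascript
// Capability probe: can this browser do WebAuthn at all, and does the device
// have a user-verifying platform authenticator (Touch ID, Face ID, Windows
// Hello, Android biometrics)? `win` defaults to the page's global object.
async function detectPlatformBiometrics(win = globalThis) {
  const PKC = win.PublicKeyCredential;
  if (typeof PKC === 'undefined') {
    return { webauthn: false, platformBiometrics: false };
  }
  let platformBiometrics = false;
  try {
    // Real WebAuthn API; resolves true when on-device biometrics/PIN is usable.
    platformBiometrics = await PKC.isUserVerifyingPlatformAuthenticatorAvailable();
  } catch (err) {
    platformBiometrics = false; // treat a probe failure as "not available"
  }
  return { webauthn: true, platformBiometrics };
}

// Pick the strongest method the visitor can actually use, in the order the
// post prefers: device biometrics > WebAuthn (security key) > in-app push >
// OTP/magic link (shared secret; phishable, so last resort).
function chooseLoginMethod(caps, hasNativeApp) {
  if (caps.platformBiometrics) return 'device-biometrics';
  if (caps.webauthn) return 'webauthn';
  if (hasNativeApp) return 'push';
  return 'otp';
}

// WebAuthn challenges arrive from the server base64url-encoded; the API wants bytes.
function base64urlToBytes(s) {
  const pad = '='.repeat((4 - (s.length % 4)) % 4);
  const bin = atob(s.replace(/-/g, '+').replace(/_/g, '/') + pad);
  return Uint8Array.from(bin, (ch) => ch.charCodeAt(0));
}

// Start a passwordless login. `serverOptions` is a constructed stand-in for the
// options your server issues: { challenge: <base64url>, rpId: <your domain> }.
async function startLogin(serverOptions, win = globalThis) {
  const publicKey = {
    challenge: base64urlToBytes(serverOptions.challenge),
    rpId: serverOptions.rpId,
    userVerification: 'required', // biometric or PIN must succeed on the device
    allowCredentials: [],         // empty list: let the authenticator pick a discoverable credential
  };
  // Returns a PublicKeyCredential (assertion) to POST to the server for verification.
  return win.navigator.credentials.get({ publicKey });
}
```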
Transmit Security Passwordless & MFA cloud-native service provides two approaches for building WebAuthn experiences:
Discover more about how Transmit Security’s true passwordless authentication can help you eradicate or phase out passwords over time. First, you must start with a solution that can completely remove passwords from the complete customer journey.
If you lose your device, most passwordless solutions will ask you to recover your account by logging in with a password. If passwords lurk anywhere in the shadows, you’re still at risk of password compromise that leads to account takeover (ATO) fraud.