- Enterprise customers consider security the most important requirement of digital services.
- Developers often overestimate their ability to provide convenient, secure customer experience.
- Biometrics offer the most convenient user experience, but face unresolved privacy and security challenges.
Security logins have become one of the unavoidable hassles of daily life. Whether by typing usernames and passwords, entering confirmation codes, answering secret security questions, tapping on fingerprint readers, or using facial recognition apps, the time and effort is not trivial. The average worker, according to research by LastPass, juggles 191 passwords linked to all the business applications needed to do her job.
While everyone understands the need for good security, the bar is rising on how well it needs to be integrated into digital customer experiences. Customers today won’t tolerate loose security standards. Of 6,500 consumers surveyed for Experian’s 2020 Global Identity and Fraud Report, nearly two-thirds said security was the single most important requirement in a digital service. Convenience came a close second.
On the other hand, consumers who find a digital service easy to log into will use it 10 to 20 percent more than customers who get frustrated, according to McKinsey research, and will spend more money as well.
Many companies are struggling to strike a good balance. For example, 95% of businesses believe they do a good job of consistently identifying and recognizing digital customers. But 55% of customers say they feel the opposite, according to Experian’s 2020 Global Identity and Fraud Report.
Not only do many customers remain frustrated by impersonal or inconvenient authentication processes, they’re not even getting improved security: 57% percent of the companies in the Experian survey said they had suffered more fraud than the year before.
Security under the hood
Of course, the goal is to have a balance of better security and convenience, not worse. One way to accomplish that in the realm of conventional logins is to implement additional layers of security that customers can’t see, says Ethan Fast, co-founder and CTO of cyptocurrency platform Nash.
For example, Nash’s engineers found a way to use each subscriber’s password to encrypt complicated “private keys” needed to log in and trade on a crypto service, without requiring Nash to store that data itself. By simply remembering their password, customers get the additional security benefits of private keys. “You have to wrap security in what people are already familiar with,” Fast says.
End-to-end encryption is another way to safeguard data without frustrating users, says Fast. Messaging services such as Apple’s iMessage and Facebook’s WhatsApp use this approach, which protects customer data as it ping-pongs between a person’s device and vendors’ servers. “People don’t even notice it,” says Fast.
Voice authentication is a newer discipline with its own set of tradeoffs. Voice-activated services, such as those powered by Amazon’s Alexa or Google Home, offer unprecedented convenience. But thanks to stories about these services recording private conversations and sending them to a random contact, they also raise concerns. Developers must devise processes to authenticate users without requiring them to yell out their username and passwords.
One common workaround is to link the voice interface to a user account that has already been properly secured, says Eric Turkington, strategic partnerships VP for RAIN, a consultancy that helps businesses build conversational AI applications. For example, RAIN built an Alexa “skill” for Starbucks that customers can use—provided they are logged into the Starbucks mobile app—to reorder their “usual,” check account balances, and other tasks.
Similarly, TD Ameritrade recently enabled customer trading using Alexa. The service uses voice-based user authentication, and clients confirm trades by speaking a four-digit PIN code they’ve chosen.
Not only do many customers remain frustrated by impersonal or inconvenient authentication processes, they’re not even getting improved security.
Even more mature biometric technologies, such as fingerprint and facial recognition systems, present complications that have yet to be fully resolved, particularly around privacy. While biometric authentication has become commonplace (86% of companies will offer some form of biometric authentication by 2022, according to one study), 60% of IT pros worry about the lack of transparency around system vulnerabilities and want more information on where and how data is stored.
While there is no universal formula for a great, secure customer experience, security pros and UX developers we interviewed agreed on a couple of rules of thumb:
1. Collaborate early on security
It’s difficult to create an experience like TD Ameritrade’s without having developers and security experts collaborate throughout the development process. “Engage early with the security team,” says Brian McLaughlin, chief experience officer for payment technology firm Bottomline Technologies. “They’ll have good ideas about making the customer experience safer, and it’s better than springing your app on them later.”
To ensure this collaboration happens, companies can even make it part of employee compensation goals. “If you’re at a startup, your product team might not be incentivized to think about security, especially if you need to be moving fast and being responsive to what customers want,” Fast says. “But to ignore security will hurt you.”
2. Use design to inspire trust
It’s not just what developers do behind the scenes that makes security seamless. They can also use design to overtly make users feel more secure.
“The visual design of security is very important,” McLaughlin says. “When we bring in our UX designers to create a B2B experience, we explain that we need a design that emanates trust.” That means creating an experience that is “predictable, understandable, and correct” for the type of people who will use it. Accounting and financial apps, for example, should use terminology and iconography that reflect standard practices in those domains.
Lastly, while every company aspires to create elegant, instant, easy user experiences for customers, a little bit of inconvenience is a good thing when it comes to security. “People want some hurdles,” McLaughlin says. “It’s like when you go to hospital and they ask you to confirm your identity.” What might seem like a mild annoyance, adds McLaughlin, is “ultimately a confidence-building exercise.”