3 Considerations for Building an Effective Smart Friction Strategy
By Michelle Hafner, COO, NuData Security
You don’t expect to have to answer a security question or provide a one-time password (OTP) when logging into your food delivery service account to order an $8 pizza. On the other hand, you probably do expect additional authentication measures when logging into an account that stores sensitive information, such as your healthcare account.
This is an example of smart friction – steps that are intentionally and strategically triggered to verify a user’s identity. By balancing user experience (UX) and security, you can protect customer information without overwhelming customers with default authentication measures. There’s no one-size-fits-all approach to smart friction, but it’s an important part of security because it can have a huge impact on your bottom line.
Why friction can sometimes be a good thing
When connecting to any type of account, it is important that users prove that they are who they say they are. This is how you protect their personal information. And protecting customer data is just as important to you as it is to them. In addition to reputational damage, the average real dollar cost of a breach rose nearly 10% year-over-year, the largest year-over-year increase in the past seven years.
But let’s face it: friction along the user journey can also frustrate users and sometimes even drive them away. Over 80% of consumers have abandoned a cart or a registration attempt due to a cumbersome login process.
Fortunately, organizations are becoming more sophisticated at making this friction intentional and personalized rather than standard for each user, because for some accounts or situations friction is a good thing. Consumers tend to agree with this way of thinking. A majority of individuals rated security as “very important” to their accounts.
There is no standard practice for protecting user accounts, but there is a lot to consider when establishing a smart friction strategy. In the end, it all comes down to finding the right balance between security and providing a positive UX.
How to Use Smart Friction to Improve Authentication
Smart friction is an automated user verification process that tailors the level of friction to the trust or risk the user is perceived to have – and this can both benefit your bottom line and improve your UX.
By protecting the accounts that matter most with a personalized and intelligent approach, you avoid the costly ramifications of exposures and data breaches. Conversely, your users will appreciate the personalized experience and build trust with the brand.
Consider these three tips for creating a strategy that triggers the right friction in a user’s journey:
- Assess the context. Some accounts contain sensitive user information while other accounts only have information such as a user’s name and address. You need to assess the value and risk of each account you manage, determining whether the benefits of additional authentication outweigh the disadvantages of a bad actor gaining unauthorized access to the account. For something like a healthcare account, it’s a good idea to err on the side of caution with security. However, if you’re dealing with a user’s food delivery service account that appears to be low risk, you can probably hold off on additional authentication measures and let them get their morning smoothie.
- Consider UX. In addition to identifying the context and risk of a company’s user accounts, you need to put yourself in their users’ shoes to determine the appropriate level of friction they would accept in a given scenario. As a user, you want added friction if it means your health data or sensitive financial data will be kept safe. But is it really worth completing an extra step to order a $4 coffee on mobile? In this scenario, you would probably head to another coffee shop or make coffee at home. If there are alternatives – or rather, if something is easy to not purchase – businesses tend to accept some level of risk to avoid losing sales due to poor UX. With businesses losing billions of dollars in sales every year to fake credit and debit cards, prioritizing UX can be a healthy bottom line decision for some retailers.
- Adapt the steps to each type of threat. Not all threats are created equal, so your authentication measures shouldn’t be either. Let’s say you trigger a CAPTCHA whenever suspicious behavior occurs. This method will stop many bots; however, if the threat is a malicious human actor typing someone else’s credentials, they can easily complete the CAPTCHA, rendering your fraud prevention technique useless. Instead of this blanket approach, deploy sophisticated security tools that can identify the type of risk. If it is a human trying to gain unauthorized access, you can trigger an escalation that will actually stop them in their tracks – like an OTP.
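The three tips above can be compared in code. The sketch below is an added example, not part of the original article and not NuData's product logic: it scores a blanket CAPTCHA rule against a context- and threat-aware rule on constructed logins. The signal names, thresholds and the assumption about which challenge stops which actor are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Login:
    account: str       # constructed account types: "food_delivery", "healthcare"
    bot_score: float   # hypothetical 0-1 signal: likelihood of automation
    human_risk: float  # hypothetical 0-1 signal: a person using someone else's credentials
    actor: str         # ground-truth label, used only to score the demo

# Assumption: a CAPTCHA stops bots only; an OTP stops anyone without the owner's device.
STOPS = {"none": set(), "captcha": {"bot"}, "otp": {"bot", "human_attacker"}}
# Assumption: sensitive accounts challenge at a lower risk level (illustrative values).
THRESHOLD = {"food_delivery": 0.6, "healthcare": 0.3}

def blanket_captcha(e):
    """Blanket approach: the same CAPTCHA on any suspicious signal."""
    return "captcha" if max(e.bot_score, e.human_risk) >= 0.3 else "none"

def smart_friction(e):
    """Choose the step by account context and by type of threat."""
    limit = THRESHOLD[e.account]
    if e.human_risk >= limit:
        return "otp"        # a person can solve a CAPTCHA, so escalate
    if e.bot_score >= limit:
        return "captcha"
    return "none"

def evaluate(policy, events):
    """Return (attackers admitted, legitimate owners challenged)."""
    admitted = challenged = 0
    for e in events:
        step = policy(e)
        if e.actor == "owner":
            challenged += step != "none"
        elif e.actor not in STOPS[step]:
            admitted += 1
    return admitted, challenged

EVENTS = [  # constructed sample logins
    Login("food_delivery", 0.1, 0.1, "owner"),
    Login("food_delivery", 0.9, 0.1, "bot"),
    Login("food_delivery", 0.1, 0.8, "human_attacker"),
    Login("healthcare", 0.1, 0.4, "human_attacker"),
    Login("healthcare", 0.05, 0.05, "owner"),
    Login("food_delivery", 0.2, 0.4, "owner"),
    Login("healthcare", 0.1, 0.35, "owner"),
]

if __name__ == "__main__":
    for policy in (blanket_captcha, smart_friction):
        print(policy.__name__, evaluate(policy, EVENTS))
```

On this sample the blanket rule admits both human attackers while challenging two legitimate owners; the tailored rule admits none and challenges only the healthcare owner whose login looked unusual.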
There is no hard and fast set of rules to follow when developing a smart friction strategy, and it will be different for every organization. As long as you consider your business goals, UX priorities, and account risk at hand, you can make a strategic decision about the right amount of friction to insert into a user’s journey.
About the Author
Michelle Hafner is a senior product manager with expertise in identifying and creating innovative cyber and intelligence solutions. She is currently COO of NuData Security, a division of Mastercard.
DISCLAIMER: Biometric Update industry overviews are submitted content. The opinions expressed in this article are those of the author and do not necessarily reflect the opinions of Biometric Update.