Are You Still Failing Your Customers?

Well-Intentioned Traditional Security Methods Need To Yield To UBA

The moment we started online shopping, businesses realized that a simple password and username were no longer enough to protect the user or the company.

How did we try to secure the password? Verification steps have gone through several permutations over the last twenty years. And for a while, they worked – but only for a while.

A long tradition of making things only slightly harder for fraudsters while making things more frustrating for the users we want to protect began. We call it friction and it’s what drives legitimate users away from websites, sometimes in droves. Our intentions may have been good, but the outcome wasn’t entirely so.

IP checking to verify the user breaks down when users are mobile or connecting through Wi-Fi, never mind hackers who can just spoof IP addresses. Another tack: make passwords themselves harder for automated systems to guess. While making it incrementally harder for machines to break them, more complicated passwords were much harder for human beings to remember.

Because credit cards in particular are choice targets for fraud, both VISA and MasterCard developed secondary security products (Verified by VISA and MasterCard SecureCode respectively) to provide assurance that customers using the card in fact had the right to do so. But implementation varied widely across partner websites and led some customers to abandon legitimate sales.

Knowledge-based questions, or KBAs, were more user friendly in the beginning. Until one question alone wasn’t enough, and then three weren’t enough. And since every site used the same kind of questions with answers that were easy to guess or Google, the questions started getting harder, weirder, more obscure. Doing so only puts a greater burden on the user to remember all the answers.

Friction might cause an oyster to form a pearl, but for websites it just ends up spitting out the customer. Remember, a fraudster with automated tools at their command doesn’t mind doing a little extra work to crack into the shell. A user, meanwhile, risks getting questions wrong and having their account unfairly flagged, and the website risks becoming so irritating to placate that users drop out of the process altogether.

It’s not a secret that extra hurdles to verify are headaches for the user. Some will abandon the site, and there’s a lot of complicated math behind figuring out what level of friction is acceptable for a given site or company. But we feel that there is no acceptable level. We should not be making the user’s experience harder because they have the unfortunate luck to be the user we want to deal with! That would be marketing suicide in any brick-and-mortar store, so why do we hold on to it for e-commerce?

For a while, the answer was that we had no choice. The technology to do otherwise did not exist. But with the mainstreaming of user behavior analytics, password security can dispense with all the irritating, stop-gap measures and pare down the user experience to a clean, painless interaction that brings us back where we started – one username, one password, one hundred percent sure.