Most experts consider the authentication process to be a trade-off between security on one end and user-friendliness on the other. But there are ways to harmonise both. This guide will give you the tools to develop a frictionless authentication flow while meeting the highest security standards. Discover how and why organisations should:
- Get rid of passwords by implementing passwordless authentication
- Smooth out the enrolment process
- Choose frictionless authentication factors without compromising security
- Develop a frictionless authentication process
- Avoid these common mistakes
But First,
1. Let's Define Friction
Friction is commonly defined as the psychological resistance your users experience when trying to complete an action. We use it to measure to what extent your users need to exert themselves to sign up or log in. We can determine friction using three criteria:
- Steps to completion: i.e., the number of steps users must take before reaching their goal;
- Information cost: how many information fields users need to complete;
- Effort investment: the number of decisions users must make.
2. Get Rid of Passwords
We believe eliminating passwords is the most efficient way to alleviate login and signup friction. Here’s why.
2.1. Why You Should Get Rid of Passwords
No More Password Fatigue
There’s no good reason to keep passwords around. Security professionals know that 81% of hacking-related breaches involve weak or stolen passwords. And passwords are expensive to maintain: password resets account for up to 50% of all helpdesk requests.
But what’s more relevant to you is the harmful impact passwords have on your users’ experience. Your users suffer from password fatigue: the stress caused by forgetting and mistyping passwords and by keeping up with ever-changing password requirements.
A typical user has up to 80 passwords, and every one of them should be unique. On top of that, organisations require their users to create increasingly long and complex passwords and to change them every six months or so, making them even harder to remember. These requirements, mandatory changes, additional security questions and other measures meant to protect users take their toll on those users.
Over three-quarters of this survey’s respondents reported that password fatigue negatively affects their productivity and mental health, and 56% of respondents in the same study experienced high password fatigue weekly. This stress impacts productivity, app usage and conversion.
Killing the password in your organisation addresses all these issues. Find out how passwordless authentication improves your customer experience.
Shorter Login Time
As we established here, your drop-off rate increases by 7% per second your users spend logging in. Since logging in with a password takes 13 seconds, you’re bound to lose many users. Moreover, 30% of login attempts on a mobile phone fail due to password complexity and screen size.
Mobile passwordless MFA, the subset of passwordless authentication that nextAuth provides, can speed up the login process by up to 92%. It spares your users from puzzling over a complex password and typing it on a phone keyboard. Logging in with a fingerprint scan instead of a password limits the number of interactions to a strict minimum.
A biometric factor needs a fallback method. What if a user has a small cut on the thumb they use to log in with? We chose to rely on securely verified PIN codes as a fallback method. Find out here how we did that.
Intuitive Authentication Factors
Combining intuitive authentication factors makes for a low-friction authentication experience that fits the user’s habits. Mobile passwordless MFA relies on a possession factor, like an app or a mobile device, and an inherence factor, like a fingerprint or a face scan, rather than on what a user knows, i.e. a password. You will be hard-pressed to find a more frictionless authentication method than logging in with a fingerprint on a mobile phone.
Happier Users
Over 70% of users prefer passwordless MFA over usernames and passwords—the reasons why are obvious. They consider passwordless MFA to be easier to use and safer. Over 93% of users who try passwordless MFA stick with that method.
This form of authentication has ripple effects. It improves an app’s First-Time User Experience and retention rate. On top of that, it reduces cart abandonment by up to 67%, thus increasing conversions and reducing your cost per lead.
2.2 How You Should Get Rid Of Passwords
Review all your current authentication processes
Determine Your Requirements
Choose The Right Passwordless Authentication Solution
Numerous solutions might fit your expectations. Don’t force-fit them. Meet your vendors, clearly communicate your needs, and have them devise a plan to satisfy those needs. There are plenty of vendors, so you won’t need to compromise your needs to fit their offerings. Assess their features based on the categories above. We’ve developed a passwordless MFA requirements checklist to help you do that.
Gradually Roll Out Your New Frictionless Authentication Method
Some organisations roll out their passwordless MFA in one go. We’d advise a more gradual approach. A gradual rollout lets you assess every step and improve the next phase of the process. Onboard users per segment, and only once a segment has enrolled disable password resets for it and prohibit password creation for its new users, until you can eventually impose passwordless MFA as the only authentication method. Disabling resets before a segment has enrolled simply locks those users out.
3. Develop a Frictionless Enrolment Flow
3.1. The "Friction First, Value Second" Flow
This is the most common signup flow and compels users to:
- Click a signup button
- Fill out a personal details form
- Answer additional questions
- Verify the account via email
- Choose a username and password
- Set up account
- Access the app
There is one positive element to this flow. Your users are familiar with this process. They barely need any input to recognise this flow. But it’s still rife with friction.
Users need to take up to seven steps before they access the app. Every single step is an opportunity for a user to abandon the process. Email verification takes the momentum out of the user’s intention and eagerness to use the app, and the fact that users must leave the app increases the drop-off rate.
This is compounded by the requirement to choose a username and password, complete a form and sometimes even pass a CAPTCHA test, depending on the risk level of the activity.
Personal details forms typically ask for at least a first name, last name and email address, on top of the username and password boxes. All these steps require a considerable investment that isn’t compensated by easy access or reliable security. Although this is the most common flow, it’s safe to say it causes the most friction.
Passwordless MFA can alleviate some of these problems:
- It takes away the need for password creation, registration and remembrance.
- It can shorten your signup form. Signup forms are often used as a repellent for bots and spammers and as a weak security measure. Passwordless MFA eliminates that, allowing you to limit the number of boxes.
But this flow remains fundamentally flawed. Even with passwordless authentication in play, there’s no way to undo the damage caused by the delayed reward and the loss of momentum.
3.2. The "Gradual Signup" Flow
This flow requires users to:
- Click on a signup button
- Fill out a minimal number of details, usually an email address
- Access the app
- Fill out a personal details form
- Answer additional questions
- Verify the account via email
- Choose a username and password
- Set up the account
The Gradual Signup Flow is a step in the right direction. It cancels out some initial friction by postponing the password and other critical information. Deferring the password and email verification while still giving users access to the app is easier on the user. Users get a taste of your app and only need to complete the remaining steps the second time they use it.
Despite the bonus points, this flow still presents some significant hurdles, the main one being the username-password requirement. We’ve discussed how 67% of users abandon their activity when they run into password issues, how passwords add to their stress levels, and how 70% of users would choose a similar company that doesn’t require them to use a password.
The right passwordless authentication solution can solve this issue. Your users won’t need to pick a password or username, and confirm them, which shortens the enrolment process and alleviates password-induced stress and friction.
Keep in mind that not all passwordless MFA solutions are built the same. Some solutions rely on hardware tokens or OTPs as factors. These factors only hamper your users’ experience. There’s nothing intuitive about using a USB key, a card reader to generate a code, or switching apps to get an OTP code. So, again, choose your passwordless MFA solution wisely.
3.3 The "Instant Value" Flow
We believe this flow, coupled with a mobile passwordless authentication method, provides the best user experience. Usually, this enrolment process allows users to:
- Access the app
- Fill out a form only once they advance to a specific stage of product usage
- Answer additional questions
- Verify the email address
- Choose a username and password
- Set up the account
Users get immediate access to the app and are only required to complete the signup process before a specific task. Measured by steps to completion, information cost and effort investment, and given that the goal is to access the app, this signup flow is about as frictionless as you can get with classic authentication methods. But there’s still room for improvement. You can turn this into a genuinely low-friction and highly secure flow by replacing the username and password with mobile passwordless MFA.
Implementing mobile passwordless MFA eliminates the need to fill out a long form as a security measure and choose a username and password. It allows you to limit the number of information boxes to a strict minimum and combine them with a biometric scan to ensure better protection.
Beware of biometric authentication solutions that require users to register biometric data on the authentication app. This can take up to 10 minutes if all goes well. The right mobile passwordless MFA solution would rely on on-device biometrics that the user already has stored on their phone.
4. Develop A Frictionless Login Flow
4.1. Single Factor vs. Multi-Factor Authentication
The first choice organisations need to make is whether to opt for single-factor authentication (SFA) or multi-factor authentication (MFA). You might’ve heard of two-factor authentication (2FA). 2FA is a subset of MFA, so we won’t go into the minute differences between those two. Let’s start with single-factor authentication.
Single-factor authentication is when a person uses one authentication factor to authenticate themselves online. The most common SFA method is password-based authentication. Despite its glaring flaws, it is still the most popular authentication method.
Single-factor authentication doesn’t adequately protect your data or your users’ data. Numerous national and international cybersecurity agencies consider it a vulnerability and a risk.
You might assume that its popularity is due to its superiority in user experience. But that’s a misconception. Single-factor authentication is mostly password-based and thus causes the same friction mentioned earlier in this guide. There’s genuinely no actual value in deploying single-factor authentication for your users.
Multi-factor authentication (MFA) requires users to provide at least two distinct, verifiable factors to authenticate themselves. These factors need to come from different factor categories (knowledge, possession, inherence). Authentication based on two methods from one category, like using both a password and a PIN code to log in, doesn’t constitute MFA.
MFA is superior to SFA in all facets. It provides a more secure authentication process. It adds an extra layer of security and helps you comply with the most stringent cybersecurity mandates. And it enables you to provide secure passwordless login to your users.
So, always opt for multi-factor authentication.
4.2. Pick The Right Authentication Factors
We assess authentication factors based on two criteria: user-friendliness and security impact. We’ve already established that usernames and passwords get bad marks in both categories. That leaves us with passwordless authentication factors. There are three types of factors: inherence, possession and knowledge factors.
- Inherence factors consist of credentials that are unique to the user. These include all biometric scans.
- Knowledge factors require the user to provide something only they know, like a PIN code, which the server can verify before granting access to a secured system.
- Possession factors are factors the user possesses through which they can access a system, like hardware tokens, a mobile app or a phone.
Each of these categories covers a wide variety of concrete factors, each with their own pros and cons, and the trade-offs are up for debate. For instance, hardware tokens are deemed more secure than classic passwords but get low marks for user-friendliness. SMS codes are expensive, cause friction, often arrive late or not at all, and are exposed to SIM swapping and interception.
If you consider and choose suitable authentication factors, you’ll vastly improve your users’ experience. We’re convinced that a combination of biometric factors on a mobile phone, backed up by a PIN, is the most frictionless and secure form of passwordless login. We chose this combination for various reasons:
- Biometric authentication factors are the most intuitive and frictionless authentication factors. What is easier than pressing a thumb on a phone’s sensor? You can easily swap this for another biometric, like an eye scan or a palm print.
- The second factor is an app on the user’s mobile phone. It just makes sense in terms of security and user-friendliness to use a tool that a user carries around.
- A biometric factor needs a fallback method. What if a user has a small cut on the thumb they use to log in with? A fallback method is essential for when biometrics fail. We chose to rely on PIN codes as a fallback method.
4.3. Limit The Number Of Authentication Checks
The rising number of breaches has led most organisations to protect themselves and their users with supposedly impenetrable security walls. Users sometimes must endure authentication flows consisting of CAPTCHA tests, additional questions about their mother’s birthplace, email, SMS or push authentication, and so on.
Stacking these checks might lead to somewhat better protection, but it’s a testament to a failing and unsafe authentication process. All these checks just add friction for the majority of users who only want to log in to perform a low-risk activity.
To remove friction, consider combining mobile passwordless MFA with a broader authentication process that automatically triggers one additional check whenever a user intends to perform a high-risk activity.
For example, an extra biometric authentication or a mobile push might be warranted if a user requests to change the email address.
But the key is to limit authentication checks to a minimum.
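The two rules from sections 4.1 and 4.3 (two factors only count as MFA when they come from different categories, and a high-risk action gets exactly one extra check rather than a pile of them) are easy to get wrong in code. The following is an added example written for this guide, not nextAuth’s code: the factor names, the action risk table and the five-minute freshness window are assumptions chosen for illustration. It treats an unknown action as high risk so that a forgotten entry fails closed, and it tracks step-ups per action, so passing the extra prompt for an email change does not silently unlock adding a payee.

```python
"""Step-up authentication policy: one extra check only for high-risk actions.

Added example, not nextAuth's code. The factor names, the action risk table
and the five-minute freshness window are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
import time


class Category(Enum):
    KNOWLEDGE = "knowledge"      # PIN, password
    POSSESSION = "possession"    # registered phone/app, hardware token
    INHERENCE = "inherence"      # fingerprint, face scan


# Assumed mapping of concrete factors to their category.
FACTOR_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "registered_phone": Category.POSSESSION,
    "hardware_token": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "face": Category.INHERENCE,
}


def is_mfa(factors):
    """True only if the verified factors span at least two categories.

    A password plus a PIN is two knowledge factors, which does not count.
    """
    categories = {FACTOR_CATEGORY[f] for f in factors}
    return len(categories) >= 2


@dataclass
class Session:
    user: str
    factors: tuple                  # factors verified at login
    auth_time: float                # epoch seconds of that login
    # action -> epoch seconds of the last extra check passed for that action
    step_ups: dict = field(default_factory=dict)


# Assumed risk table. Unknown actions are treated as high risk (fail closed).
RISK = {
    "view_balance": "low",
    "read_messages": "low",
    "change_email": "high",
    "add_payee": "high",
}
FRESH_SECONDS = 5 * 60


def decide(session, action, now=None):
    """Return 'allow', 'step_up' or 'deny' for an action in this session.

    Low-risk actions only need a session that was established with MFA.
    High-risk actions additionally need one verification (the login itself or
    a later step-up for the same action) within FRESH_SECONDS.
    """
    now = time.time() if now is None else now
    if not is_mfa(session.factors):
        return "deny"               # single-factor sessions get nothing
    if RISK.get(action, "high") == "low":
        return "allow"
    last_verified = max(session.auth_time, session.step_ups.get(action, 0.0))
    if now - last_verified <= FRESH_SECONDS:
        return "allow"
    return "step_up"                # exactly one extra prompt, e.g. a biometric


def record_step_up(session, action, now):
    """Call after the user passed the extra prompt for this action."""
    session.step_ups[action] = now


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    s = Session("alice", ("registered_phone", "fingerprint"), auth_time=t0)
    print(decide(s, "view_balance", now=t0 + 3600))   # allow: low risk
    print(decide(s, "change_email", now=t0 + 3600))   # step_up: login too old
    record_step_up(s, "change_email", now=t0 + 3600)
    print(decide(s, "change_email", now=t0 + 3660))   # allow: fresh check
    print(decide(s, "add_payee", now=t0 + 3660))      # step_up: per action
```

In a real deployment the step-up prompt would be the biometric or push verification described above; the point of the policy is that a user who logged in with MFA a minute ago is never prompted again for a low-risk action, and never prompted more than once for a high-risk one.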
5. Avoid These Common Mistakes
5.1. Don't Implement Context-Based Approaches
A context-based approach is only helpful if your authentication method is secure to begin with. It only helps organisations determine whether a user is trustworthy based on geographical and behavioural signals, among other signs. It flags and automatically generates an additional authentication request if the user exhibits unusual behaviour.
There are different problems with this approach:
- A context-based approach doesn’t replace other authentication methods. Your users will still need to remember, enter and update passwords.
- Context-based authentication systems will increase your TCO. Your IT or cybersecurity team will need to define what constitutes normal or acceptable behaviour for every action. But the larger the number of users, the harder it gets to set requirements that every well-intentioned user meets, meaning that some of those users might be wrongfully excluded from certain activities.
This will inevitably lead to an increase of helpdesk calls or a higher abandonment rate.
Mobile passwordless MFA solves these issues by providing the highest form of security while offering frictionless login. As mentioned before, we require users to log in with a biometric scan on their mobile phone, and we protect those users by verifying the entire process in zero-knowledge. Find out here how we do that exactly.
5.2. Keeping Users Logged In
Most mobile users have little time and even less focus when logging in, which leads to failed attempts or impatience and ultimately abandonment if the login process takes too long. That’s why some organisations that rely on password-based authentication or other sluggish authentication methods resort to keeping their users logged in. This limits authentication attempts and alleviates friction.
But while this benefits the user’s experience in the short term, it carries serious security risks in the long run. The better option is again to implement biometric mobile passwordless MFA. It makes logging in more straightforward and provides better protection, removing the need to keep users logged in. If you do keep sessions alive, cap their lifetime and require a fresh authentication before sensitive actions. Stealing a password is far easier than getting hold of the user’s phone and defeating a fingerprint or face scan.
Even an attacker who gets physical control of the phone would still need to defeat either the biometric scan or the fallback PIN, which is extremely difficult to pull off. In essence, biometric mobile passwordless MFA is significantly easier to use and provides you and your users with better protection than any other authentication combination.
Conclusion
There are numerous ways to develop and implement a frictionless authentication flow. The main pointers, however, are to kill the password in your organisation, review your enrolment and authentication flows and assess your authentication factors.
We’ve developed a mobile passwordless multi-factor authentication solution to help you meet your goals. Our team would be more than happy to help you create a low-friction authentication experience and to discuss how our solution could set you on the right track. Get in touch to schedule a discussion with one of our authentication experts.