• Callum Mcleod

Integrating User Authentication Into your CX Strategy

Are you looking for User Authentication recommendations? Want to make sure your users are safe whilst not hindering the usability of your products?


Then you’ve come to the right place!


In this blog we will outline not only what user authentication is but why it’s so important to integrate it with your customers' journey. We'll also be providing you with a couple of options for how you can introduce user authentication to your systems, explaining some of the pros and cons of each as we go.


So let’s start with…


What is User Authentication?


User Authentication is the process of verifying that a user who wants to access something you’re offering, whether this is a physical device, software or even a network of some kind, really is who they claim to be. Identifying a user (a username or email address) is only the claim; authentication is the evidence for it.


Once their identity has been confirmed, the user may then be given access to specific sensitive information which they wouldn’t have been able to see otherwise.


With companies these days storing more and more personal and sensitive information about their customers, they need to ensure that their security systems are up to scratch. Or they’ll end up with some very unhappy customers.


Why is it so important?


We can break down the reasons why people need User Authentication into two distinct camps, Internal Data Security (IDS) and External Data Security (EDS).


  • Internal Data Security: IDS refers to keeping your data secure from users who are already within the system. Whilst you want users to be able to see their own data, you need to stop them from being able to see everyone else’s. This is where User Authentication comes in, together with authorisation: once you have confirmed that a user is who they say they are, every request they make must be checked against that confirmed identity, so you only ever display their own information to them. An authentication step on the login page alone is not enough; a user who changes an account ID in a URL must still be refused anyone else’s records.


  • External Data Security: EDS refers to keeping your data secure from external threats, more specifically cyber criminals. Cyber criminals are always looking for ways to steal your user data; whether they mean to ransom you with it, sell it off, or they’re looking for specific information, you need to have adequate defences. You wouldn’t leave the windows and doors of your house unlocked, so why would you do so with your systems? Not having a well-built authentication system is the equivalent of leaving your windows wide open and inviting criminals in.


Authentication and your Customer Experience


The issue many companies are having with security is finding the right balance between being secure with their customer data and not being so secure that you hinder the customer's journey.


If you don't have enough security steps, then your customer’s data won't be secure, and your customer will feel that their data is unprotected. They might then go to one of your more secure competitors.


If you have too many hoops for your customer to jump through, they may become frustrated by how long it takes for them to get access to your services. They won’t see the extra security as worth all the extra effort they have to put in, and again, may go to one of your competitors.


The onus is on you as a company to find the authentication method that will keep your customers' data secure and keep them happy at the same time.


Types of User Authentication


You could spend hours surfing the web looking at all the different authentication options around (trust us, we’ve been there). To save you some time, we’ve put together our top 3 authentication methods, which should help you provide the right balance between security and usability. But, it’ll be up to you to decide which, if any, of these are right for you!


Knowledge Based Authentication (KBA)



What’s your mother’s maiden name?

What street did you live on as a child?

What was the name of your first pet?


Don’t worry; we’re not trying to steal your identity, that’s just an example of KBA in action. KBA is the process of authenticating someone’s identity by asking them something only the user should know, whether this is questions about their childhood, family members or even pets.

There are typically two different types of KBA:


  • Static KBA: Static KBA (sometimes referred to as shared secret authentication) is where users pick their own security questions, and share the answers to them with the system when they create their account. Those answers are effectively extra passwords, and should be stored the same way: normalised, salted and hashed, never in plain text.


  • Dynamic KBA: Dynamic KBA uses information that the system can gather about you to generate and ask you security questions. With this type of KBA, you don’t have any choice in the questions or answers you must provide. The system may ask you about past addresses it has stored for you, or even for certain digits in your NI Number.
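The Static KBA answers a user shares with the system at sign-up are low-entropy secrets, so the least a system should do is store and check them the way it stores passwords. The code below is an added example written for this post, not code from the original article or from any vendor: it normalises an answer so that "Fluffy", " fluffy" and "FLUFFY" all match, hashes it with a per-answer salt using PBKDF2-HMAC-SHA256 (the iteration count is OWASP's 2023 minimum for that algorithm), compares in constant time, and checks every enrolled question before answering so a wrong answer cannot be singled out by timing. Question names and sample answers are constructed for illustration. Hashing does not fix the real weakness of Static KBA, which is that the answers are guessable or searchable; it only stops a database leak handing them over directly.

```python
import hashlib
import hmac
import os
import unicodedata

# OWASP Password Storage Cheat Sheet (2023) minimum for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000


def normalize_answer(answer: str) -> str:
    """Fold case, apply Unicode NFKC and collapse whitespace, so the many ways a
    user types the same answer all hash to the same value."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer: str, salt: bytes = None) -> tuple:
    """Return (salt, digest). A fresh random salt per answer stops identical
    answers on different accounts from producing identical digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, ITERATIONS
    )
    return salt, digest


def check_answer(stored_salt: bytes, stored_digest: bytes, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_answer(candidate, stored_salt)
    return hmac.compare_digest(digest, stored_digest)


def enroll(answers: dict) -> dict:
    """Map each question to (salt, digest); the plaintext answers are never kept."""
    return {question: hash_answer(answer) for question, answer in answers.items()}


def verify_all(record: dict, attempt: dict) -> bool:
    """Require every enrolled question to be answered correctly, and always check
    all of them, so the caller cannot learn which one failed from the timing."""
    ok = True
    for question, (salt, digest) in record.items():
        ok &= check_answer(salt, digest, attempt.get(question, ""))
    return ok


if __name__ == "__main__":
    # Constructed sample enrolment; only salts and digests would be persisted.
    stored = enroll({"first_pet": "Fluffy", "childhood_street": "Baker Street"})
    print(verify_all(stored, {"first_pet": " fluffy", "childhood_street": "baker  street"}))
    print(verify_all(stored, {"first_pet": "Rex", "childhood_street": "Baker Street"}))
```

In a real deployment the same rate limiting and lockout you apply to password attempts must apply here too; with a handful of common pet names a brute-force run through the question set is short.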

Pros & Cons

Pros

  • Both the questions and answers in Static KBA can usually be chosen by the user, meaning that they are much easier for the user to remember or note down when they select the questions, causing less friction within the customer journey.

  • Dynamic KBA is likely to be more secure than Static KBA (and some other authentication methods), because the answers to Dynamic KBA questions are much less likely to be found online, making it harder for cyber criminals to access your users' accounts.

Cons

  • Unfortunately, the answers to Static KBA questions are often not very secret. Because most people live their lives online, it is quite easy for a cyber criminal to search social media accounts for answers to KBA questions. One famous case of this was the Sarah Palin email hack in 2008, where the attacker got through the account recovery questions using information he found online.

  • There are also issues with Dynamic KBA. People might be uncomfortable with the information that you have gathered, considering they themselves did not provide it; moreover, because they didn’t provide the information, they are more likely to either forget the answer or get it wrong. Bear in mind too that addresses, dates of birth and identifier digits have been exposed in many large data breaches, so this data is less secret than it looks.


Multi-Factor Authentication (MFA)


MFA is an authentication method where users are required to present two or more independent factors before they can log in or access your products: something they know (a password or PIN), something they have (a phone, hardware token or previously registered device) and something they are (a biometric). Two checks of the same kind, such as a password plus a security question, are not multi-factor. In practice the second factor is usually proof that the user has access to a particular device, email inbox or mobile phone. There are many different types of MFA, including:


App One Time Password (OTP): This is where the user has an authenticator app on their phone. At enrolment the app and your system share a secret, and the app derives a fresh code from that secret and the current time (the TOTP algorithm), typically changing every 30 seconds. Entering the current code proves that the user holds the enrolled device, and because the code is derived locally rather than sent over a network, it works without signal.


Email One Time Password: With this process, when a user tries to access a system, it sends either a link or a code to the email address they used to set up their account (the address shown on screen is usually partially masked so it reveals as little as possible). They then simply follow the link or enter the code to prove that they have access to the mailbox. Remember that the same mailbox is usually also the password-reset channel, so an attacker who controls it already has your account; as a second factor, email adds the least.


SMS One Time Password: With an SMS OTP, when a user tries to log into their account, they receive a text to their registered phone number, which again is normally partially masked, containing a code. They simply input this code to prove that they have access to the phone. SMS is the most familiar option for customers, but codes can be intercepted through SIM-swap fraud or weaknesses in the phone network, which is why NIST SP 800-63B classes SMS as a "restricted" authenticator; treat it as a step up from a password alone, not as your strongest option.


Push Notifications: This is a popular form of MFA, but it requires the user to have already logged into your app on a separate device (for example, a phone or laptop). When they try to log in elsewhere, a push notification arrives on the registered device and they approve it to confirm that it really is them. Because approving is a single tap, attackers have learned to send floods of prompts until a tired user accepts one ("MFA fatigue"); showing a number in the login screen that the user must type into the prompt (number matching) closes that hole.


Pros & Cons

Pros

  • Multi-Factor Authentication is significantly more secure than KBA, because it is much harder to steal a physical device (and gain access to it) than it is to find information about a person online. Bear in mind, though, that a code the user types in can still be phished in real time by a fake login page that relays it; only authenticators bound to the site, such as FIDO2 security keys and passkeys, resist that.

  • Using MFA can lead to an increase in customer trust. Your customers will see the steps they have to take to get access to their data, and should feel that their data is secure.

Cons

  • Unfortunately, using MFA can also lead to you annoying your customers. Putting these extra layers between them and their data, whilst good for security, can hinder the customer journey. Asking for the second factor only on new devices or risky actions, rather than on every login, is a common way to find the balance so your customers don’t choose to go somewhere else.

  • Reliance on external devices can also cause issues for the customers. What happens if they lose the device they need to access their accounts? Or if they have no signal and need to receive an SMS code? Companies need to have a recovery process in place, and it needs to be at least as hard to abuse as the login it bypasses, or attackers will simply use recovery instead.


Biometric Authentication (BMA)


BMA is the process of using unique biological markers to authenticate that the person is who they say they are. When a user registers for the first time, a biometric template is captured; at each login a fresh sample is compared to that template and accepted if it is close enough. The result is a high-confidence match rather than certainty: the acceptance threshold is a trade-off between letting impostors through and rejecting genuine users.


In the past, BMA was mainly used for access to physical locations; more recently it has become common on devices with built-in biometric sensors, for example mobile phones. The most common biometric checks are:

  • Face scan

  • Retina Scan

  • Fingerprint Scan


Pros & Cons

Pros

  • Biometric Authentication is very secure and difficult to fake. Your user’s data is physically a part of them and cannot be forgotten or shared like a password. It is not impossible to spoof (photographs, masks and lifted fingerprints have all been used), which is why good sensors include liveness detection.

  • Another thing about Biometric Authentication is that once it’s set up (and if it’s been set up well), it’s extremely user friendly. It is quick and easy to do, meaning that it won't hinder your customer’s experience. Moreover, there are no passwords for your customers to forget, meaning that they won’t have to deal with any laborious account recovery processes.

Cons

  • One major issue you will need to consider if you implement Biometric Authentication is an increased need for Data Security. If you store people's biometric data yourself, a breach is worse than a password breach: you can reset a password, but biological data cannot be changed, so once it has leaked it is no longer a viable authentication option for that person. The safest design is the one phone platforms use: the template never leaves the device’s secure hardware, the device does the matching, and your system only receives a signed confirmation that it succeeded, so there is nothing biometric on your servers to lose.

  • Another issue with Biometric Authentication is the reliance on external devices. Hardware issues with these devices can cause serious problems for your customers. If their camera or fingerprint scanner gets dirty, or worse, is faulty, then they won't be able to authenticate themselves. You will need a back-up process in place for when this happens, and it should be as strong as the biometric it replaces.

What’s Next?


That’s it. We’ve told you all about our favourite authentication methods; now it’s over to you to pick one!


Can you see the benefits of one over the others? Are you still not sure? This is where we can come in to help.


Here at CX Consultants, we have over 25 years’ experience of developing smooth customer journeys. If you need help ensuring that your customer journey is as smooth and seamless as it can be, why not get in touch and find out how we can help you today?




If you have any questions or want to discuss your CX strategy, system or customer journey, get in touch, we're here to help.