Five Tips for Low-Friction Authentication
6 Min. Read | October 22, 2022
Authentication processes often introduce unwelcome friction into the user experience. Generally speaking, friction equates to the effort needed from the end user during a given process. For example, logging into an app using a smartphone’s face scanning is a very low-friction authentication process; if a passcode is also required, the friction increases.
Trying to remember numerous different passwords (that must be changed regularly), answering security questions, waiting to receive and then entering a one-time password (OTP), getting locked out of an account because of too many login attempts — these are just a few of the day-to-day authentication frustrations your employees and customers face.
Login friction can harm your organization in multiple areas:
- Time: The average employee wastes up to 24 hours per year logging into workstations, networks and systems. This strain on company time is only exacerbated when password resets are considered, which cause significant delays for employees and take up help desk resources. IBM estimates that admins spend 27 hours per year resolving access issues per 100 users.
- Productivity Costs: Lost productivity means lost money. According to one study, the average enterprise loses $5.2 million on entering and resetting passwords. Added to this is the cost of help desk resources assisting with employee authentication.
- Customer Abandonment: Friction of any type in the customer experience leads customers to seek alternative services with a better digital experience. This holds true across industries, from financial institutions to online retailers. Friction in the authentication experience is especially harmful as it impacts every visitor and customer.
- Employee Frustration: It's not just employee productivity that is affected by authentication friction but their personal experience and happiness at work. A study on login fatigue found that 44% of employees felt logging in and out of applications ruined their mood and productivity, while over 25% admitted to giving up on a task due to authentication problems.
- Security: Frustration with authentication also leads users to engage in risky behaviors that compromises security. These include reusing the same password across multiple accounts, leaving applications or desktops logged in to avoid re-authenticating, writing down passwords on sticky notes or storing password lists in insecure files.
Increasing security steps around authentication can actually make things worse rather by introducing even greater friction and therefore adoption resistance. Microsoft revealed that only 22% of its enterprise customers enabled MFA.
The goal is to maintain or increase security levels while also deploying low-friction authentication. Here we’ll look at some tips for creating a low-friction authentication experience for your users without compromising your security posture.
1. Cut Out Passwords
The security risks of passwords are well known and only becoming more pronounced. Passwords are also a major cause of user friction for employees and customers. Simply put, remembering, entering, and resetting passwords are problems that your staff and clients should not have to deal with. While traditional multi-factor authentication (MFA) uses a password as a factor, there are modern MFA solutions that use possession and physical inherence to verify a user’s identity, cutting out passwords entirely.
2. Stop Using OTPs
OTPs sent to SMS or email are one of the most common MFA methods used as they are relatively cheap and easy for organizations to deploy. OTPs fall under the possession category to confirm identity, however evolving attacks have made them notoriously insecure. Moreover, they add friction, with the extra verification step disrupting the login flow. Further friction is created if users have to switch to another device, the token expires before they can log in, server or signal issues delay the message, or the OTP is sent to spam.
3. Leverage Biometric Identifiers
How do you verify a user without passwords? Using the same elements that prove their identity anywhere else: their physical features. Devices and systems that record and assess biometric characteristics, such as thumbprints, retina or face scans, and voice recognition, have become advanced and ubiquitous. Most personal smart devices come equipped with them off the shelf.
A secure, low-friction a process would see a user sign in instantly with a biometric identifier, which unlocks a unique key stored on their device to secure login through public key cryptography. These principles for going passwordless are at the core of the Fast Identity Online (FIDO) standards. Some of the largest organizations in the world back these standards, which were developed to both improve security and enable low-friction authentication for users.
Beware however, of biometric authentication methods that simply use biometrics to unlock a password or centrally stored credential on the back end. While these decrease end user friction, they leave your organization vulnerable to brute-force, MitM and other password-based attacks.
4. Implement SSO
Single sign-on is a platform that gives employees access to the complete suite of applications or data they need for their tasks after only one login. We’ve explored some of the security issues around having a single point of access for everything, but when authentication to the SSO is secured properly, it provides a solid low-friction authentication solution.
5. Use Step-Up Authentication Strategically
Sensitive applications and services, or specific types of transactions, may present a higher risk. For example, administrative access to your organization’s HR systems, or when a banking customer initiates a funds transfer. Or there may be certain contexts that present a higher risk, such as accessing systems from outside the office network. You can deploy step-up authentication to add extra layers of security specifically when users try to execute sensitive functions or log in from a less secure location. This way you can strengthen security without creating extra front-facing steps for every login for every user.
Ease Login Frustration With Passwordless MFA
You shouldn't have to choose between authentication security and user convenience. The biggest culprit is the simple password, with people potentially having to remember dozens of passwords or undergoing a time-consuming reset process if they don’t. Even if all goes well, there’s still the physical act of constantly re-entering login details. Traditional MFA solutions, such as OTPs, exacerbate the problem.
There are several measures you can take to reduce login friction for your users. The most effective and secure approach removes all passwords and embraces biometric identification in line with FIDO principles. FIDO-based authentication is considered the "gold standard" of MFA by the Cybersecurity and Infrastructure Security Agency (CISA).
To see how HYPR can help you create a highly secure yet low-friction authentication system that fully removes passwords, sign up for a free demo.
Interested in learning more about passwordless authentication in general? Download our Passwordless 101 guide.