Striking the Right Balance Between Security Considerations & the User Experience
How can credit unions strike the right balance between these two equally important but often divergent demands?
Providing a seamless digital experience across platforms and operating systems is a common goal shared by all financial services organizations and a differentiator upon which these companies are increasingly competing. Forty-one percent of consumers in EY’s “2016 Global Consumer Banking Relevance” study said they would not hesitate to change their financial services provider if they found one with a better digital experience. Running parallel to this customer experience imperative is the need for robust security policies and procedures to protect sensitive account information. How can credit unions strike the right balance between these two equally important but often divergent demands?
The Friction Factor
Introducing friction into the login process invariably has a negative impact on the overall member experience. Given the sensitive nature of financial services data, consumers are slightly more forgiving of a multi-step authentication process but they still demand efficiency and easy access. Login friction is also a concern for internal users. If the authentication process is overly burdensome, employees may default to poor security practices like creating weak passwords, reusing passwords across multiple accounts or sharing credentials with colleagues – something 43% of people admit to doing, according to a LastPass survey.
With that in mind, let’s take a look at some common strong authentication measures that can impact user experience:
- Two-Factor Authentication and Multi-Factor Authentication: 2FA and MFA systems require users to present two or more pieces of evidence in addition to their password when attempting to log in. While they are certainly beneficial from a security standpoint, from a member experience perspective most users prefer not to use MFA. Google has stated that less than 10% of its users have opted to turn on MFA.
- Adaptive Authentication: Adaptive authentication cross-references IP address, geolocation, device reputation and other behaviors to assign a risk score to an inbound login and step up factors accordingly. These systems are typically tuned aggressively to increase effectiveness, which means that additional authentication steps are added in situations that don’t warrant them. As a result, adaptive authentication often frustrates customers and users.
- Biometric Authentication: This approach is appealing from a pure member experience standpoint. However, relying on biometric authentication alone is impractical, as not all technologies and devices are currently equipped with biometric capabilities. In addition, these systems still rely on a fallback password-based authentication mechanism when the biometric fails or becomes unavailable.
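The adaptive authentication item above describes a risk score built from signals such as IP reputation, geolocation and device history, and notes that aggressive tuning adds step-up prompts where none are warranted. The following is an added example (not code from the original article or from any vendor named in it) that scores constructed login attempts with assumed weights and then measures, for two thresholds, how often legitimate members get stepped up versus how many bad logins are caught. The signal weights, threshold values and sample attempts are all assumptions chosen for illustration.

```python
"""Adaptive-authentication risk scoring with a threshold-tuning comparison.

Added example. The weights, thresholds and login records below are
constructed for illustration and are not taken from any real system.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    ip_reputation: float   # 0.0 = clean, 1.0 = known-bad (assumed scale)
    known_device: bool     # device seen before for this user
    country: str           # country of the inbound IP
    home_country: str      # country of the user's usual logins
    hour_local: int        # local hour of the attempt, 0-23
    fraudulent: bool       # ground truth, used only for evaluation


# Assumed weights; a production system would calibrate these from data.
WEIGHTS = {"bad_ip": 50, "new_device": 25, "geo_mismatch": 20, "odd_hour": 10}


def risk_score(a: LoginAttempt) -> int:
    """Combine the signals into a single 0-105 risk score."""
    score = int(WEIGHTS["bad_ip"] * a.ip_reputation)
    if not a.known_device:
        score += WEIGHTS["new_device"]
    if a.country != a.home_country:
        score += WEIGHTS["geo_mismatch"]
    if a.hour_local < 6:
        score += WEIGHTS["odd_hour"]
    return score


def decision(score: int, threshold: int) -> str:
    """Step up authentication only when the score reaches the threshold."""
    return "step_up" if score >= threshold else "allow"


def evaluate(attempts: list, threshold: int) -> dict:
    """Friction rate = share of legitimate logins that were stepped up.
    Catch rate = share of fraudulent logins that were stepped up."""
    legit = [a for a in attempts if not a.fraudulent]
    fraud = [a for a in attempts if a.fraudulent]
    legit_stepped = sum(decision(risk_score(a), threshold) == "step_up" for a in legit)
    fraud_caught = sum(decision(risk_score(a), threshold) == "step_up" for a in fraud)
    return {
        "threshold": threshold,
        "friction_rate": legit_stepped / len(legit),
        "catch_rate": fraud_caught / len(fraud),
    }


# Constructed sample: five routine member logins and three account-takeover
# attempts. Scores: alice 0, bob 25, carol 15, dave 20, erin 35,
# attacker-1 100, attacker-2 55, attacker-3 55.
SAMPLE_ATTEMPTS = [
    LoginAttempt("alice", 0.0, True, "US", "US", 9, False),
    LoginAttempt("bob", 0.0, False, "US", "US", 20, False),    # new phone
    LoginAttempt("carol", 0.1, True, "US", "US", 3, False),    # night owl
    LoginAttempt("dave", 0.0, True, "CA", "US", 12, False),    # travelling
    LoginAttempt("erin", 0.2, False, "US", "US", 22, False),
    LoginAttempt("attacker-1", 0.9, False, "RO", "US", 2, True),
    LoginAttempt("attacker-2", 0.6, False, "US", "US", 14, True),
    LoginAttempt("attacker-3", 0.0, False, "BR", "US", 4, True),
]

AGGRESSIVE_THRESHOLD = 20   # assumed "tuned for effectiveness" setting
TUNED_THRESHOLD = 50        # assumed setting after reviewing friction


if __name__ == "__main__":
    for t in (AGGRESSIVE_THRESHOLD, TUNED_THRESHOLD):
        print(evaluate(SAMPLE_ATTEMPTS, t))
```

On this constructed data the aggressive threshold steps up 60% of legitimate logins while catching the same three bad attempts that the tuned threshold catches with no friction at all, which is the trade-off the article's adaptive authentication item is pointing at. A real deployment would run this comparison over historical login records with known outcomes rather than a hand-built list.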
In the financial services sector, there are certainly instances in which the friction introduced by the above approaches is appreciated by the customer or member as a sign of the institution’s commitment to security. For example, a member checking his or her balance for the first time on a new computer expects to answer security questions or input a security code received via text when attempting to transfer funds from one account to another.
However, from a day-to-day perspective, relying on friction-inducing authentication methods for routine logins can have a negative member experience impact and ultimately lead to member churn. To address the critical issue of account security without sacrificing the member experience, credit unions need to focus on a security basic – namely, the password.
Preventing Password Peril
While there is significant media and vendor buzz around passwordless authentication, passwords are going to remain the primary authentication mechanism for the foreseeable future. Despite this fact, people typically practice terrible security hygiene when it comes to selecting passwords, even for financial accounts that house extremely sensitive information. It’s incredibly common for people to select context-specific passwords (for example, the bank name and year in which the account was opened) or common ones such as “password” or “12345.”
These passwords can be easily guessed by bad actors for account takeover and in many cases are readily available on the Dark Web. Of the plaintext passwords we find online and on the Dark Web, approximately 11% would be considered common, which means attackers can guess them and will likely use them as well. When coupled with the problems of password reuse and credential sharing, the challenge of securing these passwords only grows. As such, it’s critical that credit unions determine whether passwords have been exposed at their creation for members and employees alike. Then they should monitor password security against a live database of exposed credentials on an ongoing basis to make sure good passwords don’t go bad.
With this approach, members and internal users can enjoy a seamless digital experience at every login if their passwords have not been compromised. Should the credentials be exposed, the credit union can step up authentication to protect the account, allow the initial access and then prompt the user to change his or her password for future logins.
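The two paragraphs above describe a procedure: screen a password against an exposed-credential corpus when it is created, keep checking it at each login as the corpus grows, and on exposure allow the login but step up authentication and require a reset. The following is an added example (not code from the original article or from the author's company) implementing that flow. The breach corpus is a constructed in-memory set standing in for a live database of exposed credentials, and the k-anonymity style prefix lookup (send five hex characters of a SHA-1, receive every matching suffix) is a modelled interface, not a specific vendor's API; the context-term check for bank-name-and-year passwords is likewise an assumption.

```python
"""Password screening at creation and at login, with step-up on exposure.

Added example. EXPOSED_SHA1 is a constructed stand-in for a live
exposed-credential database; range_lookup() models a k-anonymity
prefix query rather than any particular real service.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed corpus of SHA-1 hashes of "breached" passwords. SHA-1 is used
# here only as the lookup key into the corpus, never to store a verifier.
EXPOSED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "12345", "firstcu2014", "Summer2019!")
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix: str) -> list:
    """Modelled k-anonymity query: the client reveals only the first five hex
    characters; the service returns every known suffix under that prefix."""
    if len(prefix) != 5:
        raise ValueError("prefix must be 5 hex characters")
    return sorted(h[5:] for h in EXPOSED_SHA1 if h.startswith(prefix))


def is_exposed(password: str) -> bool:
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def add_to_corpus(password: str) -> None:
    """Simulates a newly discovered breach being loaded into the live database."""
    EXPOSED_SHA1.add(sha1_hex(password))


def is_context_specific(password: str, context_terms) -> bool:
    """Rejects passwords built from institution-specific terms (assumed check)."""
    low = password.lower()
    return any(term.lower() in low for term in context_terms)


def screen_new_password(password: str, context_terms=()) -> tuple:
    """Creation-time check for members and employees alike."""
    if is_exposed(password):
        return False, "exposed"
    if is_context_specific(password, context_terms):
        return False, "context-specific"
    return True, "ok"


@dataclass
class Account:
    username: str
    salt: bytes
    verifier: bytes          # PBKDF2 output; the plaintext is never stored
    must_reset: bool = False


def _verifier(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, _verifier(password, salt))


def login(account: Account, password: str) -> dict:
    """Seamless login when the password is sound; on exposure, allow the
    session but require step-up now and a password change afterwards."""
    if not hmac.compare_digest(_verifier(password, account.salt), account.verifier):
        return {"allowed": False, "step_up": False, "reason": "bad-password"}
    # The plaintext is available only during login, so this is the point at
    # which an ongoing check against the growing corpus can be made.
    if account.must_reset or is_exposed(password):
        account.must_reset = True
        return {"allowed": True, "step_up": True, "reason": "exposed-password"}
    return {"allowed": True, "step_up": False, "reason": "ok"}


if __name__ == "__main__":
    print(screen_new_password("password"))
    print(screen_new_password("FirstCU2014x", ["FirstCU"]))
    acct = make_account("alice", "plover-abacus-17-tangent")
    print(login(acct, "plover-abacus-17-tangent"))
    add_to_corpus("plover-abacus-17-tangent")   # the good password "goes bad"
    print(login(acct, "plover-abacus-17-tangent"))
```

The design keeps a proper salted verifier for authentication and uses the SHA-1 digest only as a lookup key, so the screening step does not weaken how the credential itself is stored. Because the server never holds the plaintext, the re-check has to happen when the user presents the password, which is why the login path is where a previously good password is caught after it appears in a later breach.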
As mentioned above, certain situations within the financial sector require additional authentication mechanisms, such as protecting privileged or VIP accounts. Credit unions should therefore explore ways to augment MFA by implementing password screening, since the first factor of MFA is usually a password.
Delivering a high-quality member experience will only become more essential for credit unions and other financial services institutions in the years ahead. In a crowded industry in which consumers can easily switch to a competitor if the digital experience is lacking, organizations only have one shot at ensuring that security considerations don’t hamper the consumer experience.
Mike Wilson is Founder and CTO for security firm Enzoic in Boulder, Colo.