With the onset of new data privacy and security-related regulations such as GDPR and PSD2 coming into full effect in mid-September 2019, the questions of customer authentication, fraud prevention, and user security become more and more prevalent. But what is user authentication, and how can you keep it user-friendly for customers?
What is user authentication?
User authentication is rather simple and something we are quite used to in our everyday lives. The basic concept of user authentication is about making sure that a person trying to access a restricted resource, such as a bank account, social media profile, a private network, or even a school LMS, is really who they claim to be.
In more technical terms, it's when you attach a unique value in the form of a username, email, code, or sequence to a unique individual and combine it with some form of a secret verifying value such as a physical token, password, or biometric signature. When a user trying to access a resource enters these values into the system, and they match, the user is verified, and access is granted.
Learn more about two-factor authentication in our comprehensive guide!
What constitutes strong customer authentication?
Strong Customer Authentication (SCA) is a European security standard that defines the required authentication methods that every online or contactless payment must implement in order to prevent fraud. It declares that any such initiated payment must take the user through more than one authentication factor to ensure greater security for the user.
The directive outlines exactly how to implement this multi-factor authentication mechanism using any two out of three key pieces of information:
Something the user knows from memory, such as a password
Something the user receives into their physical possession after logging in, e.g. a one-time code sent to their phone, hardware tokens
Something the user is, that is, biometric identification (facial recognition, fingerprint, etc.)
While this standard focuses primarily on payments under PSD2, its principles can be applied to many different types of online interactions between customers and the services they like to use.
Strong user authentication generally means taking the aforementioned basic identity verification to the next level and requiring individuals to provide information that cannot be easily guessed or stolen.
For instance, 2-step verification protects your account with both your password and your phone and keeps any attacker away even if they have somehow acquired your password. This means there are multiple verifying values; thus, sneakily obtaining, guessing, or stealing them becomes much more difficult. So, someone guessing your password would still need your phone or vice versa.
Implementing two-factor authentication (2FA) means protecting your business as well, not just your customers, since in the world of widespread automation, you do not want to put your business at risk via fraud or negligence lawsuits.
Keeping two-factor authentication user-friendly
However, there is much more to consider here because too long or too laborious an authentication procedure brings inconvenience to your own customers. Simply put, it is crucial to implement secure and thorough authentication while preserving privacy and convenience. Otherwise, users likely won't bother with a two-factor authentication service at all.
It's important to understand that not everyone is interested in the latest high-tech security features or encryption, but everyone appreciates a bit more in the way of security in our data-driven lives. It is most appreciated when you offer a complex security feature but in a way that the regular user can implement it with ease without having to go into tough technical complexities.
While there is no silver bullet, and each type of technology comes with its own specifics, common characteristics of user-friendly two-factor authentication often mean:
Requiring no lengthy or difficult passwords to low-risk systems, applications, or basic content and resources
Giving the user a choice of various authenticating options such as passwords, physical tokens, or biometrics
Choice of alternative options if the preferred option doesn't work as well as multiple layers
Stronger forms of authentication, for instance, via third-party authenticator apps on their personal phones as a second layer on top of a strong password
Giving the user a suitable amount of time or number of attempts to enter the code, depending on the demographic that your service caters to
Not expecting the user to do some complicated installation of bloated software on the different devices they own
Not requiring the purchase of special hardware, especially the expensive type
Allowing users to "remember trusted devices" in medium or low-security cases so that they are not prompted for the second factor too often
To achieve these advantages and overcome the weaknesses of generic passwords, businesses look at online security as a competitive advantage and a differentiator helping to attract customers, increase sales, and boost brand loyalty.
A better product is also a safer product, and strong two-factor authentication offers a solution that customers can easily understand and adopt. And adoption is key here, as the strongest authentication systems can do very little if they are not properly implemented. Or people find easy ways around them to preserve the initial convenience of just having a password along the lines of “password”, “123456”, or “Dog”.
User-friendly 2FA systems to gain access to important services
Users who want an extra layer of security for any service they use must first enable two-factor authentication for said service. 2FA can usually be turned on via an app or website's settings. Many services provide a bunch of options for 2FA, two of the most popular of which are 1) SMS and 2) an authenticator app.
OTPs sent via SMS are one of the easiest 2FA methods to manage for both service providers and their customers. This works because when users log into a service for which they have 2FA enabled, they get a one-time password or code via text message on their personal mobile number. This code is entered into the service, and once the service confirms that the code is correct, the user is successfully logged in.
If there is some delivery issue, such as a weak cellular network signal, some services offer to resend the code via an instant messaging service, such as WhatsApp, or via phone call. You have the freedom to keep the code as short as four digits or long, e.g., ten digits. For medium-security apps, this code can typically stay valid for 2 to 5 minutes. However, some high-security apps are so strict that they only allow 30 seconds or so.
Authenticator apps such as Microsoft or Google Authenticator
Google Authenticator and Microsoft Authenticator are two of the most popular two-factor authentication apps used worldwide for accessing online accounts for a wide range of services, apps, and websites.
A customer who opts for an authenticator app must first install this app on their mobile phone or any other smart mobile device that the particular app is compatible with. The code is generated and displayed online upon login and can only be seen by the user if they have access to an internet connection. Thus, an internet connection is necessary for these apps to do their job successfully.
The 6-digit codes that these apps generate are usually short-lived. They usually expire within a few seconds, giving the user a very short window. The code is generally displayed within the app, but some apps offer push notifications to make the process more user-friendly.
A two-factor authentication app is perceived as a much more secure mechanism than delivering an OTP via text message, but it is not entirely immune to serious cybersecurity risks, such as the one that the LastPass authenticator fell victim to.
Keep in mind that in the EU, GDPR and PSD2 (more specifically, the accompanying RTS) set standards for what strong customer authentication is, so businesses can check if they meet the regulations, and customers can evaluate the security of the authentication process and service they are using.