Industry Insights with Kristen Ranta Haikal Wilson

Strong Authentication vs. User Experience

Balancing Made Easier
Companies that position their security measures solely as enterprise protection can foster frustrating user experiences. Some strong authentication methods can also dissuade users:

  • Two-Factor Authentication (2FA) and Multi-factor Authentication (MFA). These systems create frustration when customers are greeted with authentication codes and other methods to confirm account access. They have multiple points of failure, which lead to higher user abandonment rates. According to Google, fewer than 10 percent of its users have signed up for two-factor authentication to protect their Google accounts.
  • Adaptive Authentication. These systems cross-reference IP address, geolocation, device reputation and other behaviors to assign a risk score to an inbound login session and step-up authentication factors accordingly. To increase effectiveness, they tend to be tuned aggressively, adding additional authentication factors in relatively benign cases. In many instances, this increases customer frustration and abandonment.
  • Biometric Authentication. These systems use biometric data from users to confirm identity during future log-ins. Widespread use of these systems is impractical because not all current technologies and devices have biometric capabilities. While biometrics can improve user experience when available, they do little to strengthen security since they must rely on a fallback to password-based authentication when the biometric fails or is unavailable.

Credential screening is different.

While emphasizing user experience, compromised credential screening also adds a strong security layer to the authentication process by:

  • Seamlessly screening usernames and passwords to identify compromised credentials at the point of user login.
  • Encouraging users to select better passwords when they reset their password.
  • Alerting users to their exposed credentials with immediate notice.
  • Providing a definitive risk result: entered credentials are either compromised or not.
  • Supporting a flexible, site-defined response when compromised credentials are detected.

How it works.

71% of the respondents to an Akamai/Ponemon Institute survey said that preventing credential stuffing attacks is difficult because fixes that prevent such action might diminish the web experience for legitimate users.

Enzoic built its credential screening products with the understanding that consumers use the same login credentials across multiple sites. When a user logs in, Enzoic compares their credentials against a continuously updated database of compromised credentials. This process is behind-the-scenes and adds negligible latency to the login process.

If the user's credentials have been compromised, a range of responses can be taken: companies may force an immediate password reset, clear credit cards on the account, require an additional auth factor, or log for additional analysis. This protects the user's account and maintains enterprise security against credential stuffing and account takeover attacks launched by cybercriminals.
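As an added illustration (not Enzoic's code or API), the login-time screening and site-defined response described above, with a constructed, hash-only compromised-credential set standing in for the live database; the response policy, the reset check and all sample data are hypothetical:

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    """Definitive screening result: the entered credentials are compromised or they are not."""
    CLEAN = "clean"
    PASSWORD_EXPOSED = "password_exposed"     # password appears in breach data for some account
    PAIR_EXPOSED = "credential_pair_exposed"  # this exact username+password pair is exposed


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class CompromisedCredentialStore:
    """Constructed stand-in for a continuously updated breach database; holds hashes only."""
    def __init__(self, exposed_pairs, exposed_passwords):
        self.pair_hashes = {_sha256(f"{u.lower()}:{p}") for u, p in exposed_pairs}
        self.password_hashes = {_sha256(p) for p in exposed_passwords}

    def screen(self, username: str, password: str) -> Verdict:
        if _sha256(f"{username.lower()}:{password}") in self.pair_hashes:
            return Verdict.PAIR_EXPOSED
        if _sha256(password) in self.password_hashes:
            return Verdict.PASSWORD_EXPOSED
        return Verdict.CLEAN


# Hypothetical site-defined response policy: one ordered action list per verdict.
RESPONSE_POLICY = {
    Verdict.CLEAN: ["allow"],
    Verdict.PASSWORD_EXPOSED: ["allow", "require_mfa", "notify_user", "log"],
    Verdict.PAIR_EXPOSED: ["force_password_reset", "notify_user", "log"],
}


def handle_login(store, username, password, authenticated):
    """Screen only after the site's own password check passed, so screening is never an oracle."""
    if not authenticated:
        return None, ["deny"]
    verdict = store.screen(username, password)
    return verdict, RESPONSE_POLICY[verdict]


def reset_allowed(store, username, new_password):
    """Password reset: reject a new password that is already exposed, nudging the user to a better one."""
    return store.screen(username, new_password) is Verdict.CLEAN


# Constructed sample breach data (not real leaked credentials).
STORE = CompromisedCredentialStore(
    exposed_pairs=[("alice@example.com", "Winter2019!")],
    exposed_passwords=["Winter2019!", "password123"],
)
```

The username is lower-cased before hashing so the pair lookup is case-insensitive on the account name while remaining exact on the password.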

It is a simple fact that strong authentication will impact user experience and effectiveness.

With Enzoic, your organization can now manage how significant that impact is.



About the Author

Kristen Ranta Haikal Wilson

Cofounder, CMO & Product Management, Enzoic

Kristen Ranta Haikal Wilson is a co-founder of Enzoic (formerly PasswordPing), where she is responsible for linking product innovation to a comprehensive go-to-market strategy. She is a software product and marketing professional with over 20 years of experience, and much of her career has focused on software that streamlines business and IT processes for the benefit of customers and employees. Prior to Enzoic, she was a Senior Director at CA Technologies. Before CA, she held many diverse roles at Rally, SSA Global, Oracle, Siebel Systems, and Black & Decker. She is a certified scrum product owner and scrum master.



