Killing the Password for Consumers

Killing the Password for Consumers

April 23, 2019
Dustin Maxey
Director of Product Marketing

Your consumers are a fickle group. They’re also the most important thing that your business has because without them, your business wouldn’t exist. Therefore it’s no surprise that if you Google “good customer experience” or similar terms, you’ll see diverse sets of results, often from software companies, telling you how their unique corner of customer experience is the one you can’t live without. In fact, you’d be hard-pressed to find a software company that even lightly grazes end-user interactions that isn’t talking about the importance of CX.


With that in mind, you might ask how I can write a blog and tell you that identity, and login specifically, constitutes a critical point in your customer experiences. Let me show you:

Customer identity—a core part of which is user login and registration—is the front door to your brand. It’s the way you make your first impression on a customer, and additional impressions every time they interact with your digital properties. Get it wrong, and they may never know the amazing products, services and experiences you’ve built for them.

In most cases, UX has several guiding principles: Fewer clicks, natural interactions, no friction and the like. It would be easy enough for your engineers to create an experience with no login. That would make those UX boxes easier to check, and it’d be easy for users to go right in and get what they want. But as you may have guessed, there are a few problems with that approach. First, security. You often need to store personal information about customers. That could be credit card numbers, social security numbers or other personally identifiable information (PII). Second, personalization. At the core of good customer experiences is the ability to know them like they’re a close friend. That means being able to remember things about them, like their preferences.

The key to both of these things is your ability to identify the customer. Alas, that requires them to register and log in. Now your question becomes: How do I identify my users with the least amount of friction possible?

Can’t consumers just remember a password?
Ah, passwords, the tried-and-true method of identifying people since the dawn of the Internet. It seems so simple. Just have your users come up with a word or phrase that only they know, type it in along with some other piece of information that identifies them—usually a username or email address—and they’re in. Access to their preferences, credit card numbers and personalized experiences are theirs for the taking.

If only it were that simple. You see, passwords have a number of drawbacks on both the security and user experience fronts.

Regarding security, password policies could be very forgiving and allow a customer to make their password “aaa.” However, that is easy to guess and any brute force password attack will crack it quickly. So the solution would seem to be to make password policies as strong as possible, requiring a few symbols, numbers, capital letters, and not letting the password contain anything similar to their username or match any of their last five passwords. Now you’ve got a secure login process.

Of course, you may be causing people to have to create passwords they’ll never remember. Or worse, causing people with really secure passwords not to meet your strict criteria:

That password looks pretty secure to me. It’s 23 characters long, contains a mix of symbols, numbers and letters, and is different from the 50 previous passwords.  However, since there are two sequential characters in there, it’s deemed insecure. The point is, password policies are just hard to get right.

Even if you do find the perfect password policy, it still isn’t bulletproof. All it takes is for a consumer to reuse the same username and password on another, less secure site, or to fall victim to a phishing scam. Then all your hard work trying to balance password policy security goes out the window.


What about social login?
Social login is a great method for convenience, and so long as it uses protocols like OpenID Connect and OAuth, it’s typically pretty secure. However, it isn’t for everyone. If you rely on social login, there’s still a password at the end of the rope—social media providers require a password. Using it means trusting that password hasn’t been compromised by the same methods mentioned above.

The other consideration is that not everyone chooses to use social media, so you can’t rely solely on it. It’s great for convenience, and in most cases, I think it should be offered for your consumers, but you’ll still need to think about traditional login and registration.

Multi-factor authentication (MFA) to the rescue!
Whether you call it multi-factor, two-step or two-factor authentication, it’s one of the easiest ways to boost security as you log in. And it’s starting to be prioritized by consumers. Just this week I came across another of several recent posts from non-identity professional friends on Instagram talking about two-step authentication.

Don’t take my word for it. Try it yourself. Ask your non-identity friends and family if they know what MFA is. Then ask if they know what OAuth—or any other identity term—is. I’ll bet MFA will win by a landslide.

Despite its added security, multi-factor authentication has some nuances you should know about. First, SMS (text message) and email MFA aren’t the most secure options. SMS one-time passwords (OTPs) can be fairly easily spoofed by methods like SIM swapping. Email OTPs typically lead back to the same username and password that could be compromised via phishing, brute force attacks or password reuse. The National Institute of Standards and Technology (NIST) and many others have recognized these flaws.

Additionally, using a clunky smartphone UI, or opening up another email tab, clicking a link, then opening a third tab back to the site you’re already on, isn’t the greatest user experience.

There’s a better way for MFA
There is another way to implement multi-factor authentication that’s both more secure and—if done correctly—more convenient: using push notifications from a mobile device. Unlike the phone numbers used for SMS messages, using push notifications allows you to rely on device secrets that don’t move from phone to phone and are much harder to spoof. Unfortunately, if you require your users to download a third-party mobile app specifically for MFA, that can take a pretty big toll on convenience. Most will not do it.

Instead, there are solutions that allow you to leverage your own mobile application for MFA.

Imagine these amazing customer experiences
Close your eyes for a second and imagine a few of these amazing customer identity experiences:

Scenario 1
Your customer goes in to buy something from you online. Maybe they make an unusually large purchase. They get a push notification from your application that says something like “Approve this purchase of $5,642.45 from X company?” Then, after a fingerprint or face scan, they can approve the purchase. No extra tabs, no copying an OTP, and by leveraging a trusted device instead of SMS or email, and you can rest easy knowing it’s actually your customer who made the large purchase.

Scenario 2
What about when someone calls your customer service phone number? Your customer service reps need to identify them. Usually they’ll ask something like “your mother’s maiden name,” which anyone can find easily enough with a few Google searches. Instead, what if your customer service rep could push a button and your app lit up on the consumer’s phone and said, “A customer service rep is trying to verify your identity,” and they could approve or deny the verification.


Scenario 3
Consider the dreaded password reset; there is no process consumers hate more. Imagine if they could click a button and instead of waiting on an email, opening new links, or otherwise going through a tedious process, a message popped up from your app on their phone or smartwatch that said, “Approve password reset?” Once they fingerprinted or face scanned their approval, a box appeared on the screen to have them enter their new password. That’s one-click password reset. I challenge you to try to reset your password on any site and count the clicks. It will likely be many more than one.

Killing the password—and username
You may be asking yourself, if you have a perfectly secure and convenient method of MFA, why do we need passwords at all? The short answer is you don’t need them. Of course, any additional authentication factor will add more security to the login experience, but if the second factor you’re using—such as push notifications from your mobile device—is more secure, making it the first factor is a legitimate alternative.

Features like QR code authentication can take passwordless authentication to a whole new level by removing the need for customers to remember which username they used when registering for your service. Check out this video that shows how cool and convenient QR code authentication can be.

The front door to your enterprise
User login is the front door to your enterprise. If you don’t get it right, your users will miss out on all the experiences behind it—and you may miss out on the revenue. There are some really amazing experiences out there that can be delivered to users during login and registration. Taking advantage of them can give you a competitive edge, add security, and make a great first impression, again and again, with your customers. That’s why identity’s corner of customer experience is so critical.

See more amazing experiences that can be provided by adding MFA to your own custom mobile app.