
Strong Authentication without Sacrificing User Experience

Privacy & Security

Once dismissed as irrelevant in the internet age, privacy is now demanded online. Brands must now recognize the need to ensure that their customers' data is secure during every step of the interaction, from user registration to purchase transactions and beyond. But even with multiple authentication options available, many brands are reluctant to implement strong authentication in their customer interactions, fearing possible negative effects on user experience.

In the early days of the Internet, privacy rarely made the list of user concerns. Now, the opposite is the case. High profile hacking cases such as the Equifax breach last year in which the personal information of 143 million people was stolen from the credit bureau have made consumers all too well aware of the dangers around their data online.

Within this wave of concern about privacy - which many would say is impossible without security - two-factor authentication has become a prominent and effective way to safeguard data. Requiring users to input a password, then a code sent to an item they have, it has become so widespread that everyone from enterprises to schoolchildren is using it, as illustrated recently when Teen Vogue cautioned readers to use two-factor authentication for social media accounts.

In practice, the system is simple. Along with a password, the user needs to prove that they have access to a trusted device such as a phone to log in. How to prove this? Getting a text message is the most universally used way.

Using Existing Tech

Brands realize the importance of strong authentication, but sometimes may hesitate to implement it due to concerns about user experience. However, phone-based authentication provides data security and privacy using what consumers already have — a phone — without needing to download an application.

When users log in to a site with their password, try to access their private data or make changes to their profile information, an automated system sends a passcode via text or phone call, which the user then inputs to complete their login. This is known as possession factor authentication because the credential is based on an item the user has with them — the smartphone receiving the message. Before sending the code the system performs phone verification to determine whether the phone number can receive text messages. If not, a voice call is made.

Securing Data Beyond the Password

Simple password authentication isn't enough to deter hackers, according to Andrei Vasilescu, CEO of DontPayFull.com, a membership-based discount site based in California. As demonstrated with the Yahoo data breach, hackers have proven time and again that they can decode most digital passwords within minutes, or acquire them through other means, he said.

Using two-factor authentication adds a layer of security to better ensure that the intended user is the only one able to use that login and is also fast — text messages can be sent instantaneously via an automated system, instead of the user waiting for an emailed code and having to open their inbox. In effect, the SMS requires no action by the user nor are they compelled to sift through different email accounts. This is a relief to busy users, Vasilescu said.

Additionally, two-factor authentication reassures users; they will receive a text message if someone tries to log into their account and they can quickly take precautions like changing their passwords to prevent hackers from accessing their data, he said.

Making Life Easier for Users

Phone-based authentication works well for customers who are not tech-savvy or comfortable downloading apps on their phones, said Uri Cusnir, vice president of research and development at Israeli startup MyPermissions, a customer privacy app developer.

The other, more difficult smartphone-based option is to use an authentication app, which requires installing and configuring the application on a smartphone. Should a customer change phones, the app will likely need to be downloaded and configured again, which isn't the case with phone-based authentication. Additionally, many users don't want to give up storage space for another app, making them less likely to install one just for authentication.

“With phone-based authentication, the user only needs to have his phone number set in his profile, so when logging into an account, the website will deliver a text message with a short secret code, called One Time Passcode (OTP),” Cusnir noted. Another benefit is that the OTP is time based, and the sender can set its validity time as an added security measure.
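The flow described above (password, then a short one-time passcode delivered by text or, if the number cannot receive texts, by voice call; a validity window chosen by the sender; a code that is valid only once) is shown below as an added example. It is not code from the original post or from any vendor's product. The `can_receive_sms` lookup stands in for the phone-verification step the post mentions, the 300-second validity window and the five-attempt limit are assumed values, and the phone numbers and transports are constructed fakes so the example runs offline.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
DEFAULT_TTL_SECONDS = 300   # validity window set by the sender (assumed value)
MAX_ATTEMPTS = 5            # wrong guesses allowed before the code is discarded (assumed value)


@dataclass
class PendingOtp:
    code_hash: bytes     # only a keyed hash of the code is stored server-side
    expires_at: float    # absolute time after which the code is rejected
    channel: str         # "sms" or "voice", recorded for auditing
    attempts: int = 0    # wrong guesses so far


class OtpService:
    """Issues and verifies possession-factor codes delivered to a phone."""

    def __init__(self, can_receive_sms, send_sms, place_voice_call, server_key, clock=time.time):
        self._can_receive_sms = can_receive_sms      # phone verification: can this number get texts?
        self._send_sms = send_sms                    # transport callbacks (fakes in this example)
        self._place_voice_call = place_voice_call
        self._key = server_key                       # secret used to key the stored hash
        self._clock = clock                          # injectable so expiry can be tested
        self._pending = {}                           # user_id -> PendingOtp

    def _hash(self, user_id, code):
        # Bind the hash to the user so a code issued to one account cannot be replayed on another.
        return hmac.new(self._key, f"{user_id}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user_id, phone, ttl=DEFAULT_TTL_SECONDS):
        """Generate a fresh code, deliver it, and return the channel used."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"   # CSPRNG, zero-padded
        channel = "sms" if self._can_receive_sms(phone) else "voice"     # fall back to a call
        self._pending[user_id] = PendingOtp(self._hash(user_id, code), self._clock() + ttl, channel)
        if channel == "sms":
            self._send_sms(phone, f"Your login code is {code}")
        else:
            self._place_voice_call(phone, code)     # voice system reads the digits aloud
        return channel

    def verify(self, user_id, submitted):
        """Return one of: ok, no_pending, expired, locked, mismatch."""
        pending = self._pending.get(user_id)
        if pending is None:
            return "no_pending"
        if self._clock() > pending.expires_at:
            del self._pending[user_id]
            return "expired"
        if pending.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]
            return "locked"
        pending.attempts += 1
        if hmac.compare_digest(self._hash(user_id, submitted), pending.code_hash):
            del self._pending[user_id]              # single use: a correct code is consumed
            return "ok"
        return "mismatch"


def demo():
    """Constructed walk-through with fake transports and a fake clock; returns the outcomes."""
    now = [1_700_000_000.0]
    sms_capable = {"+15550100", "+15550101"}          # constructed lookup table, not real data
    delivered = []                                     # (channel, phone, code) captured by the fakes
    svc = OtpService(
        can_receive_sms=lambda phone: phone in sms_capable,
        send_sms=lambda phone, text: delivered.append(("sms", phone, text.split()[-1])),
        place_voice_call=lambda phone, code: delivered.append(("voice", phone, code)),
        server_key=secrets.token_bytes(32),
        clock=lambda: now[0],
    )

    def wrong_guess(code):
        return "000000" if code != "000000" else "111111"

    results = {}
    results["sms_channel"] = svc.issue("alice", "+15550100")
    code = delivered[-1][2]
    results["wrong_guess"] = svc.verify("alice", wrong_guess(code))
    results["right_guess"] = svc.verify("alice", code)
    results["replay"] = svc.verify("alice", code)                  # same code a second time

    results["voice_channel"] = svc.issue("bob", "+15550199")       # not SMS-capable in the table
    now[0] += DEFAULT_TTL_SECONDS + 1                                # let the window lapse
    results["after_expiry"] = svc.verify("bob", delivered[-1][2])

    svc.issue("carol", "+15550101")
    code = delivered[-1][2]
    for _ in range(MAX_ATTEMPTS):
        svc.verify("carol", wrong_guess(code))
    results["locked"] = svc.verify("carol", code)                  # correct code, but too late
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the server keeps only a keyed hash of the code, so a leaked session table does not reveal live codes, and the comparison uses `hmac.compare_digest` so verification time does not depend on how many leading digits a guess got right. The attempt limit is what makes a six-digit code safe against simple guessing within the validity window.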

What next for security?

Ultimately, what will detract more from the user experience is a data breach like the one at Equifax, or a hacker using a program to decode passwords and gaining unauthorized access to an account. Phone-based authentication that sends a code via text is an added measure of security to protect customer accounts, and one that makes use of technology customers already own.

It's one more step that customers will need to log in, but it's a step that customers will appreciate since their data will be more secure and their user experience will remain unaffected.

By Jean Shin