UX and Mobile User Authentication – Best Practices

When it comes to mobile authentication solutions, user experience and security are frequently pitted against each other.

However, it’s possible to have both — with the right setup. Let me talk you through both issues, as well as other important factors to consider when designing the best authentication user experience. 

When we talk about mobile authentication, as well as user authentication in general, something that always comes up is user experience — and no wonder, with all the research data on the influence of user experience on user adoption in recent years. 

Did you know that users who found authentication convenient used various digital services 10 to 20% more than those who were frustrated by it? That might not sound like much, but when I tell you that these customers were spending around 45% more than their counterparts, it’s easy to see the true value of frictionless authentication. 

However, as a result of this insight, app developers have started sacrificing security in favor of user experience — and suffice it to say, this shouldn’t be the case. The two go hand in hand. 

So, is there a way to have secure authentication that is frictionless at the same time? Doesn't security trump user experience? What would be the best use case, with the options currently available? 

The answers to those questions are: yes, sometimes, and it depends. 

Minimizing user action required is the priority for user experience

From what I've said above, you already know that user experience is the priority when it comes to authentication. Not only will users stop using your app if they're dissatisfied with your UX, but they may go straight over to your competitor. In fact, 70% of users prefer an authentication method for its ease of use.

In recent years, companies around the world have started to catch on. In the search for an authentication solution that’s both secure and has good UX, many apps have started using two-factor authentication or biometrics. While both of these are steps in the right direction, we are not quite there yet. 

The overwhelming majority of solutions still rely on SMS 2FA, a convenient but weak method. SMS and voice traffic is routed over legacy signalling protocols (SS7) that let phone networks exchange the information needed to deliver calls and text messages and to bill for them, and those protocols were designed with little authentication between networks. An attacker with SS7 access can intercept or reroute the SMS OTP; an attacker who persuades the operator to move the number to a new SIM (a SIM swap) gets the same result without touching the network. Both lead to account takeover, and both have happened time and time again. 

On top of it, the user experience is just not that good. 

Biometrics, on the other hand, is where user experience shines brightest. 

It almost completely removes the need for user action, requiring only the touch of a finger or a glance at the camera. The user is authenticated within seconds, and on a modern phone the biometric template never leaves the device; the app only learns that the local check passed. 

It’s not without faults, but as part of a larger multi-factor authentication system, and as far as great user experience goes, biometrics can be extremely useful. 

How appropriate biometrics are as part of your solution boils down to which other authentication factors your business chooses to uphold the security principles of zero trust and continuous authentication, without degrading the user experience. 

To guide us in the right direction, let’s go through the relevant laws and regulations, another important factor to consider when designing your user authentication system. 

Staying compliant with potentially challenging laws and regulations 

Another important issue to think about when designing your authentication user experience is the laws and regulations you must comply with. 

Although it can be challenging to maintain favorable user experience while staying compliant, it’s nowhere near impossible — and more importantly, it’s in everyone’s best interest. 

PSD2 anyone? Among other requirements, the new Payment Services Directive calls for strong customer authentication. Strong customer authentication (SCA) is based on using at least two out of three essential authentication factors: something the user KNOWS (knowledge), something the user IS (inherence), and something the user HAS (possession). The two factors must also be independent of each other, so that the compromise of one does not compromise the other; two factors from the same category, such as an SMS code and a device check, do not count as two. 

Another protocol expected to see broad adoption is the newer version of 3-D Secure (EMV 3DS 2). While similar to SCA at its core, its goal is to let the card issuer assess risk from more contextual data (device, transaction history, merchant) so that low-risk transactions pass without a challenge and the user is only interrupted when needed, which shows that UX is being considered by the parties involved at all levels. 

While it is predicted that once PSD2 is live the digital economy will suffer losses due to user friction, it's all about choosing the right technology and trusting these regulations. Think of them as guides, rather than restrictions. 

So, what would compliance look like in practice? 

This will all depend on the context of your digital service, but let's say you are in the fintech industry. One option would be to rely on biometric data stored on the individual user device for initial authentication (something the user is). In addition, IPification's solution relies on mobile operator, SIM card, and device data running in the background, assessing contextual risk and ensuring continuous authentication (something the user has). Note that the second factor has to be a possession factor tied to the SIM and device for this to satisfy SCA; it cannot be another biometric or a second code delivered to the same phone.  

By now, you might already be getting an idea of what your authentication UX might look like. To fine-tune it, I'll give you a couple more issues to consider. 

Data privacy and secure authentication user experience

Once you’ve minimized the user action required and complied with various regulations, the journey of designing the best authentication user experience is far from over. We have to consider additional factors that also impact the user experience overall. 

In recent years, users have started to increasingly care about their data privacy. How you treat their data and how transparent you are with the process will greatly affect the user experience. 

When possible, it's best to avoid collecting any sensitive data for your authentication process. Requesting it ruins the user experience and raises red flags that you will have to address, thereby lengthening the process, and retaining such data creates breach and compliance exposure that you would not otherwise have. 

Now we come to the final component of the authentication triptych — security. 

Although one could say that logically, security should be the main priority, we have seen that this isn’t the case today. One could also make a case that security should be the priority for incredibly sensitive apps such as banking apps, while UX takes the lead for entertainment. I’m here to say that we can have both UX and security, and value them equally. 

I strongly believe that having an efficient MFA system is the right way to go. This allows you to provide a frictionless user experience while providing the highest levels of security through various authentication, verification, and fraud prevention methods that cover each other’s weaknesses. 

Although superb when it comes to UX, biometrics have security issues of their own. 

To start with, spoofing a biometric sensor is neither impossible nor that expensive. For example, a fingerprint spoof good enough to fool a consumer sensor can be made for less than $150. And, as with any measurement, there is error. 

Biometric technology typically produces two types of error: Type I, a false rejection (the legitimate user is turned away), which ruins the UX; and Type II, a false acceptance (someone else is let in), which compromises security and privacy. Tuning the sensor to reduce one raises the other. An MFA system covers both: a false rejection falls back to another factor instead of locking the user out, and a false acceptance, or even a fully compromised factor, is not enough on its own because a second, independent factor is still required before the session continues. 
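As an added illustration, and not code from the original page or from IPification, the following Python policy check models the two-of-three SCA rule from the PSD2 section together with the error handling described above: a single false rejection steps the user up to another factor rather than denying, and a single passing factor, however strong, never allows access on its own, so a false acceptance of one factor cannot by itself take over the account. The factor names, the `max_failures` threshold, and the constructed scenarios in `main()` are assumptions for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    """The three SCA element categories: knows, is, has."""
    KNOWLEDGE = "knows"
    INHERENCE = "is"
    POSSESSION = "has"


class Outcome(Enum):
    PASS = "pass"
    FAIL = "fail"          # challenged and rejected, e.g. a biometric false rejection


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"    # ask for another factor before allowing
    DENY = "deny"


@dataclass(frozen=True)
class FactorResult:
    name: str              # hypothetical factor label, e.g. "fingerprint" or "sim_check"
    category: Category
    outcome: Outcome


def evaluate_sca(results, max_failures=1):
    """Decide whether the factors seen so far satisfy two-of-three SCA.

    Returns (decision, categories_still_acceptable).
      * ALLOW only when PASS results span at least two distinct categories.
        A single passing factor never allows on its own, so one false
        acceptance cannot grant access by itself.
      * Up to max_failures FAIL results are treated as sensor noise (a false
        rejection) and lead to STEP_UP, not DENY.
      * More than max_failures failures is treated as an attack: DENY.
    max_failures=1 is an assumed policy value, not a standard.
    """
    failures = [r for r in results if r.outcome is Outcome.FAIL]
    if len(failures) > max_failures:
        return Decision.DENY, frozenset()

    passed_categories = {r.category for r in results if r.outcome is Outcome.PASS}
    if len(passed_categories) >= 2:
        return Decision.ALLOW, frozenset()

    # Still need a factor from a category that has not passed yet. Prefer
    # categories that have not just failed, so a rejected fingerprint falls
    # back to a PIN rather than another fingerprint attempt.
    failed_categories = {r.category for r in failures}
    remaining = set(Category) - passed_categories
    preferred = remaining - failed_categories
    return Decision.STEP_UP, frozenset(preferred or remaining)


def main():
    # Constructed scenarios; the factor names are hypothetical.
    fp_ok = FactorResult("fingerprint", Category.INHERENCE, Outcome.PASS)
    fp_fail = FactorResult("fingerprint", Category.INHERENCE, Outcome.FAIL)
    sim_ok = FactorResult("sim_check", Category.POSSESSION, Outcome.PASS)
    sms_ok = FactorResult("sms_otp", Category.POSSESSION, Outcome.PASS)

    scenarios = {
        "biometric + SIM check": [fp_ok, sim_ok],           # ALLOW
        "biometric false rejection, SIM ok": [fp_fail, sim_ok],  # STEP_UP to knowledge
        "SMS OTP + SIM check (both possession)": [sms_ok, sim_ok],  # STEP_UP, not SCA
        "biometric alone (possible false accept)": [fp_ok],  # STEP_UP, never ALLOW
        "two rejections": [fp_fail, fp_fail],               # DENY
    }
    for label, results in scenarios.items():
        decision, acceptable = evaluate_sca(results)
        print(f"{label}: {decision.value} {[c.value for c in acceptable]}")


if __name__ == "__main__":
    main()
```

The check the "both possession" scenario makes is the one that matters in practice: an SMS code and a SIM-based network check both prove possession of the same phone number, so together they still leave one category uncovered.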

I've listed the authentication components that you should consider to enable the best authentication UX possible. Which methods you choose will be solely up to you and your individual case; I can only give recommendations for methods I wholeheartedly know are equal to the job.

IPification fits perfectly into MFA schemes. It relies on already existing mobile operator data to verify a user based on their SIM card, device, and other network data, requiring only one tap of a finger. While running in the background, it ensures continuous authentication. What’s more, it can be integrated within days. 
