Less Friction Creates More Customers
The fact is, huge amounts of effort are spent designing customer journeys, yet much of that effort and cost is wasted if the journey is too hard for the customer to engage with. Front-end designers and business marketers face a real dilemma. Brand reputation, customer confidence and compliance all make it vitally important to know exactly with whom our websites are interacting. But establishing who is actually interacting with a website can be an off-putting process for customers who do not want to deal with one-time passwords and multi-factor authentication at every step. So how can engaging customer journeys be designed that still give us confidence that we know exactly with whom we are interacting?
The first thing that must be said is that resources really must be protected by a good IAM solution and a properly layered web architecture. This is where it is important to point out the difference between authentication and authorisation. Authentication simply means "I have confidence that I know with whom I am interacting". Authorisation means "knowing with whom I am interacting, I grant permission to carry out certain tasks and access certain resources". The two are decided separately: a session is authenticated to a given strength, and authorisation then asks whether that strength is enough for the resource being requested.
The important concept to consider is dynamic, risk-based authorisation. If a user logs in every Friday from a recognised address and carries out a particular task, then when we see that behaviour again it is reasonable to assume they are who they purport to be. The implication is that the authentication level does not need to be overly demanding, only proportionate to the risk posed by the task being executed. However, if the address from which the user is attempting access is abnormal (say China, when the expected access would be from London), then further questions need to be asked immediately to establish the true identity of the person (or bot) attempting access. Note that a familiar pattern lowers the friction, not the bar: a recognised user requesting a high-value operation still has to meet that operation's minimum authentication level.
The other case to consider is a user who has started a journey but has either not logged in or has only been granted restricted access, and who then attempts to access a more sensitive resource. At that point their level of authorisation is insufficient. In security terms this calls for "step-up" authentication: the user goes through an additional security flow, and this is the point at which multi-factor authentication can sensibly be introduced. A step-up should only ever raise the session's assurance, never lower it, and the challenge should be presented in the context of the action that triggered it so the customer understands why they are being asked.
The implication for those designing user journeys is that it should be as easy as possible for the customer to start their interaction; the "friction" of the transaction should be low. With good design, by the time a stronger challenge is needed the customer is already invested in staying on the site and is far less likely to abandon what they are attempting.
There are several advantages to this approach:
1) The design of the journey is separated from the security flows, so journey designers and marketers do not need to understand the security process.
2) The security flows can be controlled dynamically; for example, if a cyber event is under way in a particular locale, step-up security can be invoked for that locale by rule, without touching the journey itself.
3) Users do not face off-putting security challenges until they are really necessary, which encourages greater engagement with the site.
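The policy described above (proportionate authentication for recognised behaviour, step-up when the resource outgrows the session's assurance, and a rule that operators can flip during a cyber event in a locale) is easier to reason about as a small decision function. The following is an added illustration written for this page, not code from the author or from any IAM product. The user profiles, resource risk table, country codes and the `elevated_threat` flag are all constructed assumptions; a real deployment would draw them from the IAM system's session store, device and geo-IP signals and an operator-controlled rule set.

```python
"""Risk-based step-up decision: hypothetical example, not any vendor's IAM engine."""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Optional, Tuple


class AuthLevel(IntEnum):
    """Assurance the session currently carries, ordered weakest to strongest."""
    ANONYMOUS = 0   # journey started, no login yet
    PASSWORD = 1    # single factor completed
    MFA = 2         # second factor completed


@dataclass(frozen=True)
class Context:
    """What the access request looks like at the edge (constructed fields)."""
    user: Optional[str]   # None while the visitor is anonymous
    country: str          # country of the client address, e.g. "GB"
    weekday: int          # 0 = Monday ... 4 = Friday
    auth_level: AuthLevel


# Constructed baseline behaviour per known user: where and when we usually see them.
KNOWN_PROFILES = {
    "alice": {"country": "GB", "weekdays": {4}},
}

# Minimum assurance each resource demands, keyed by path prefix (constructed table).
RESOURCE_RISK = {
    "/catalogue": AuthLevel.ANONYMOUS,
    "/account": AuthLevel.PASSWORD,
    "/payments/transfer": AuthLevel.MFA,
}


def baseline_level(resource: str) -> AuthLevel:
    """Look up the resource's own minimum; unknown paths fail closed to MFA."""
    for prefix, level in RESOURCE_RISK.items():
        if resource == prefix or resource.startswith(prefix + "/"):
            return level
    return AuthLevel.MFA


def is_anomalous(ctx: Context) -> bool:
    """True when the request does not match the user's recognised pattern."""
    if ctx.user is None:
        return False            # nothing to compare against yet
    profile = KNOWN_PROFILES.get(ctx.user)
    if profile is None:
        return True             # never seen this user: treat as anomalous
    return ctx.country != profile["country"] or ctx.weekday not in profile["weekdays"]


def required_level(ctx: Context, resource: str,
                   elevated_threat: FrozenSet[str] = frozenset()) -> AuthLevel:
    """Combine the resource baseline with the two dynamic rules from the text."""
    needed = baseline_level(resource)
    # Rule 1: recognised behaviour keeps the baseline; an abnormal address or
    # time escalates every non-public resource to MFA.
    if is_anomalous(ctx) and needed >= AuthLevel.PASSWORD:
        needed = AuthLevel.MFA
    # Rule 2: an operator-flagged locale (live cyber event) forces MFA for
    # every non-public resource requested from that locale.
    if ctx.country in elevated_threat and needed >= AuthLevel.PASSWORD:
        needed = AuthLevel.MFA
    return needed


def decide(ctx: Context, resource: str,
           elevated_threat: FrozenSet[str] = frozenset()) -> Tuple[str, AuthLevel]:
    """Return ("allow", level) or ("step_up", level the session must reach)."""
    needed = required_level(ctx, resource, elevated_threat)
    if ctx.auth_level >= needed:
        return "allow", needed   # never downgrade: the session keeps what it has
    return "step_up", needed


if __name__ == "__main__":
    friday_london = Context("alice", "GB", 4, AuthLevel.PASSWORD)
    friday_china = Context("alice", "CN", 4, AuthLevel.PASSWORD)
    anonymous = Context(None, "GB", 1, AuthLevel.ANONYMOUS)
    print(decide(friday_london, "/account"))                         # allow at PASSWORD
    print(decide(friday_china, "/account"))                          # step up to MFA
    print(decide(anonymous, "/catalogue"))                           # allow anonymously
    print(decide(anonymous, "/payments/transfer"))                   # step up straight to MFA
    print(decide(friday_london, "/account", frozenset({"GB"})))      # locale rule forces MFA
```

Two design points worth keeping when turning this into something real: the resource table and the threat flag are data, so marketers and journey designers never touch the decision logic (advantage 1), while operators can change `elevated_threat` at run time (advantage 2); and the comparison `ctx.auth_level >= needed` means a step-up only ever raises the session, so a user who has already completed MFA is never challenged again for a lower-risk page. Production engines usually replace the binary `is_anomalous` with a score built from several signals, but the shape of the decision is the same.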
With modern Identity and Access Management systems, this type of dynamic approach to security is entirely possible with a few add-ons. It does imply a clear and logical structuring of the different layers in the web architecture, although that is simply good practice. Further, the job of integrating those add-ons is significantly eased by using standards throughout the stack.
www.ea-optimised.co.uk