It might come as a surprise, however, to realise that an important part of creating such an experience is the management of identity. If you get this wrong, you risk seriously damaging the customer’s perceptions and losing potential revenue to rivals.
The role of identity
When it comes to interacting with customers, identity sits at the heart of everything. Because interactions often involve the exchange of personal details and data such as credit card numbers, knowing who someone is is vital.
A second reason is personalisation. Once you know who your customer is, it becomes much easier to create an individualised experience for them every time they visit your website.
For these reasons, the provision of a secure and reliable CX must require customers to log in. The challenge then becomes making that log-in process as painless as possible. So, how can this best be achieved?
Beyond the password
Since internet-based commerce first appeared in the 1990s, the default means of logging in to a website has involved using a password. Despite their well-known limitations, password-based log-ins remain one of the most widespread methods of establishing a user’s identity.
Various methods have been tried to make passwords more secure. Most organisations require them to be used in conjunction with another personal detail, such as an email address.
Some prevent the usage of easily guessable passwords, such as “password” or “12345”. Many require the use of capital letters, numbers and symbols, which are much harder to crack. The downside is that complex passwords are harder to remember, resulting in more people having to request short-term access so they can be changed.
Even if an organisation develops the perfect password policy, it still doesn’t make things bulletproof. All it takes is for a consumer to reuse the same username and password on another, less secure site, or to fall victim to a phishing scam. Then all the hard work spent on password policy security is wasted.
MFA to the rescue
Multi-factor authentication (MFA) is one of the easiest ways to boost security during the log-in experience. As its usage spreads, it’s becoming much more acceptable to consumers as they go about their online lives.
However, despite its higher security, MFA has some features that need to be understood. First, SMS and email-based MFA are not the most secure options. SMS one-time passwords (OTPs) can be fairly easily spoofed by methods like mobile phone SIM swapping. Meanwhile, email OTPs typically lead back to the same username and password that could be compromised via phishing, brute force attacks or password reuse.
Also, using a clunky smartphone user interface, or having to open up another email tab, click a link, then open a third tab back to the site you’re already on, isn’t the best of user experiences.
Improving the experience
Thankfully, there is a better way to implement MFA that is both more secure and more convenient for customers. It involves using push notifications from a mobile device.
Unlike the phone numbers used for SMS messages, using push notifications allows an organisation to rely on device secrets that don’t move from phone to phone and are much harder to spoof.
Consider an example. A customer tries to buy something via your website that is of high value. As part of the purchase process they receive a push notification from your application that says “Approve this purchase of $4,642 from X company?” Then, after a fingerprint or face scan, they can approve the purchase. No extra tabs or copying of a one-time password is required. You’ve leveraged a trusted device instead of SMS or email.
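The approval flow described above, sketched as an added example that is not from the original article or from any vendor's product: the server binds the approval to the exact purchase, and only a secret enrolled on one device can answer it. The function and class names, the 120-second lifetime and the shared HMAC secret are assumptions made for illustration; production systems commonly keep a private key in the phone's secure hardware instead.

```python
import hashlib, hmac, json, secrets

APPROVAL_TTL = 120  # seconds a push approval stays valid (assumed value)

def new_challenge(user, amount_cents, merchant, now):
    """Server side: state exactly what the customer is being asked to approve."""
    return {"user": user, "amount_cents": amount_cents, "merchant": merchant,
            "nonce": secrets.token_hex(16), "expires": now + APPROVAL_TTL}

def _canonical(challenge):
    # Stable byte encoding so both sides authenticate the same message.
    return json.dumps(challenge, sort_keys=True, separators=(",", ":")).encode()

def device_approve(device_secret, challenge):
    """Device side: called only after the local fingerprint or face check passes."""
    return hmac.new(device_secret, _canonical(challenge), hashlib.sha256).hexdigest()

class ApprovalVerifier:
    def __init__(self):
        self.device_secrets = {}  # user -> secret enrolled on that user's device
        self.used_nonces = set()  # approvals already consumed

    def enroll(self, user):
        secret = secrets.token_bytes(32)  # never leaves the device after enrolment
        self.device_secrets[user] = secret
        return secret

    def verify(self, challenge, tag, now):
        secret = self.device_secrets.get(challenge["user"])
        if secret is None:
            return "unknown-device"
        expected = hmac.new(secret, _canonical(challenge), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "bad-signature"  # wrong device, or purchase details were altered
        if now > challenge["expires"]:
            return "expired"
        if challenge["nonce"] in self.used_nonces:
            return "replayed"
        self.used_nonces.add(challenge["nonce"])
        return "approved"

def demo():
    server = ApprovalVerifier()
    secret = server.enroll("alice")  # constructed sample user
    ch = new_challenge("alice", 464200, "X company", now=1000)  # the $4,642 purchase
    tag = device_approve(secret, ch)
    tampered = dict(ch, amount_cents=999900)  # same approval, different amount
    stale = new_challenge("alice", 464200, "X company", now=1000)
    return [server.verify(ch, tag, 1010), server.verify(ch, tag, 1020),
            server.verify(tampered, tag, 1020),
            server.verify(stale, device_approve(secret, stale), 2000)]
```

Because the amount and merchant are part of the authenticated message, an approval given for one purchase cannot be reused for another, which a six-digit OTP typed into a web form does not guarantee.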
Achieving frictionless CX
Having an easy-to-use login and ID process is critical in a world of online commerce. If you don’t get it right, customers will shy away from your business and spend their money elsewhere.
Taking the time now to design an elegant process that maintains security while also providing a great CX will ensure you are positioned to take advantage of future opportunities.
Ashley Diffey, country manager Australia, New Zealand and Japan, Ping Identity