The behavioral economics of authentication

Organizations can now implement authentication technologies that improve security and user experience. Consumers just need some nudging to follow along.

9 screen locking device lock down authentication
Getty Images

A key strategic client of ours shared that their app suffered a material abandonment rate when they required their customers to implement strong passwords. Maybe this group doesn’t use a password manager. Maybe they got tired of the password-reset process. Whatever their reasons, these customers just abandoned the app, loyalty incentives and all.

The app-abandoning customers may not go to a competing brand immediately, but there’s a higher risk that they will find an easier, less-secure experience elsewhere.

That isn’t doing anyone any good. We – consumers and organizations – need to change our behavior. Organizations can now implement authentication technologies that improve security and user experience. Consumers just need some nudging to follow along.

Instead of pushing, nudge

In “Nudge: Improving Decisions About Health, Wealth, and Happiness,” Richard Thaler and Cass Sunstein described a method for altering people’s behavior by changing the way choices are presented – the choice architecture – in a predictable way without forbidding any options or significantly changing the incentive structure. Since consumers don’t want to sacrifice convenience for security in the authentication experience, let’s explore how we might apply the nudge at login.

First, let’s unpack the nudge’s characteristics. I’ll paraphrase from Karen Renaud and Verena Zimmermann’s paper “Ethical Guidelines for Nudging in Information Security and Privacy” A nudge must:

  1. Preserve all pre-nudge options. Otherwise, consumers will have no choice in the matter, and may opt out.
  2. Balance incentives. We can’t reward one choice or punish another.
  3. Allow for the prediction of the choice that consumers will make. The ‘choice architecture’ increases the chances that the consumer will choose the intended option.
  4. Benefit the consumer, as judged by the consumer him or herself.

In the decade since Nudge’s publication, substantial discussion has focused on who decides what’s best for the consumer. It’s impossible to know what all consumers will judge ‘beneficial.’ Sunstein addressed many categories of objections to this notion in his recent article, “Misconceptions about nudges”. He argues that people struggle to choose what’s most beneficial for themselves because they lack time or expertise or simply don’t want to choose. In those cases, “default rules” (e.g., strong authentication for our purposes) can be a blessing.

So, when should users be left to choose an authentication method, and when should a default choice be made for them? Sunstein offers:

A simple framework, on which much more would have to be said: Inquire into the costs of decisions and the costs of errors. That framework helps to explain and organize sensible intuitions about when a large menu is an excellent idea (because people like to choose, and because a default option would produce errors) and when it is a terrible blunder (because people do not wish to choose, and a default rule will serve them well enough).

In the case of stronger authentication, costs of decisions to users include time spent learning about, weighing and implementing an option (traditional two-factor authentication takes some tech savvy to set up). Potential costs of errors to users are much higher: account takeover, identity theft, financial loss, and so on.

Following this simple framework, I conclude that stronger authentication should be the default option. However, we know that a substantial portion of the end-user population will opt out if security comes at the cost of convenience. They want the best of both worlds. Now that modern authentication technologies can deliver, I believe it’s time for organizations to increase gradually the ‘force’ with which they nudge their users toward these superior authentication methods.

Nudge customers toward strong authentication slowly

The decades-long standoff between security and convenience has cultivated an almost fatalistic acceptance that one of the two qualities must come at the expense of the other.

In fact, I believe many consumers have learned to equate inconvenience with security. It may be reassuring to experience some friction. I believe we must re-educate this sizeable group, lest they abandon their accounts for competitors still using less-convenient and -secure authentication methods.

The change must be gradual. Organizations can start by segmenting authentication choices by risk level.

Adapt the authentication challenge to the situation

For low-risk actions, such as checking an account balance, where there's no opportunity for an attacker to make a financial transaction, a lightweight authentication experience may suffice. For example, it may be enough to inspect and confirm that the current user’s device has already been paired to the user’s account.

This exact scenario has become commonplace for banks. Their customers want to grant third-party budgeting software (e.g.,, Yodlee, and Intuit) read-only access to their bank accounts. In service to those customers’ desires, banks may decide to apply a mid-weight scheme, such as checking for a trusted, paired Bluetooth device, at the time of authorization.

Then there are higher-risk actions such as changing account information or making a financial transaction. Here, we’d need some kind of step-up authentication to verify the user, such as a behavioral biometric in the flow.

In all of these scenarios, it’s more convenient and secure to offer modern, multi-factor authentication options. You may decide to begin with the highest-risk scenarios, or the most convenient methods.

This gradual process will allow customers time to realize they can have greater security and convenience. As they do, expect them to begin nudging organizations for more; through their patronage and loyalty.

Copyright © 2018 IDG Communications, Inc.

The 10 most powerful cybersecurity companies