CI Offers a Few Key Recommendations for Financial Institutions

Consumers want login security and convenience from websites and apps, repeatedly ranking these as top attributes in CI’s surveys and UX testing. But too often 2FA (two-factor authentication) challenges can become 2FA conundrums. As UX guru Jared Spool aptly explains, “If it’s not usable, it’s not secure.”

Below, we’ve gathered some best practices from our recent security-related research that should help firms balance login security with convenience.

Customers like control

When login security becomes too cumbersome, people find ways to circumvent it. In a recent survey, CI found that customers like having a sense of control over their security and the ability to customize security features—regardless of whether they actively customize their features. One of our recent brokerage reports (subscription required) found that to please and retain customers, firms should offer actionable security features that let customers feel as if they can strike their own balances between login security and convenience. Fidelity—the leading firm in the User Authentication subcategory of that report—stood out for its strong array of user-controlled security features, lending credence to the importance of variety.

[Screenshots: Fidelity mobile app Profile and Settings screens, including the security options]

Firms can educate consumers

Besides allowing customers to set their own security parameters, firms can communicate why providing personal information for security challenges directly benefits customers. Based on our recent research, CI recommends that firms state explicitly why information is being requested and how providing it will benefit the customer. Though some customers still fret over releasing their biometric data into the abyss, firms have the ability to alleviate some of these concerns. Firms should make data security assurances—when possible—to customers during setup.

Aside from education during setup, firms can also provide educational material during 2FA challenges themselves. In a recent CI benchmarking report, Chase stood out for providing FAQs as part of its 2FA challenge. The FAQs explain why the firm wants to verify the customer’s identity and how to use each security challenge. Similarly, Charles Schwab stood out for presenting a video that illustrates the reason behind the 2FA challenge, along with its own FAQ page. A recent CI survey revealed that most survey respondents view their financial institution as a partner in securing their accounts. Thus, financial institutions would be wise to make consumer education a priority, so customers understand why and how firms use their information during security checks.

[Screenshot: Schwab's FAQ page on security options]

Login options need both quality and quantity

While having a variety of 2FA options bodes well for convenience, firms cannot let security quality lapse. Of the top firms in the User Authentication category of the CI benchmarking assessment, none offer email as a 2FA option. Chase, for example, removed its email OTP option since the previous year’s report. The industry seems to be favoring authenticator apps and other newer, more secure 2FA methods. To soften the removal of certain previously favored methods, firms can offer customers a variety of modern and secure 2FA options. Even though some customers we surveyed dislike methods such as the hard token as “another thing to carry around,” there is no harm in offering an abundance of safe choices. A customer less inclined to carry a hard token may instead opt to download an authenticator app—the 2FA method survey respondents deemed the most secure—right to their smart device. More options make for more satisfied customers. What’s more, firms can offer soft tokens in conjunction with biometrics. In another security and authentication study this year, firms such as Fidelity and Charles Schwab stood out for allowing customers to use soft token login in conjunction with a biometric factor for an optimally secure user experience.

For more on user best practices in financial services, check out our Insights section. And learn more about CI’s benchmarking studies and industry landscape analysis services.

Emily Boyle