A secure and convenient authentication system for a world with no passwords!
This project was sponsored by Mastercard. We consolidated 8 months of UX Research and design into a UX Guidelines website for Designers, Developers and other internal stakeholders at Mastercard to use as a reference before integrating Continuous Authentication into existing or new products.
Grace Guo, Zohaib Khan, Scott Leinweber, Aroon Mathai, Xueting "Nika" Zhang
8 months (January 2018 - August 2018)
Led 1-2 week sprints (using Agile methodologies) through which my team and I designed 9 prototypes, testing and validating each through multiple iterations of user tests. Also, worked on market sizing, user story prioritization, defining success metrics and building a product roadmap.
Traditional authentication systems such as passwords, 4-digit PINs and security questions, to name a few, are secure but they aren't convenient. All of us memorize several passwords only to forget them when we need them the most! As a fix, we sometimes use systems like Captcha and Security Questions, but the problem with these systems is that they are nowhere near as secure as the less convenient systems.
The Convenience-Security Paradox
We, Team Mastercard, define Continuous Authentication as "a system that verifies who you are, whenever you need it, without you thinking about it."
Continuous Authentication uses an individual's information (factors) to identify them. This information ranges from traditional factors such as location data and biometric data to less common factors such as typing patterns (the way you type, how fast you type, etc.), sensor data (at what angle from the ground do you hold your phone generally). Using all this data, the system can identify you at any point in time. The moment you open Facebook, for example, your system will know it's you. You won't have to login and enter your password to prove that it's you!
While this is clearly more convenient, it is more secure too! The more factors the system uses, the more secure you are. Traditional secure systems use a maximum of 2 factors. Continuous Authentication can use up to 40 factors!
Continuous Authentication can use up to 40 factors to authenticate you
Mastercard recently acquired NuData Security, a company that has the technology necessary to implement Continuous Authentication.
Increased security in the authentication space can help solve real-world issues that are critical to different stakeholders like Banks, Merchants, Customers and Mastercard.
As great as this might sound on paper, people were uncomfortable with this system. Some people even found it invasive. Most people were not willing to provide all this data!
Our Persona - Mia Wallace
While on the subway, Mia gets a message from her bank informing her of a new service, Continuous Authentication. Mia goes through the in-app on-boarding and signs up. She gives permission to the service to collect data necessary for it to work effectively.
First Exposure and Onboarding
Mia continues to use her devices as usual. In the background, the app gradually learns her behavior patterns and their many nuances. It uses this information to create a virtual profile of her that becomes more and more detailed over time.
Once the system is confident that it can recognize Mia through her behavior, it authenticates her by itself. If she's on Facebook, it logs in for her. If she's shopping on Amazon, it fills in her details for her with high accuracy all the time.
Ideal Checkout Flow
However, there might be the rare occasion when the system is unable to recognize Mia. She might have bought a new device, be out of the country, or maybe she's even being hacked! At this point, the system immediately steps up and asks for a traditional form of authentication like a password.
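The passive learning phase, the automatic sign-in once the profile is trusted, and the step-up to a traditional challenge described above can be sketched as a small decision routine. The code below is an added illustration, not code from this project or from NuData's product: the four factors (device, country, typing cadence, phone tilt), their weights, the 0.75 step-up threshold, the five-session enrollment minimum and all of the sample sessions are constructed assumptions. It also records which factors looked unfamiliar so the user can be told why a step-up was triggered.

```python
"""Constructed example: confidence-based continuous authentication with step-up.

Assumptions (not from the project or NuData's product): four illustrative
factors, hand-picked weights, a 0.75 step-up threshold and a five-session
enrollment minimum. Real deployments use far more factors and learned models.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev

MIN_SAMPLES = 5           # sessions observed before the profile is trusted (assumed)
STEP_UP_THRESHOLD = 0.75  # confidence below this triggers a traditional challenge (assumed)
WEIGHTS = {"device": 0.35, "location": 0.25, "typing": 0.25, "tilt": 0.15}  # assumed


@dataclass
class Profile:
    """Behavioural profile learned passively while the user goes about her day."""
    consented: set = field(default_factory=lambda: set(WEIGHTS))  # factors the user opted in to
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    typing_ms: list = field(default_factory=list)   # mean inter-keystroke interval per session
    tilt_deg: list = field(default_factory=list)    # phone angle from horizontal per session
    samples: int = 0                                # sessions absorbed so far

    def learn(self, obs):
        """Absorb one session into the profile; only consented factors are stored."""
        if "device" in self.consented:
            self.known_devices.add(obs["device_id"])
        if "location" in self.consented:
            self.usual_countries.add(obs["country"])
        if "typing" in self.consented:
            self.typing_ms.append(obs["typing_ms"])
        if "tilt" in self.consented:
            self.tilt_deg.append(obs["tilt_deg"])
        self.samples += 1

    def ready(self):
        """The system only signs the user in by itself once enough behaviour has been seen."""
        return self.samples >= MIN_SAMPLES


def deviation_score(samples, value):
    """1.0 at the learned mean, falling linearly to 0.0 at three standard deviations."""
    sd = pstdev(samples) or 1.0
    z = abs(value - mean(samples)) / sd
    return max(0.0, 1.0 - z / 3.0)


@dataclass
class Decision:
    action: str        # "not_ready", "authenticate" or "step_up"
    confidence: float
    reasons: list      # factors that looked unfamiliar; shown to the user on step-up


def evaluate(profile, obs):
    """Score the current session against the profile and decide what to do."""
    if not profile.ready():
        return Decision("not_ready", 0.0, ["profile still learning"])
    scores = {}
    if "device" in profile.consented:
        scores["device"] = 1.0 if obs["device_id"] in profile.known_devices else 0.0
    if "location" in profile.consented:
        scores["location"] = 1.0 if obs["country"] in profile.usual_countries else 0.0
    if "typing" in profile.consented:
        scores["typing"] = deviation_score(profile.typing_ms, obs["typing_ms"])
    if "tilt" in profile.consented:
        scores["tilt"] = deviation_score(profile.tilt_deg, obs["tilt_deg"])
    if not scores:  # user opted out of everything: always fall back to a traditional challenge
        return Decision("step_up", 0.0, ["no factors consented"])
    # Renormalise so that opting out of a factor does not silently lower every confidence.
    total = sum(WEIGHTS[k] for k in scores)
    confidence = sum(WEIGHTS[k] * s for k, s in scores.items()) / total
    reasons = [k for k, s in scores.items() if s < 0.5]
    action = "authenticate" if confidence >= STEP_UP_THRESHOLD else "step_up"
    return Decision(action, round(confidence, 3), reasons)


# Constructed enrollment sessions for the persona: one phone, one country, steady habits.
ENROLLMENT = [
    {"device_id": "phone-A", "country": "US", "typing_ms": t, "tilt_deg": a}
    for t, a in [(180, 35), (175, 33), (185, 37), (190, 36), (170, 34), (180, 35)]
]
ROUTINE_CHECKOUT = {"device_id": "phone-A", "country": "US", "typing_ms": 182, "tilt_deg": 36}
UNFAMILIAR_CHECKOUT = {"device_id": "tablet-Z", "country": "FR", "typing_ms": 320, "tilt_deg": 36}


def build_profile(sessions, consented=None):
    """Enroll a profile from a list of sessions, optionally restricted to consented factors."""
    profile = Profile(consented=set(consented) if consented else set(WEIGHTS))
    for obs in sessions:
        profile.learn(obs)
    return profile


if __name__ == "__main__":
    mia = build_profile(ENROLLMENT)
    print(evaluate(mia, ROUTINE_CHECKOUT))      # authenticate, no reasons
    print(evaluate(mia, UNFAMILIAR_CHECKOUT))   # step_up; device, location and typing unfamiliar
    print(evaluate(build_profile(ENROLLMENT[:2]), ROUTINE_CHECKOUT))  # not_ready
```

The `reasons` list is what the checkout screen would surface on a step-up ("we didn't recognise this device"), and the renormalisation over consented factors is what lets a user who opts out of typing and tilt data still get a usable, if weaker, profile rather than a permanently low score.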
Our final deliverable, and all of our decisions throughout the project, were informed by users. We interviewed customers, merchants, academic experts and industry experts.
We tested and validated our hypotheses with the help of 9 prototypes ranging from low-fidelity mocks to hi-fidelity mocks to technical prototypes.
To understand the best way to introduce Continuous Authentication to users without it appearing creepy or invasive, we conducted an extensive pager study with 20 participants over the course of 8 days.
We provided each user with a credit card carrying unique information. Every day, each user browsed through one of the 4 prototype websites we created, performed an action on the website and filled out a survey with questions about their experience and sentiment towards the website.
Users browsing through a website using custom card
The three big questions we wanted answered were:
To answer these questions we split our users into 4 buckets. Users in each bucket would experience Continuous Authentication in different ways! The 4 buckets were:
The 4-Bucket plan for the Pager Study
Affinity Analysis on Pager Study notes
Affinity Grouping on Pager Study notes based on changing user emotion along the journey
One very clear finding was that users experienced and expressed a variety of very different emotions throughout the study. These emotions were more or less the same amongst users within the same bucket. We decided to plot them as an emotion-cloud across time to make more sense of the data.
The Emoji Graph depicting user emotion across 8 days
Out of all the buckets, users in bucket 3 seemed to have enjoyed their experience the most. These users experienced the convenience of Continuous Authentication and grew more and more used to it. However, what made their experience better than that of users in other buckets was that they were given control to opt out of the service any time they wanted!
Instead of explaining why different types of data are being collected, explain in simple terms the benefit users will experience.
For example, by adopting Continuous Authentication, parents will not have to worry about children making online purchases without prior permission.
Users rarely read!
Continuous Authentication as a concept takes a long time for users to intuitively understand. So messaging should be repeatedly conveyed in different ways, both through copywriting and UI micro-interactions.
Users liked to see how their decisions while opting-in to various types of data collection affected their security.
For example, a Weak-Medium-Strong progress bar, much like you may find while creating a password, to show how strong or weak their profile may be based on the data they're providing. Small micro-interactions like this can reinforce messages that slip through the cracks.
Although all users may get some type of Continuous Authentication rolled out to them, they should still be given the option to opt-out or reduce its impact on their sense of privacy.
While it may not be legally required in some markets, user sentiment was higher when given the option to control their participation. See User Control, Consent, and Autonomy.
People don't want to think about security!
Many people will click through any messaging and ignore options for opt-in or opt-out. These users are busy, but should have a thoughtful experience too. In this way, consent can be assumed, as long as the new experience is perceptibly more valuable to them than the previous method.
While we simulated GDPR and non-GDPR customer journeys, both enjoyed having some control over their profile creation phase. While this may be highly varied among market and product, transparency during the early stages is preferred.
Using a green check-mark or language like "you saved 3 minutes checking out!" to celebrate a convenient checkout.
Don't just explain how convenient the service is. It's hard for users to imagine how a new technology will work without experiencing it.
Using pre-existing UI elements and content design is comforting to users, and enhances the experience as it reinforces their current mental model.
"The green check makes me feel happy. It told me I'm verified. It reassures me that everything is working great." (Mobile Checkout)
Some phrases can make people feel secure while others trigger nervousness.
Sometimes, users are unable to navigate through a step up and the system should revert to a recovery scenario.
Users should always be aware as to why the security step-up was triggered.
Some friction in the payment process may be preferable as it creates a sense of security.
When experiencing something new, people like to fall back on what they know. Leverage existing mental models and design experiences that are similar to what users already perceive as secure.
One research question that was very important to the team, but one that we were not able to work on, was how Continuous Authentication works for users who might not be able to provide user data.
Intuitively, we believe there might be a lot of similarities to the way Continuous Authentication is implemented in countries governed by tight data privacy policies. Any Continuous Authentication product will have to be custom tailored from cultural and societal standpoints as well.
In our Customer Journey Study we simulated streams in a GDPR and a non-GDPR context. The GDPR sequence requires much more granular consent and permissions from the user, while the rest of the markets would need fewer permissions. However, it is still better for the user to tell them what will be collected and let them decide if they want to be party to the service.
5 Year Product Roadmap for Continuous Authentication
These are some metrics that would define whether the product is a success or not. Users can be categorized into different segments - customers, merchants and banks.