Continuous Authentication



A secure and convenient authentication system for a world with no passwords!

Summary

This project was sponsored by Mastercard. We consolidated 8 months of UX Research and design into a UX Guidelines website for Designers, Developers and other internal stakeholders at Mastercard to use as a reference before integrating Continuous Authentication into existing or new products.




Team

Grace Guo, Zohaib Khan, Scott Leinweber, Aroon Mathai, Xueting "Nika" Zhang



Duration

8 months (January 2018 - August 2018)


Role

Led 1-2 week sprints (using Agile methodologies) through which my team and I designed 9 prototypes, testing and validating each through multiple iterations of user tests. Also, worked on market sizing, user story prioritization, defining success metrics and building a product roadmap.


Skills

Scrum, Agile, Jira, Java, C++, C sharp, Swift, Go, PHP, HTML, CSS, JavaScript, SQL, Unity3D, Github, SVN



Final Deliverable: UX Guidelines for Continuous Authentication →


The Problem

The Convenience-Security Paradox

Traditional authentication system such as passwords, 4 digit pins and security questions to name a few are secure but they aren't convenient. All of us memorize several passwords only to forget them when you need them the most! As a fix, we sometimes use systems like Captcha and Security Questions but the problem with these systems are they are nowhere near as secure as less convenient systems.

The Convenience-Security Paradox


The Solution

Continuous Authentication

We, Team Mastercard, define Continuous Authentication as "a system that verifies who you are, whenever you need it, without you thinking about it."

Continuous Authentication uses an individual's information (factors) to identify them. This information ranges from traditional factors such as location data and biometric data to less common factors such as typing patterns (the way you type, how fast you type, etc.), sensor data (at what angle from the ground do you hold your phone generally). Using all this data, the system can identify you at any point in time. The moment you open Facebook, for example, your system will know it's you. You won't have to login and enter your password to prove that it's you!

While this is clearly more convenient, it is more secure too! The more factors that the system uses the more secure you are. Traditional secure systems use a maximum of 2 factors. Continuous Authentication can use up to 40 factors!

Continuous Authentication can use up to 40 factors to authenticate you



Opportunity Space

Mastercard recently acquired a company, NuData Security that has the technology necessary to implement Continuous Authentication.

Stakeholders involved


Increased security in the authentication space can help solve real world issues, critical to different stakeholders like Banks, Merchants, Customers and Mastercard.

  1. In the past six years, USD 112 billion has been stolen through identity fraud.
  2. About $118 billion in transactions are wrongly declined per year.


However

As great as this might sound on paper, people were uncomfortable with this system. Some people even found it invasive. Most people were not willing to provide all this data!

The Convenience-Security Paradox


Ideal Customer Journey

Our Persona - Mia Wallace

1. First Exposure

While on the subway, Mia gets a message from her bank informing her of a new service, Continuous Authentication. Mia goes through the in-app on-boarding and signs up. She gives permission to the service to collect data necessary for it to work effectively.

First Exposure and Onboarding


2. Profile Creation

Mia continues to use her devices as usual. In the background, the app gradually learns her behavior patterns and its many nuances. It uses this information to create a virtual profile of her, that becomes more and more detailed over time.

Profile Formation


3. Ideal Checkout Flow

Once the system is confident that it can recognize Mia through her behavior, it authenticates her by itself. If she's on Facebook, it logs in for her. If she's shopping on Amazon, it fills in her details for her with high accuracy all the time.

Ideal Checkout Flow


4. Security Step-Up

However, there might be the rare occasion when the system is unable to recognize Mia. She might have bought a new device, or out of the country or maybe she's even being hacked! At this point, the system immediately steps up and asks for a traditional form of authentication like a password.

Step-Up Experience


User-Centered Research

Our final deliverable was and all of our decisions throughout the project was informed by users. We interviewed customers, merchants, academic experts and industry experts.

46
Guerrilla Research Participants
11
Merchants
27
Academic and Industry Experts
47
Users

We tested and validated our hypothesis with the help of 9 prototypes ranging from low-fidelity mocks to hi-fidelity mocks to technical prototypes.


All 9 prototypes can be found here →



The Pager Study

To understand what is the best way to introduce Continuous Authentication to users without it appearing to be creepy or invasive, we conducted an extensive pager study with 20 participants over the course of 8 days.

20
Users
8
Days

We provided each user a credit card, with unique information. Each user browsed through one of 4 prototype websites we created every day, performed an action on the website and filled out a survey that contained questions regarding their experience and sentiment towards the website.

Users browsing through a website using custom card

The three big questions we wanted answered were:

  1. How do users feel, being monitored by the Continuous Authentication system?
  2. What is the best way to introduce Continuous Authentication to users? Do we not tell them anything? Do we keep them informed as much as possible?
  3. What is the best step-up experience, in case something goes wrong?


To answer these questions we split our users into 4 buckets. Users in each bucket would experience Continuous Authentication in different ways! The 4 buckets were:

The 4-Bucket plan for the Pager Study

  1. Bucket 1: No explanation or on-boarding is provided. Users have no control over what data is being collected
  2. Bucket 2: Minimum explanation is provided. Users are informed of the Continuous Authentication system and can opt-in
  3. Bucket 2: Minimum explanation is provided. Users experience the Continuous Authentication system and can opt-out
  4. Bucket 4: Extensive explanation and on-boarding is provided. Users have full control over what data is being collected

Affinity Analysis on Pager Study notes

Affinity Grouping on Pager Study notes based on changing user emotion along the journey



The Emoji Graph

One very blatant finding was that users experienced and expressed a variety of very different emotions throughout the study. These emotions were more or less the same amongst users within the same bucket. We decided to plot it in the form of an emotion-cloud, across time to make more sense out of it.

The Emoji Graph depicting user emotion across 8 days



Result

Out of all buckets, users in bucket 3 seemed to have enjoyed their experience the most relative to other buckets. These users experienced the convenience of Continuous Authentication and grew more and more used to it. However what made their experience better than users in other buckets was that they were given control to opt out of the service any time they wanted!


UX Guidelines


Phase 1 - First Exposure

Communicate value instead of technical details

Instead of explaining why different types of data are being collected, explain in simple terms the benefit users will experience.

For example, by adopting Continuous Authentication, parents will not have to worry about children making online purchases without prior permission.

Learn more →

Educate and Re-Educate


Users rarely read!

Continuous Authentication as a concept takes a long time for users to intuitively understand. So messaging should be repeatedly conveyed in different ways, both through copywriting and UI micro-interactions.


Learn more →

Leverage existing security mental models

Users liked to see how their decisions while opting-in to various types of data collection affected their security.

For example, a Weak-Medium-Strong progress bar, much like you may find while creating a password, to show how strong or weak their profile may be based on the data they're providing. Small micro-interactions like this can reinforce messages that slip through the cracks.

Learn more →

Allow users to opt-out


Although all users may get some type of Continuous Authentication rolled out to them, they should still be given the option to opt-out or reduce its impact on their sense of privacy.

While it may not be legally required in some markets, user sentiment was higher when given the option to control their participation. See User Control, Consent, and Autonomy.


Learn more →

Make defaults secure and convenient

People don't want to think about security!

Many people will click through any messaging and ignore options for opt-in or opt-out. These users are busy, but should have a thoughtful experience too. In this way, consent can be assumed, as long as the new experience is perceptibly more valuable to them than the previous method.

Learn more →


Phase 2 - Profile Forming

Provide transparency during profile formation

While we simulated GDPR and non-GDPR customer journeys, both enjoyed having some control over their profile creation phase. While this may be highly varied among market and product, transparency during the early stages is preferred.

Learn more →


Ideal Checkout Flow

Reduce cognitive load

An ideal convenient checkout experience should require minimal user attention.

"When I think about payments, I don't want to think about payments."Avatar Game
Learn more →

Celebrate convenience

Using a green check-mark or language like "you saved 3 minutes checking out!" to celebrate a convenient checkout.

Don't just explain how convenient the service is. It's hard for users to imagine how a new technology will work without experiencing it.

Learn more →

Rules of thumb, or heuristics, are powerful tools

Using pre-existing UI elements and content design is comforting to users, and enhances the experience as it reinforces their current mental model.

"The green check make me feel happy. It told me I'm verified. It reassures me that everything is working great." Mobile Checkout
Learn more →

Language is key

Some phrases can make people feel secure while others triggers nervousness.

Like UI elements, even text does very well, even if not read closely. A "Data is encrypted" phrase and a link to the Privacy Policy - even if it wasn't clicked on, made people feel much more secure. Just having a link to a Privacy Policy made the site feel safer for some.

Learn more →

UI elements should convey security

Small UI elements and micro interactions can make a page feel much more secure

"Check boxes help me know that I have to acknowledge and accept what I'm agreeing to…"MC Onboarding



Learn more →


Security Step-Ups

Design an exit strategy

Sometimes, users are unable to navigate through a step up and the system should revert to a recovery scenario.

Users should always be aware as to why the security step-up was triggered.



Learn more →

Friction reinforces security

Some friction in the payment process may be preferable as it creates a sense of security

When experiencing something new, people like to fall back on what they know. Leverage existing mental models and design experiences that are similar to what users already perceive as secure.

Learn more →

Final Thoughts


Continuous Authentication and Accessibility

One research question that was very important to the team but one that we were not able to work on, was how does Continuous Authentication work for users who might not be able to provide user data.

Intuitively, we believe there might be a lot of similarities to the way Continuous Authentication is implemented in countries governed by tight data privacy policies. Any Continuous Authentication product will have to be custom tailored from cultural and societal standpoints as well.

In our Customer Journey Study we simulated streams in a GDPR and non-GDPR context. The GDPR sequence requires much more granular consent and permissions from the user, while the rest of the markets would need fewer permissions. However, it still is better for the user to tell them about what will be collected and let them decide if they want to be party to the service.


Product Roadmap

5 Year Product Roadmap for Continuous Authentication



Measuring Success

These are some metrics that would define whether the product is a success or not. Users can be categorized into different segments - customers, merchants and banks.


Acquisition metrics

  1. Number of users that adopt Continuous Authentication.
  2. Number of new Mastercard users

Activation metrics

  1. Number of users that complete onboarding
  2. Number of users that have weak profiles, by providing less than average amounts of data
  3. Number of users that have weak profiles, by providing average amount of data
  4. Number of users that have weak profiles, by providing more than average amounts of data
  5. Number of users that experience a step-up

Engagement metrics

  1. Churn rate (Number of users that opt-out)
  2. Customer satisfaction metrics, NPS scores
  3. Number of users that have weak profiles, by providing average amount of data
  4. Number of users that have weak profiles, by providing more than average amounts of data

Monetization metrics

  1. Number of False Declines per unit time
  2. Net loss due to Identity Theft
          

© Aroon Philip Mathai 🐶