Credential stuffing, whereby automated systems are used to access user accounts with stolen usernames and passwords, has exploded as cybercriminals have adopted increasingly intelligent and sophisticated methods to circumvent the traditional countermeasures deployed by organisations.
In particular, hackers are deepening their capabilities around imitating legitimate users. They use the same tools that users do, automating production browsers, such as Chrome, Firefox and Safari, and proxying through residential IP addresses.
By emulating human traffic and behaviour, they can bypass lower-friction defences, multi-factor authentication (MFA) gates and rate limits to take over accounts, crack cards or steal data. Malware sits resident on victims’ computers, scraping their credentials and delivering them back to fraud marketplaces.
Intelligent phishing proxies, which seamlessly skin over a legitimate website and then intercept the traffic that goes through, are also on the rise. Users are fooled into thinking they are logging into their email account or online banking, as the web page looks the same, but meanwhile their credentials are being stolen by a cybercriminal. In response, organisations have been drastically stepping up their authentication layers.
“Five years ago, it was not uncommon to find that the only way an organisation was authenticating users was through a single login form on a webpage. Fraudsters had free rein past that point,” says Jarrod Overson, director of engineering at Shape Security. “Now, MFA is commonplace, we’re seeing more magic links and then even past the first login gate, companies are increasingly risk-scoring each user’s behaviour to assess whether they need to be authenticated further.”
Security ≠ friction
While organisations have undoubtedly added more security to their authentication, they’ve also added more friction to the user experience. CAPTCHA tests (completely automated public Turing tests to tell computers and humans apart) are frequently derided on social media networks as a painful process for proving human identity, while even MFA causes a significant level of disruption to a customer journey, even more so if the user doesn’t have their smartphone to hand.
This additional friction comes at a time when IT, marketing and sales departments are already eroding the seamlessness of their digital channels, whether through pop-ups urging people to accept privacy policies, user session tracking or customer journey mapping. When companies then start to apply security onto those applications, it can easily feel like they are imposing far more friction than is necessary.
Organisations that add a lot of friction to mitigate fraud may incorrectly think they are improving their security defences. Meanwhile, however, they are likely to be overlooking the downstream damage they’re causing to their customer experience. Too much friction can negatively impact account creation, logins and conversion rates. More worryingly, they’ll soon find their social media pages blighted by poor reviews that damage their brand and reputation, and ultimately their sales will be affected.
“Companies need to architect a better balance between security and user experience,” says Overson. “Attackers have started with basic tools that did a simple job and have evolved over the last five years to more convincingly look generically human. Now they are moving towards more aggressively looking specifically human. As defences improved to block questionable behaviour, attackers responded by creating tools to exploit and imitate individual users with all their nuances.”
Shape Security, which protects more than one billion transactions per day from imitation attacks, leverages artificial intelligence and machine learning to build security and anti-fraud solutions that are completely configurable to the customer application and the attacker. This allows companies to reduce friction for their legitimate users while dynamically ramping it up for potentially bad traffic, and even more aggressively for actual attackers.
“We’re showing through our solutions that authentication need not come at the expense of customer experience,” Overson concludes. “A combination of layered defences against attackers alongside positive rewards for legitimate users makes it easier to see how additional security can actually improve the overall experience.”
For more information please visit shapesecurity.com