Security Step-Ups

Related Prototypes: Lemonade Stand / Customer Journey Study
  1. Overview
  2. Ideal Flow Demo
  3. Type of Step ups
  4. Guidelines

Overview

Throughout the course of normal use, a user's trust score will periodically fall below an acceptable level for authentication. (Trust score: instead of logged-in vs. logged-out, the user gets a rating of how "authentic" they are at any given time. Source: NuData.) If the user is trying to log in, or to authenticate during a checkout, at that point, they will be prompted to provide more data to authenticate with. This prompt is called a step up. (Step up: a prompt for the user to provide another data point, or factor, for added security. Source: NuData.)


Reinforcing Security

Going through a step-up adds an extra step to the checkout process. Because it adds friction, it can make people feel slightly hindered, but also safer. Periodic step ups, even without an immediate security need, can reassure users that "someone is watching out for them".


Ideal Flow Demo



Types of step ups

Types of step ups include ones we've all seen before: security questions, a code sent to your email or phone, or, more recently, "one-button authentication".
Example of one-button authentication: How to Set Up Google's New Code-Less Two-Factor Authentication

Two less common options, which also open the door to more data collection and more engaging integrations:

Picture-based passwords
Eye tracking
Donut Circling
Star Drawing
Swipe through Images


Additional research on picture-based passwords


Guidelines

01. Play off current mental models

People feel more secure if it's something similar to what they currently use (like 2FA over SMS).

[On email step-up] "It noticed the change. [I] feel even better about the process." (Customer Journey Study)
"I liked PIN and phone tap because it's more like how it works today." (Coffee Shop)
Do: Design step ups that are similar to experiences users already perceive as secure.

Users also compared some step ups to captchas, and sometimes thought that the security aspect was more focused on identifying if they are a robot, rather than identifying them as a specific user.

"I think it is a Captcha type of thing, they are verifying you are a human. I find it annoying. Why is it happening?" (Customer Journey Study)
Don't: Design step ups that do not inherently communicate security (like CAPTCHA).

02. Be careful with words

Users don't need to know exactly why they're going through a step up.

"I'd be happy that you're being protective, but tracking my behavior? To heck with you!" (Customer Journey Study)
Do: Efficiently communicate what needs to be done.
Don't: Feel the need to communicate exactly why the step up is being shown.

03. Design an exit strategy

Sometimes users are unable to get through a step up, and the system should then revert to a recovery scenario rather than leaving them stuck.

Do: Allow the user to exit.
Don't: Leave the user without a clear exit.
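The overview describes the mechanism (a trust score that drops below a threshold triggers a step up at login or checkout) and guideline 03 requires a way out when the step up cannot be completed. The following is an added example of how those two pieces fit together in code; it is not part of the original page and not NuData's implementation. It assumes a trust score in the range 0 to 1 supplied by some external risk engine (treated as an opaque input), illustrative per-action thresholds, a six-digit code sent by email or SMS as the step-up factor, and a maximum of three wrong attempts before the flow exits to account recovery. The delivery channel is stubbed: the code is returned to the caller instead of being sent, so the example runs offline.

```python
"""Risk-based step-up with an exit strategy (added example, not the page's code).

Assumptions (not from the original page): trust_score in [0, 1] from an
external risk engine, thresholds below, an emailed/SMS one-time code as the
extra factor, and MAX_ATTEMPTS wrong codes before handing off to recovery.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"        # trust score high enough, or factor verified: no prompt
    STEP_UP = "step_up"    # ask for (or re-ask for) one more factor
    RECOVERY = "recovery"  # exit strategy: step up exhausted, hand off to account recovery


# Illustrative values. Checkout moves money, so it demands a higher score than login.
THRESHOLDS = {"login": 0.5, "checkout": 0.7}
MAX_ATTEMPTS = 3          # after this many wrong codes, stop re-prompting
CODE_TTL_SECONDS = 300    # a delivered code is only good for five minutes


def decide(action: str, trust_score: float, failed_attempts: int = 0) -> Decision:
    """Map the current trust score (and any prior failures) to a decision."""
    if failed_attempts >= MAX_ATTEMPTS:
        return Decision.RECOVERY          # never loop the user through endless prompts
    if trust_score >= THRESHOLDS[action]:
        return Decision.ALLOW
    return Decision.STEP_UP


@dataclass
class StepUpChallenge:
    code_digest: bytes      # only a hash of the code is kept server-side
    expires_at: float       # absolute time after which the code is useless
    failed_attempts: int = 0


def _digest(code: str) -> bytes:
    return hashlib.sha256(code.encode("ascii")).digest()


def issue_challenge(now: Optional[float] = None) -> Tuple[StepUpChallenge, str]:
    """Create a fresh six-digit code from a CSPRNG.

    Returns the stored challenge and the plaintext code; in a real system the
    plaintext goes to the email/SMS channel and is never stored.
    """
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 6):06d}"
    return StepUpChallenge(_digest(code), now + CODE_TTL_SECONDS), code


def verify_challenge(challenge: StepUpChallenge, submitted: str,
                     now: Optional[float] = None) -> Decision:
    """Check a submitted code.

    ALLOW on a correct, unexpired code; STEP_UP when the caller should
    re-prompt (wrong code with attempts left, or an expired code that should
    be re-issued); RECOVERY once the attempt budget is spent.
    """
    now = time.time() if now is None else now
    if challenge.failed_attempts >= MAX_ATTEMPTS:
        return Decision.RECOVERY          # budget already spent: no late successes
    if now > challenge.expires_at:
        return Decision.STEP_UP           # not the user's fault: issue a new code
    if hmac.compare_digest(challenge.code_digest, _digest(submitted)):
        return Decision.ALLOW             # constant-time compare of the digests
    challenge.failed_attempts += 1
    if challenge.failed_attempts >= MAX_ATTEMPTS:
        return Decision.RECOVERY          # the exit strategy from guideline 03
    return Decision.STEP_UP


if __name__ == "__main__":
    challenge, code = issue_challenge()
    print("decision for checkout at score 0.6:", decide("checkout", 0.6).value)
    print("delivered code (stub):", code)
    print("verify:", verify_challenge(challenge, code).value)
```

The two guidelines the page gives are visible in the structure: the prompt wording is left to the caller (guideline 02, the decision says only what to do next), and every path that cannot succeed ends in RECOVERY rather than another identical prompt (guideline 03). Tuning THRESHOLDS decides how often users see friction at all.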

04. Tell, and tell again

Provide messaging repeatedly throughout the customer journey.

Step ups are a necessary break in the checkout flow. This provides an opportunity for re-education and for reinforcing the secure nature of the system.

05. Friction reinforces security

Some friction in the payment process may be preferable, as it creates a sense of security.

When experiencing something new, people like to fall back on what they know. Leverage existing mental models and design experiences that are similar to what users already perceive as secure.