The Future of Authentication
Reimagining security while streamlining the payment experience
COMPANY
Mastercard, CMU Capstone Project
TEAM
Grace Guo, Scott Leinweber, Aroon Mathai, Xueting Zhang, Zohaib Khan
ROLE
Team Lead, Project Manager, UX Designer
TOOLS
Origami, HTML/CSS/JS, Sketch
DURATION
7 Months
THE OPPORTUNITY
The current user experience for authentication is terrible. Technology on the horizon can help make authentication more secure and convenient. But what will the UX look like?
THE OUTCOME
Created a website with UX guidelines for Continuous Authentication that Mastercard can use internally and provide to their largest clients.
SKILLS
Contextual Inquiry
Research Methods (Pager Study)
High Fidelity Prototyping
Product Management
Sprint Methodology
Passwords are terrible.
We forget them, have too few or too many, and we’re constantly under threat of them being compromised. We buy a lot of stuff online, and credit cards, while they work fairly well in physical stores, aren’t particularly well suited to online transactions (hence the rise of Paypal and more recently, Apple Pay).
There are two aspects of digital payments that need massive improvement: better, more secure ways of proving you are who you say you are, and a hassle-free payment experience.
Security
16.8 billion dollars were stolen from US consumers in 2017. (Business Wire)
Account takeover fraud tripled in 2017, and online (card-not-present) fraud is now 81% more prevalent than in-store fraud. (Javelin Strategy)
Convenience
Due to friction in the checkout process online, approximately 70% of online shopping carts are abandoned. (Baymard Institute, Shopify)
The issue is even more pressing on mobile - while 30% of carts result in an order on desktop, only 19% of carts result in an order on smartphones. (Adobe Digital Insights)
How can we alleviate these security concerns for people, and simultaneously deliver a seamless checkout experience?
Continuous Authentication
A short video we created to explain to users what Continuous Authentication is prior to select user tests.
Continuous Authentication is a new paradigm of authentication that is more secure and more convenient than current methods. After seven months of human-centered user experience research, our team defines Continuous Authentication as a system that verifies who you are, whenever you need it, without you thinking about it.
This system draws on a wide variety of user data, from device data to active and passive biometrics, to identify a cardholder whenever required. For the user, the benefits are twofold: security and convenience. It identifies them without them thinking about it (or fetching their card), and protects their identity and data more securely than traditional means.
Most online logins and card purchases today rely on only one or two factors. Multi-factor authentication is often summarized as "pick two of three," the three common categories being "something you have" (an ID card or token), "something you know" (a passphrase or security answer), and "something you are" (a fingerprint or other biometric). A system is stronger when it combines factors from different categories, since two factors of the same category (a password plus a security question are both "something you know") can be stolen together.
Continuous Authentication does not limit itself to a few binary factors; it can weigh 40 to 50 signals at a time to produce a "trust score" for how confident the system is that the person acting is the cardholder. Authentication becomes a gradient rather than a yes/no gate. Depending on how high the score is (often shown as a percentage), the user is allowed different activities: a cardholder with a moderately high score might check their balance, but need a higher score to withdraw cash or make a payment, and a score that falls just short triggers a step-up (an explicit factor such as a fingerprint) rather than an outright refusal.
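The trust-score model described above, as an added example that is not Mastercard's or the capstone team's code: a weighted score over signals whose evidential value decays with age (which is what makes the authentication continuous rather than a one-time gate), a minimum score per action, and a step-up band just below each threshold. The signal names, weights, half-lives, thresholds and the two sample sessions are all assumptions constructed for illustration.

```python
# Added illustrative example of a gradient "trust score" for Continuous Authentication.
# Not Mastercard's or the capstone team's code; every signal, weight, half-life and
# threshold below is an assumption chosen to show the mechanism.
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Signal:
    """One authentication factor as observed in the current session."""
    name: str
    weight: float        # assumed relative importance of this factor
    confidence: float    # 0..1: how well the observation matches the enrolled profile
    observed_at: float   # seconds since session start when it was last observed
    half_life: float     # seconds until its evidential value halves

    def value_at(self, now: float) -> float:
        """Confidence decayed by age: stale evidence counts for less."""
        age = max(0.0, now - self.observed_at)
        return self.confidence * 0.5 ** (age / self.half_life)


# Assumed minimum trust score (0..1) per action; riskier actions need more evidence.
ACTION_THRESHOLDS = {
    "view_balance": 0.60,
    "payment_low": 0.75,   # assumed: small card-not-present purchase
    "payment_high": 0.85,  # assumed: large purchase or cash withdrawal
}
STEP_UP_BAND = 0.25  # assumed: this far below a threshold we ask for an active factor


def trust_score(signals: list[Signal], now: float) -> float:
    """Weighted mean of the decayed signal confidences, as a fraction in 0..1."""
    total_weight = sum(s.weight for s in signals)
    if total_weight == 0:
        return 0.0
    return sum(s.weight * s.value_at(now) for s in signals) / total_weight


def decide(signals: list[Signal], action: str, now: float) -> str:
    """Return 'allow', 'step_up' or 'deny' for `action` at time `now`."""
    score = trust_score(signals, now)
    threshold = ACTION_THRESHOLDS[action]
    if score >= threshold:
        return "allow"
    if score >= threshold - STEP_UP_BAND:
        return "step_up"
    return "deny"


def refresh(signals: list[Signal], name: str, now: float) -> list[Signal]:
    """Model a successful step-up: the named active factor is re-observed at full confidence."""
    return [replace(s, confidence=1.0, observed_at=now) if s.name == name else s
            for s in signals]


# Constructed sample session: an enrolled cardholder on their usual phone, which they
# unlocked with a fingerprint at t=0. Weights and half-lives are assumptions.
ENROLLED_SESSION = [
    Signal("device_fingerprint", weight=3, confidence=1.0, observed_at=0, half_life=7 * 24 * 3600),
    Signal("geolocation", weight=2, confidence=0.9, observed_at=0, half_life=6 * 3600),
    Signal("typing_cadence", weight=2, confidence=0.8, observed_at=0, half_life=30 * 60),
    Signal("fingerprint_unlock", weight=4, confidence=1.0, observed_at=0, half_life=15 * 60),
]

# Constructed sample: the same profile seen from an unknown device in an unusual place,
# with no biometric and a poor typing-cadence match.
UNKNOWN_DEVICE = [
    Signal("device_fingerprint", weight=3, confidence=0.0, observed_at=0, half_life=7 * 24 * 3600),
    Signal("geolocation", weight=2, confidence=0.2, observed_at=0, half_life=6 * 3600),
    Signal("typing_cadence", weight=2, confidence=0.3, observed_at=0, half_life=30 * 60),
    Signal("fingerprint_unlock", weight=4, confidence=0.0, observed_at=0, half_life=15 * 60),
]


if __name__ == "__main__":
    scenarios = [
        ("just after unlock", 0, ENROLLED_SESSION),
        ("20 minutes later", 1200, ENROLLED_SESSION),
        ("after fingerprint step-up", 1200, refresh(ENROLLED_SESSION, "fingerprint_unlock", 1200)),
        ("unknown device", 0, UNKNOWN_DEVICE),
    ]
    for label, now, signals in scenarios:
        verdicts = {a: decide(signals, a, now) for a in ACTION_THRESHOLDS}
        print(f"{label:26s} trust {trust_score(signals, now):5.1%}  {verdicts}")
```

Running the block prints the four scenarios. Just after the unlock every action is allowed at about 95%; twenty minutes later the short-lived biometric has decayed and the score has slid to about 67%, enough to view a balance but not to pay without a step-up; a fresh fingerprint brings it back to about 89% and unlocks the high-value payment; the unknown device never gets out of the deny range. The decision is the same function throughout, only the evidence changes, which is the gradient the text describes.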
DESIGN GUIDELINES FOR CA
To help make this vision a reality in the near future, our efforts have crystallized into a set of UX guidelines. They are presented as a website for anyone at Mastercard to reference, but especially designers and product owners.
PROTOTYPES
One of our earliest prototypes investigated a game for users to play to fill out their profile data. We tested different ways to incentivize users to provide data for the system to work.
Research Questions
- How do people respond to being asked to provide their personal data?
- How can we succinctly convey the value of Continuous Authentication to the average person?
- Can "logging in" be playful or fun?
These avatar storyboards imagine a scenario where your credit card is so tightly bound to your mobile device that handing your phone to someone else immediately shifts the payer's identity to the person holding the phone.
Research Questions
- How can we best demonstrate how Continuous Authentication works and its value?
- How do people respond to being asked to provide their personal data?
- In a physical space, how can this technology be more convenient than Apple Pay, or even just using your card?
Version 1
Version 2
To start ideating how users would onboard and opt in to a Continuous Authentication service, we created a few onboarding experiences. This one is effectively a microsite for a fictional Mastercard Instant Checkout service, where users can learn about it and sign up.
Research Questions
- How do we demonstrate how Continuous Authentication works?
- How do people respond to being asked to provide their personal data?
- How much do people want to see the details of background data collection?
- Do they perceive background data collection as creepy? Trustworthy? Transparent?
- Is transparency a requirement for trusting the system?
Similar to the last prototype, this one ideates how users could onboard as well as use a Mastercard Instant Checkout service on a small business webshop. Messaging, graphics, and UI elements varied here.
Research Questions
- How much background should be shown during a checkout session?
- How can we build trust in a Continuous Authentication interface?
We tested 6 different versions.
To branch into a physical experience, we set up a lemonade stand on the street. Visitors used a credit card on a POS tablet, and their personal details were filled out - magically! We mainly were testing perceptions around facial recognition and using it in a public space.
Research Questions
- How do people actually feel about their face being recorded in a physical store?
- What should the recovery experience be at a physical POS?
To piggyback off the lemonade stand, we broadened our reach into a number of different interactions that could identify a customer at a point-of-sale in a store. We simulated a cafe setting with 5 different types of interactions to test. Long story short - credit cards are actually really convenient!
Research Questions
- In a brick-and-mortar store, how can you identify the next customer in the queue?
- What's the preferred step-up experience in a physical store?
- Can Continuous Authentication work today without buying new POS hardware?
- How can loyalty and pre-order apps (like Starbucks) be used with Continuous Authentication?
- With Continuous Authentication, how can the payment experience disappear without startling customers?
Iteratively over many weeks we honed an onboarding flow using a card issuer's mobile app. This made sense because many users already have mobile banking apps to check their balance, and could easily learn about the service and opt in there.
Research Questions
- How do we communicate what Continuous Authentication is, how it works, and what value it provides?
- What level of control fidelity do people want to see while onboarding?
- Is security or convenience more valuable to customers while learning about it?
While still investigating merchant adoption and integrations, we tested a number of options using a Pizza Hut mobile site. Onboarding was tested here too, since users could potentially learn about the service and opt in while buying something online.
Research Questions
- Are merchant sites a reasonable context to opt in interested customers?
- Which do customers respond best to, convenience or security?
- Which types of UI elements convey security the most?
- Where in a checkout flow is a reasonable spot to advertise this new service?
To study how users would react to Continuous Authentication features over time, such as personal data being autofilled and various types of step-ups, we embarked on our largest and most intensive study. It took 20 users through various customer journeys over the course of eight days.
Research Questions
- What is the customer journey...
  - ...for multiple step-ups?
  - ...for the first purchase, and the Nth purchase?
  - ...between onboarding and the first purchase?
  - ...as people gradually stop using passwords?
  - ...from a web session point of view?
- Do we need to explain what CA is?
- How do users react to a profile being created of them without their consent?
NEXT STEPS
Continuous Authentication is on the horizon. Its precursor, risk-based authentication, is already helping consumer security while aiming to keep the payment experience seamless (as seen with 3-D Secure 2.0).
Questions left to explore
DESIGNING FOR ACCESSIBILITY We did not explore how Continuous Authentication profile creation works for people with disabilities (that was out of scope for our project). Because this technology could affect millions of people with disabilities worldwide, designing for accessibility is a critical next step.
SHARED DEVICES/ACCOUNTS Many parents allow their children to use their credit card for specific situations. Other times, multiple family members or friends may use the same laptop, or even smartphone. How would Continuous Authentication work for scenarios like these?
GDPR AND DISCLOSURE The General Data Protection Regulation became applicable throughout the EU in May 2018 and strengthens protections against people's personal data being misused. It has been on every technology company's radar since it was adopted in 2016, and it is the reason for the dozens, if not hundreds, of privacy policy update emails you may have received. It gives EU residents far more control over their personal data than US residents have. How different would the onboarding and data collection phases of Continuous Authentication be under GDPR versus in the US or China? We have findings related to this topic, but more questions to answer.
PHYSICAL SPACES We did extensive prototyping and user testing to attempt to design for what the future of payments could look like in a physical space, using Continuous Authentication. A big constraint was that merchants should not have to buy additional hardware to make our solutions work (since that is how past experiments, like Google Hands Free, failed). What we found was that credit cards, especially the chip-and-PIN kind, work very well and we could not design a solution that worked better while meeting the constraint. However, this is an area that needs to be explored further.