5 Key Considerations When Securing Online Customer Accounts
Securing your customers’ accounts with a only password is no longer good enough. The answers to the following five questions will help you choose the best approach to keeping your customers’ accounts, and their data, protected.Learn More
5 Key Considerations When Securing Online Customer Accounts
Customer trust is vital to the success of your business. Your goal is to allow new customers to quickly create accounts and get them using your products fast. Typically you collect some sort of personal information, such as an email address, phone number or date of birth and social security numbers. Then, over time, a relationship forms as customers invest in your business, be it depositing money into an online bank account, creating engaging videos in your online streaming service, or uploading valuable business data. Protecting that relationship is crucial. But when it comes to fighting against the modern tools of criminal hackers, securing your customer’s accounts using only a password is just not good enough to maintaining customer trust.
Ask yourself the following five questions as you consider the best approaches to keeping your customer's accounts, and their data, protected.
How do I ensure that new signups for my service are from real people and not generated by some automated spambot?
Before investing in securing accounts, it’s wise to be certain that those accounts are worth protecting in the first place. Your business value will decrease if it’s full of fake accounts spreading spam and trolling your legitimate customers. Even worse are accounts created for the sole purpose of impersonating others.
- First, it’s very important to have visibility into your signup flow. Make sure every step is orchestrated so you can analyze not only the conversion but also identify potential bot behavior.
- Consider using reCAPTCHA to prevent robots from filling out forms. It’s free from Google, and the latest versions can be implemented with minimal user impact.
- Avoid relying solely on emails to verify if new accounts are tied to real people. Instead, verify a phone number — something that's much harder to fake.
If relying on passwords is no longer adequate, how do I improve account security for my customers?
Data breaches seem to be happening round-the-clock these days, exposing all sorts of customer data to the internet and rendering it completely ineffective for businesses to rely on just a password at login. If your customer's login information has been disclosed, even if it was from a site other than yours, it can have negative ramifications for your business. Therefore you need to add something else to the authentication process to ensure your applications are accepting logins from the right person.
- The quickest way to achieve stronger authentication is by sending a One Time Passcode (OTP) to the user via SMS. The vast majority of your customers will have access to a text-enabled phone, but in the instances they do not, OTP codes can be delivered via a voice call.
- While SMS is an easy way to get 2FA implemented, the best user experience, and a more secure solution, is push authentication. You can deliver push-based 2FA using a pre-built mobile app like Authy or build it into your own mobile app using SDKs.
- While passwords are not ideal, they are not going away anytime soon. To make your customers lives easier, ensure you have a sensible and secure password policy in place.
- Also, to better secure the use of a password, when your customer provides one check it against Troy Hunt’s Pwned Password API.
How do I secure high-value, in-application transactions?
Just because a user has signed in once, it doesn’t mean it’s OK to drop your security guard. If you allow users to perform high-value transactions, such as large money transfers or the deletion of mass amounts of data, you need to protect them. Threats to your customers should be addressed at all points of their interaction with your business.
- The same authentication methods used for login can apply to high-value transactions in an application. Consider re-asking for a password, or sending a One Time Passcode via SMS before approving a transaction.
- It doesn’t always make sense to authorize every transaction, so only require re-authentication when the value of the transaction is over a certain threshold or is one of high risk.
- The speed of response is key to providing a good user experience. So once again, look to push authentications to provide the quickest and easiest user experience.
How much time and effort should I spend on supporting users who lose passwords or devices?
No matter how well you design the signup and login experience, users will forget passwords and lose their phones. This results in the need to recover access and is often an area of your business that doesn’t get the attention it deserves. An imperfect process will frustrate customers and likely be insecure, allowing an easy backdoor for hackers. If you make the process too strict it can place a burden on the support teams trying to help customers regain account access.
- Do everything you can to automate the process. There are high costs associated with customers having to call your support agents to regain access. Self-service allows for a quicker and better experience.
- Don’t confirm if an account exists when someone starts the recovery process. Always have the same response even if the user enters an account name that you don’t recognize. Just leaking the fact that a user has an account, and what the account name is, can compromise your customer’s privacy.
- The most common method for self-service password reset is sending a reset link via email. However, a user's email is usually the first thing to be compromised as part of an account takeover, so it's often preferable to send the reset link via SMS instead, as it’s a lot harder to intercept.
How much do I really know about the user accessing my business?
Just accepting a username and password for each login is relying on only a few small pieces of information. Wouldn’t it make sense to know as much as possible about the user to ensure they are legitimate? Where possible, get context about the signup, authentication, or authorization. Identify the device they are on and the browser they are using. What network are they connected to? IP address? What are their normal login behaviors? Is it normal for them to access your business at 3 am? Use this context to make a risk-based decision that either increases the security of a specific action or reduces the impact of security by avoiding certain steps for low-risk activity.
- Start by adding trusted browsers or devices into your authentication flow. If you’ve used strong authentication (i.e., two-factor authentication), remember the browser and device combination, sometimes called device fingerprinting. This allows you not to have to ask the user to go through strong authentication every time.
- If you are using a phone number as part of the user's identity, consider using phone number lookup services to get data on the user to validate their identity. Also, if their phone number has changed (such as the carrier or if they’ve recently changed the SIM card), it’s an indication they might be under attack.
- If any of the attributes you collect don’t match the user's history, the risk is increased, and you should take steps to increase authentication or even re-verify the user.
Building Better Security
The Twilio Authy API, combined with our free Authy 2FA app, offers security that goes beyond standard password protection. Some clients opt for the Authy SDK to embed 2FA directly into existing apps. Twilio provides both with easy enrollment, edge case coverage, and 24/7 user support. Plus, regular upgrades make our security solutions uniquely sticky. Your users will not only appreciate the extra level of security offered; they'll have fewer reasons to take their business elsewhere.