Join the event trusted by enterprise leaders for nearly two decades. VB Transform brings together the people building real enterprise AI strategy. Learn more
From passwords to passkeys to a veritable alphabet soup of other options — second-factor authentication (2FA)/one-time passwords (OTP), multi-factor authentication (MFA), single sign-on (SSO), silent network authentication (SNA) — when it comes to a preeminent or even preferred type of identity authentication, there is little consensus among businesses or customers.
What there is agreement on, however, is the necessity of these tools. The FIDO Alliance found that more than half of customers (53%) saw an increase in suspicious messages and online scams in 2024. This was largely driven through SMS, email and phone calls, and was only exacerbated by advancements in AI.
Even at a time when we continue to see staggering increases in fraud and related losses — the Federal Trade Commission received more than 1.1 million reports of identity theft last year alone — businesses must do their best to walk a tightrope between robust security and effortless convenience. Over-index on either and you risk alienating customers — too few hoops and you lose their trust, too many and you lose their patience.
So, how do businesses strike this fragile balance and implement effective authentication solutions?
The customer is always right
When it comes to authentication, what businesses decree to employees rarely translates to customers. We transitioned to WebAuthn as the only form of 2FA for employee authentication, a company-wide mandate that took a few weeks. This ‘forced adoption’ works when your employees don’t have a choice, but your customers do.
Recently, I wanted to book a hotel for my family vacation, so I went to my favorite travel site, found the perfect room at a reasonable rate, and went to finalize the transaction. One problem: I kept running into an issue with CAPTCHA on their page — once, twice. After the third attempt I left, found the same room at the same rate on their competitor’s site, and booked.
Businesses can dedicate massive budgets to top-of-funnel marketing that drive customers to their websites, products and services, but if friction in the user experience prevents conversion — authentication often as the initial touchpoint — it’s wasted investment. Forty percent of businesses say one of their most pressing challenges is finding a balance between security and customer experience, particularly reducing friction during account signup.
Customer behavior is hard to modify, particularly around the adoption of new technology. It doesn’t matter if biometrics or public-key cryptography are more secure, if it isn’t equally seamless to use, customer adoption will lag. Why do you think so many people still rely on easy-to-guess passwords (you know who you are!). The reality is you simply can’t force customer adoption — businesses that get authentication right recognize the needs and limitations of their customers, meet them where they’re comfortable and understand it can’t be one-size-fits-all.
A signal-driven future
In this fray over friction versus freedom, the future of authentication will be driven by continuous signals rather than arbitrary identity check points like logins or purchases. Think of authentication as a brake system, where businesses can depress or release the pedal to increase or decrease friction based on customer behaviors.
Let’s say I receive a promotion for 20% off new tires from my regular auto shop. If I click on the notification, I’d expect a seamless login experience — they sent me the message, I’m a long-time customer and I’m using their application from a known device. But let’s say I travel to Kansas City for work. If I open my laptop and I’m still logged into my favorite e-commerce platform, I’d expect them to log me out or require proof of identity to continue the session, as I’m in a completely different location based on previous purchase history.
Think of the ecosystem of applications — shopping, email, social media, home security, streaming services — where we log in once and rarely (if ever) log out. What happens if your device is lost or stolen or your session is hijacked? Businesses must embrace a zero-trust mindset, where authentication isn’t simply to show your identification at the door then you’re free to roam the club, but a continuous risk-based process that scales friction based on your activity.
The wrinkle here, like so many sectors right now, is AI. Earlier in my career, I built bot detection models for a startup to distinguish human behaviors from machines. We’d monitor how many clicks we’d get from the IP and user agent string and if it was more than N in a second then we’d assume it was a bot and block that traffic. But now, as we pass the reins to AI assistants and autonomous agents to make dinner reservations, set appointments or purchase movie tickets, how do you distinguish between a nefarious bot or one working on your behalf? This is the future of authentication and the bleeding-edge work enterprises in the industry continue to pioneer.
Authentication: An ‘and’ not ‘or’ proposition
Despite new authentication methods in perpetual development and an ascension of regional requirements like Singapore’s Singpass or the EU’s Digital Identity Wallet, no single tool will ever own complete market share — some customers will always prefer the simplicity of options like OTP, while others will demand the stringency of passkeys or other modern tools.
The onus will remain on businesses to provide a breadth of choices to meet customers where they are and implement strategies to keep the root of each method secure from smishing/phishing, social engineering or a plentitude of other identity-based attacks. This authentication tug-of-war between friction and freedom won’t be won by those who prioritize one or the other, but those who can walk the tightrope between both to guide their customers to seamless yet secure experiences.
Anurag Dodeja is head of product, user authentication and identity at Twilio.
