Multi-Factor Authentication For E-Commerce Makes Sense—Or Does It?

By Evan Schuman / 25 Aug 2016

Evan Schuman is a guest contributor to the Sift Science blog.


Fraud prevention has always been about striking the right compromise between convenience and security – and this is especially true in the world of e-commerce. Although multi-factor authentication will work wonderfully in banking and legal—where the end-user is just as worried about security as your CISO—in online retail, it’s dicey. People don’t typically visit an e-commerce site concerned about credit card fraud. Why make your virtual storefront more difficult to interact with than your competitors’?

I mention this because some have recommended that users activate Amazon’s two-step verification system, presumably in response to Amazon account takeover attacks such as this one.

Image: Graeme Paterson

Let me be clear: There’s not any meaningful doubt that multi-factor authentication is more secure and better than less robust methods. Its definition alone establishes that. What I’m questioning is the wisdom of putting too much of the security onus on the shopper. You are certainly within your rights to do that—and it’s also in the shopper’s long-term best interest. But doing so could increase your site’s perceived hassle factor. And that’s something you want to consider very cautiously.

Avoid unnecessary authentication

Amazon may be the exception that proves the rule here, since the master e-tailer’s product comprehensiveness gives them few direct, one-to-one competitors. In short, Amazon is an anomaly, and what it can get away with may not translate into a general e-commerce “best practice.”

The reason I push back against adding more requirements to shop at your store is that, even from a security authentication perspective, it’s simply not necessary. Your visitors already provide petabytes of data about themselves, leaving their digital fingerprints from IP addresses, their machines’ specifics, the way they click, what they look at, etc. Good security products today can easily make an extremely good determination that this person merits additional questions.

The best tactic is to only ask users for extra authentication when they seem to be truly risky. Used properly, that approach means that the overwhelming majority of your customers (98%+) can safely be left alone once they’ve been determined to be low-risk.
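
The risk-based step-up described above, sketched as an added example (not code from the article or from any Sift product). The signal names follow the article's IP address, machine and click-behaviour cues; the point values, threshold, account history and sessions are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed point values per signal; a real deployment would tune or learn these.
POINTS = {"new_device": 40, "new_country": 35, "scripted_clicks": 25}
STEP_UP_AT = 60          # assumed threshold: one anomaly alone never triggers a challenge
MAX_HUMAN_CLICKS = 120   # assumed clicks-per-minute ceiling for a human shopper


@dataclass(frozen=True)
class Session:
    account: str
    device_id: str
    ip_country: str
    clicks_per_min: int


# Constructed per-account history of devices and countries seen before.
HISTORY = {
    "alice": {"devices": {"dev-a1"}, "countries": {"US"}},
    "bob": {"devices": {"dev-b1", "dev-b2"}, "countries": {"GB"}},
}


def signals(s: Session) -> list[str]:
    """Return the names of the risk signals this session trips."""
    seen = HISTORY.get(s.account, {"devices": set(), "countries": set()})
    hits = []
    if s.device_id not in seen["devices"]:
        hits.append("new_device")
    if s.ip_country not in seen["countries"]:
        hits.append("new_country")
    if s.clicks_per_min > MAX_HUMAN_CLICKS:
        hits.append("scripted_clicks")
    return hits


def risk_score(s: Session) -> int:
    return sum(POINTS[name] for name in signals(s))


def decide(s: Session) -> str:
    """Ask for a second factor only when combined signals cross the threshold."""
    return "step_up" if risk_score(s) >= STEP_UP_AT else "allow"


def challenge_rate(sessions: list[Session]) -> float:
    """Fraction of sessions that would see extra friction under this policy."""
    return sum(decide(s) == "step_up" for s in sessions) / len(sessions)
```

Tracking `challenge_rate` over real traffic is how a merchant checks that the share of shoppers seeing friction stays as small as intended.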

With security, perception also matters

However, a concern for your business’ security isn’t the only reason you may consider introducing two-factor authentication. Sometimes, it’s all about customer perception – and extra authentication could make a shopper feel more secure. 

Just think about passwords. Truth be told, the password itself isn’t always necessary. But if the customer is willing to do a password, it could make them feel protected.

At the same time, many consumers are concerned about privacy, and they don’t want the brands they patronize to overstep. Customers don’t want to be reminded about everything you know of them. Think about in-store sales and envision your favorite experienced and talented sales associate. They’ll smile when they see you and often greet you by name. They’ll show what they think you’d like based on prior purchases, but they will never be in-your-face obvious about it.

They won’t say, “I remember that you spent $1,100 on a blue skirt a month ago and $1,600 on blue shoes a month before that. This shipment has that overpriced French stuff that you splurge on. You may very well buy it, but I doubt anyone else will.” Discretion is a wonderful thing.

Finding the right balance

For e-commerce, shoppers are willing to put up with a little bit of friction, but not more than that. So how much is “not more”? If I may brutalize a cliché, think of it as keeping up with the Joneses.com. If almost all of your rivals are demanding passwords, you’re safe to do the same. Indeed, failing to be as demanding as your rivals could fuel the perception (there’s that word again!) that you don’t care about security.

Offering optional two-factor authentication for users who care about security and want to proactively protect their accounts is one thing – but it shouldn’t need to be encouraged. As a merchant, you should focus on introducing extra hurdles only when it’s absolutely necessary. Behind-the-scenes security is the best approach.


Evan Schuman

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek, Computerworld, and eWeek.
