The concept of happy and unhappy paths is familiar to user experience (UX) professionals.
Happy paths are those steps that a digital user takes along the default or expected use of an application, without triggering error routines. They result in the expected or desired ends for the user. Unhappy paths – also called sad, bad, and exception paths – are those that aren’t happy ones. They often result in error messages or exception routines.
UX professionals must define and test for both happy and unhappy paths. Where possible, they should seek to eliminate unhappy paths, or reduce their impact on the user and get users back to the happy path as quickly and easily as possible. Doing this well makes a big difference in user’s identity experience. For your digital customer channels, success here results in increased brand loyalty, customer engagement, and revenue.
User authentication is often an “unhappy path”
UX professionals should be aware of the security fatigue that plagues many users. But they should also be aware of the impact of security on happy and unhappy paths. Identity-related tasks such as logins and privilege escalation are common causes of unhappy paths. For one thing, failed logins and forgotten passwords are common. The average American performs five password resets every month. According to Stephanie Lucas from LinkedIn, there are three common causes of unhappy paths. Through this lens, it’s easy to see why identity and authentication-related problems are such common causes of unhappy paths.
Unexpected obstacles for the user
The first cause of unhappy paths is when the user experiences some hurdle – either temporary or permanent – that prevents them from successfully using a feature. These issues often arise from incorrect assumptions about the users of a feature. For example, does an authentication system present extra challenges for those with disabilities such as dyslexia, dementia, blindness, or movement-related disorders?
Passwords, in particular, are problematic for users. They require the ability to accurately enter a series of letters, numbers, and symbols into a webpage. For the password to be secure, these characters should be random, making it difficult to remember them and to identify typos and other errors. Strong, unique passwords are difficult to use by design. They can be impossible to use for many people. When your customers fail to login with their password, what is their unhappy path? For many, that path is abandoning your app or site.
External threat to the relationship
The second cause of unhappy paths is when a third party poses a threat to a relationship. This includes relationships between users or between a business and a customer.
The potential for account takeover (ATO) attacks results in businesses deploying security features that increase the potential of unhappy paths. For example, authentication systems may require additional layers of security such as SMS one-time passwords (OTPs), out-of-wallet questions, and CAPTCHA tests. These represent designed unhappy paths.
Each of these leads to its own exceptions and required handling routes and increases the burden on the user. This friction in the user experience can also negatively impact the user’s relationship with the business and willingness to use its services.
External threat to one party
The third common cause of unhappy paths is when a third party poses a threat to one party, either the business or the customer. For user authentication systems, this usually involves the risk that a successful ATO attack will result in the customer’s data being exposed to an attacker.
Do your security measures leave your customers unprotected? Phishing and man-in-the-middle attacks are rendering password-based schemes insufficient, including those with added layers of protection like one-time passwords. When your customer accounts are breached, they are on perhaps the most unhappy path of them all: account recovery.
Making authentication a “happy path”
To avoid these unhappy paths, you must first recognize how often passwords are at the root of the problem. As described above, passwords often end up forcing a user down a sad path of failed logins, password resets, one-time passwords never received (by email or SMS), or, in the worst case, an account taken over by a bad actor. Passwords cannot be part of the solution because they are the source of the problem. The solution is to eliminate the password.
Passwordless authentication refers to a class of authentication solutions that do not require a reusable password. Consumers are increasingly aware of and prefer these options. Indeed, in its annual list of 10 breakthrough technologies, MIT Technology Review put the end of passwords first on their list, stating, “For decades, we’ve needed passwords to do things online. New forms of authentication will finally let us get rid of them for good. Instead, we’ll use a link sent via email, a push notification, or a biometric scan. Not only are these methods easier — you don’t have to remember your face — but they tend to be more secure.”
When done right, a passwordless identity service significantly reduces or entirely avoids the scenarios described above. In particular, a passwordless approach based on the FIDO (Fast Identity Online) standard works for more users with disabilities, it renders additional layers of protection obsolete, and it protects against many threats targeted directly at your customers. It’s both more secure and easier to use.
How? FIDO-based passwordless authentication directly addresses all three common causes of unhappy paths:
- Unexpected obstacles: Users experience unexpected obstacles when they forget a password or fail to enter it correctly. With FIDO-based passwordless authentication, users prove their identity using biometrics or other methods that don’t use knowledge-based factors. They use the mobile devices they carry, and their biometrics never leave their device.
- Threats to relationships: Threats to relationships arise when authentication issues cause additional friction for the user. FIDO-based authentication uses stronger authentication methods and public-key cryptography to eliminate the need for additional security features.
- Threats to one party: Customers are harmed if a security failure – such as a data breach or successful ATO attack – leads to their data being compromised. FIDO-based passwordless authentication uses stronger authentication factors to protect against ATO attacks and does not require the business to store any sensitive information. FIDO authentication is phishing proof, immune to bots and other brute force attacks, and provides assurance to both the customer and your site that each party is who they purport to be.
FIDO authentication is backed by dozens of leading brands across technology, banking, cybersecurity, and more, as well as governments. Transmit Security sits on the FIDO Alliance board, along with companies such as Apple, Microsoft, and Google, who incorporate FIDO into their devices, operating systems, and browsers. FIDO is quickly becoming ubiquitous and supports use cases across both workforce and customer authentication use cases.
To learn more about passwordless authentication, read our complete guide here.