Authentication Archives - Qvik
https://qvik.com/tag/authentication/ (feed last updated Wed, 28 Aug 2024 11:11:56 +0000)

New Consumer Protection Act clarifies personal data storage rules and changes payment method listing
https://qvik.com/news/new-consumer-protection-act-clarifies-personal-data-storage-rules-and-changes-payment-method-listing/ (Thu, 15 Jun 2023 08:31:00 +0000)

The amendments to the Consumer Protection Act entering into force in October 2023 will have an impact on e-commerce. The Consumer Protection Act safeguards the rights of consumers and makes sure that companies do business in a fair and transparent manner.

The post New Consumer Protection Act clarifies personal data storage rules and changes payment method listing appeared first on Qvik.

Amendments concerning remote sales, that is e-commerce, are coming to the Consumer Protection Act. After the amendment enters into force, when a consumer buys products online, the trader will have to present the available payment methods in a specific order in connection with concluding the contract.

This mandatory order is as follows:

  1. Payment methods not including the possibility to apply for or use credit or get other respites for payment, such as online bank payments.
  2. Payment methods that may include the possibility to apply for or use credit or get other respites for payment, such as PayPal.
  3. Payment methods that mean applying for or using credit or other respite for payment, for example, credit card payments or instalments.

Furthermore, traders will not be permitted to set any payment method as the default choice. The Act also applies to payment service providers, credit issuers and other traders.

The Act’s provisions on authentication and saving data will be clarified

The amended Consumer Protection Act will provide for the verification of a consumer’s identity and the storage of their personal data. This will come into effect in situations such as when a consumer buys products online and chooses a payment method in which payment is not made immediately in connection with the order, but later. In such cases, the trader has to verify the consumer’s identity with an authentication method meeting the requirements of the Act on Strong Electronic Identification and Electronic Trust Services or the Payment Services Act.

Furthermore, the data used to verify the consumer’s identity must be stored for five years. These data storage requirements do not apply in all cases, however. Some exceptions include the following situations:

  • the Payment Services Act applies to the payment method;
  • the contract specifies that the consumer pays the purchase price when receiving the goods;
  • the service will be provided by other means than distance communication, and the service provider offers the respite for payment on its own initiative; or
  • the transaction concerns the purchase of goods by telephone sales.

The purpose of the amendments to the Consumer Protection Act is to improve the rights of consumers and better secure their identity in remote sales. Every consumer should take a closer look at the new provisions to know their rights before making a purchase.

The Consumer Protection Act protects against unfair or deceitful commercial practices

The purpose of the Consumer Protection Act is to protect consumers and ensure that they enjoy certain basic rights when buying goods and services. Among other things, the Consumer Protection Act affords consumers the right to obtain accurate and sufficient information on products and services, the right to cancel an agreement within a certain period of time, and the right to complain if a product or service is defective or does not live up to expectations.

The Act is also intended to promote fair competition and prevent abuses by companies at the expense of consumers.

The Consumer Protection Act obliges companies to follow certain rules. According to the Act, a trader must inform consumers of the terms of a contract, comply with certain standards regarding the quality of products and services, and refrain from misleading or aggressive trading practices. The Act also specifies a maximum for credit costs.

The Consumer Protection Act was last amended in early 2023, expanding the scope of the Act to door-to-door selling. Door-to-door selling refers to concluding the sales contract somewhere else than on the trader’s premises.

Illustration: Aija Malmioja

Safe Pay certification granted for Paytrail, Walley and Maksuluotto – now also featuring a UX review
https://qvik.com/news/safe-pay-certification-granted-for-paytrail-walley-and-maksuluotto-now-also-featuring-a-ux-review/ (Wed, 22 Mar 2023 14:01:14 +0000)

We have granted the Safe Pay certification to three payment service providers this year. Paytrail, Maksuluotto and Walley are now certified as safe, secure and user-friendly payment service providers.

Online shopping is booming in the Nordics, and more and more people are spending more and more time finding the product with the best price. However, it is still difficult for customers to know whether any given payment method or payment service provider is secure. Often, customers simply have to take it on faith that the payment service providers used by the online store are reliable.

“Consumers should always be vigilant and proactive in protecting their personal and financial information when making online payments. This is not always easy, but awareness is fortunately increasing”, says Qvik’s payment specialist Mikko Vahter.

Safe Pay certification is one way to communicate security to your customers. Its primary focus is on the security of processing the consumer’s data, and the certificate tells customers that it’s safe to pay for their purchase online. This year the certification is granted for Paytrail, Maksuluotto and Walley.

This year we also focused on the user experience of the payment flow

Payment flows are not exactly known for their great user experience. Firstly, the legislation and regulations limit what can be done with payments. On top of that, even if the payment flow is good, the ever-changing field of online payments can be confusing in itself.

The payment market currently suffers from an excess of service providers with different consumer-facing payment brands. Users can feel confused by the sheer number of names and logos alone, making it hard to grasp who is actually in charge of the payment flow.

This year’s Safe Pay audit included a user experience review. We validated whether the user flow supported the chosen payment method’s feeling of security and safety.

“Secure payment methods do not rule out good user experience”, Vahter says.

“According to Qvik’s observations, most issues are related to accessibility, but luckily these are usually quite easy to fix.”

The accessibility of online payments is crucial for ensuring that everyone can make secure and convenient online payments regardless of ability. In the long run, this may also lead to increased adoption and use of online payment systems, which benefits both businesses and users.

What is Safe Pay?

When you see a Safe Pay certificate and/or the operator is listed on this site, you can be sure that your data will be processed securely and the payment service provider has taken the required measures to prevent fraud.

The Safe Pay certificate primarily focuses on the security of processes, systems and data processing. Certification answers the following questions:

  • What information is needed to make a purchase?
  • Has the customer undergone strong authentication?
  • How can customers change their authentication credentials?
  • What is the level of the vendor’s internal data security competence?
  • How is customer data processed?

For more information and consultation, don’t hesitate to contact Mikko Vahter.

Safe Pay certification has covered most of the Finnish online payments scene in one year
https://qvik.com/news/safe-pay-certification-has-covered-most-of-the-finnish-online-payments-scene-in-one-year/ (Mon, 07 Feb 2022 06:41:29 +0000)

It’s time to celebrate the Safe Pay certification’s first birthday. What has happened in a year and what are our plans for the future?

In late 2020 and early 2021, we were troubled by the fact that making purchases on the internet with a false identity was – and still is – easy.

The payment terms and delivery methods of online invoices are regulated in Finland, but the law is silent on authentication – leaving online invoice payments in a sort of legal limbo. This is also the case in other countries.

We figured we could do something about this with our years of experience in payment services consulting, design, and implementation.

In a few months, we had created a certification process that focuses on the security of processing the consumer’s data and ensures that the merchant has done everything necessary to prevent fraud.

“The Safe Pay label tells consumers at a glance whether your personal data will be processed or stored securely and if it’s safe to shop at an online store,” says our senior payments consultant Mikko Vahter who carries out the certification processes with our senior payments consultant Antti Välijärvi.

Over 25,000 merchants in the Nordics are now certified

According to a Paytrail report from 2020, invoice payments are the third most popular payment method in Finland with about 24% of Finns using them. Svea’s survey from 2021 also ranks invoices as the third most popular payment method, stating that 40% of Finns have paid for an online purchase with an invoice.

While we wait for legislation to catch up with invoice payments, the need for certification like Safe Pay remains.

“So far, we’ve found something to fix or improve in every payment service provider we’ve certified”, Vahter says. “We’ve seen that manual processes and legacy systems are often the weakest links.”

It’s often easier and faster to fix the systems than the internal processes. Whatever the individual case, the companies that have gone through the certification process have received positive feedback.

“The most common reason for companies to go through the process is to make sure their product is safe and communicate its safety clearly to consumers. It’s no wonder then that everyone has been really cooperative about making improvements.”

Next steps: expanding the scope to brick-and-mortar stores and other countries

“Safe Pay certification now covers most of the Finnish online payments scene, which is something I’m really proud of”, Vahter says. “But not all shopping happens online.”

Consumers interact with businesses through multiple channels, and face-to-face purchases are as vulnerable as online shopping. In 2022, Safe Pay certification will widen its scope to brick-and-mortar, so that we can certify our customers’ invoice payment processes over all channels.

“In click & collect, for example, you order the item online and collect it from a store”, Vahter says. “We will test this by ordering something and going to the actual stores as part of the certification process.”

Earlier this year, Walley was the first payment provider to get Safe Pay certified in Sweden. Since the problems are similar in many countries, Vahter and Välijärvi are also looking into the possibility of expanding the certification process to other countries as well.

Introducing Safe Pay: The World’s First Consumer Invoice Payment Security Certificate
https://qvik.com/news/introducing-safe-pay-the-worlds-first-consumer-invoice-payment-security-certificate/ (Tue, 09 Feb 2021 06:33:11 +0000)

Making purchases on the internet with a false identity is currently easy, since online invoice payments are not regulated by law. Qvik seeks to address this with the launch of a new certificate that improves the security of online purchases. Safe Pay is the first security certificate for consumer invoice payments in the world.

The personal data breach committed against the Vastaamo psychotherapy center has highlighted the ambiguity of current legislation and requirements on online payments. What’s more, not all payments made on the internet, including payments by invoice, are even covered by the legislation.

Tech company Qvik has developed a solution for the security issue: Safe Pay, the world’s first security certificate for B2C invoice payments.

Invoices are a popular payment method in Finland: according to payment service provider Paytrail, no less than 36 percent of Finnish consumers preferred to pay for their online shopping by invoice in 2019.

In invoice payments, the law of the jungle rules

According to data security expert Petteri Järvinen, online invoice payments have been governed by the law of the jungle until now.

“We’ve ended up where we are now because, by law, the vendor is not required to verify the identity of a customer making a purchase by invoice. Online traders seek to minimize verifications to make buying as easy as possible for the customer.”

According to Järvinen, there is no legislation on invoice payments because the risks only applied to the merchant before e-commerce became commonplace.

“The premise for the law was that identifying the customer was up to the merchant. With the triumph of e-commerce, however, the world has changed, abuses are common, and the situation has gotten out of hand”, says Järvinen.

“You can’t see the buyer on the internet, and verifying the identity of consumers paying by invoice is a challenge. Even the EU’s PSD2 payment service directive does not apply to invoice payments.”

Certification looks at security from multiple angles

The Safe Pay certificate focuses on the security of processing the consumer’s data. Qvik performs the certification and grants the certificate to the invoicing service after examining the applying company’s data processing practices and the security of its systems and processes.

“We developed the Safe Pay certificate to improve consumers’ awareness of the security of payment by invoice, and to showcase reliable invoice payment service providers. Consumers can identify Safe Pay certified companies from the logo that companies can display in their online stores. Certified companies are also listed on the Safe Pay by Qvik site”, says our Consulting Director, Sami Vellonen.

The certification process ensures that the certified company has addressed the following questions to our satisfaction:

  • What information is needed to make a purchase?
  • Has the customer undergone strong authentication?
  • How can customers change their authentication credentials?
  • What is the level of the vendor’s internal data security competence?
  • How is customer data processed?

First certificate issued to Collector Bank

The Safe Pay by Qvik certificate is valid for one year. It must be renewed if significant changes are made to the system or processes. Collector Bank was the first company to obtain the certificate on January 18.

“We are very positive about the initiative for a certification. It is a good way to inform consumers about which payment services follow best practices in these matters. We are proud that Collector is the first player to be certified by Qvik”, says Philip Winberg, Product Manager for Collector Checkout.

Qvik is qualified to issue the certificates due to the tech company’s years of experience in payment service consulting, design and implementation.

“Certificates come in many shapes and sizes. For example, the contents of the well-known ISO certificates are specified by an international organization, but the certification process is always performed by a private company. This kind of certificate for ensuring the security of invoice payments is a fantastic development for consumers. It’s great that Finland is the first country in the world to introduce something like this”, Järvinen concludes.

Illustration: Jukka Forsten

Invoice payments are the Wild West of online commerce. Here’s a checklist for responsible merchants.
https://qvik.com/news/invoice-payments-are-the-wild-west-of-online-commerce-heres-a-checklist-for-responsible-merchants/ (Tue, 10 Nov 2020 09:52:54 +0000)

There’s no danger in paying for your own online shopping by invoice, but some online stores make it easy for others to do it with your identity as well. The reasons include legal loopholes, ignorance and the vendor’s wish to offer a convenient purchase experience.

In Finland, invoices are not an official payment method in the vein of credit cards or online bank transfers, so they exist in a type of legal limbo. The payment terms and delivery methods of invoices are regulated, but the law is silent on authentication.

This is a problem because we have no single convenient strong authentication method available in Finland. If strong authentication is not specifically required by law, it can be tempting to go light on the verifications and make shopping as easy as possible for the customer.

There are two principal mistakes payment service providers can make in customer authentication:

  • Weak information security.
  • Making it unnecessarily difficult to actually buy something.

You could avoid both, though: there are many ways to combine safe authentication with ease of use.

Qvik recently held a webinar in Finnish whose title could be roughly translated as Risks and opportunities of invoicing: Concerns raised by a serious data breach. In the webinar, payment service providers gave some pointers on customer authentication and data processing. The panel included Juuso Paulasuo from Collector, Benny Öhman from Svea, Katja Kopra-Kullas from OP Lasku, Juho Putkonen from Fellow Finance and Henri Komu from Arvato, along with independent data security expert Petteri Järvinen.

Making a deal with a stolen identity is easy

The number of data breaches reported to the police has nearly doubled over the past few years. Hundreds of identity thefts are reported every month. The Vastaamo data breach is not showing in the figures yet, but it could cause a delayed spike in cases.

Misuse of personal data in online stores is also on the rise. Our panelist Juho Putkonen recently demonstrated just how easy it can be by ordering products online with his friends’ details. He did have permission, though.

“I made two purchases with false identities and didn’t even need to use personal identity codes. You could buy the stuff with information publicly available on the internet”, Putkonen says. “It was damn easy.”

One of the purchases was a box of Fazer chocolates, which Putkonen shared with the other speakers.

But real-life fraud can be a nightmare for the victim. The situation is especially difficult if the victim only learns of the misuse after the invoice has already been sent to the debt collectors.

Who’s responsible if the law is silent?

Depending on the contract, either the merchant or payment service provider will bear the losses for a purchase made with a false identity. Some merchants choose weak or barely adequate authentication methods that make buying easy but increase the risk of fraud. In such cases, the parties usually agree that the merchant will shoulder the financial risks.

“As long as skipping strong authentication is not illegal, some merchants will continue to do so”, Öhman says.

“On the other hand, there are many well-informed vendors out there who are also thinking about the damage poor data security can do to their reputations”, Komu points out.

The panel discussed whether strong authentication could be a confidence-building experience for consumers too. They believe that the Vastaamo data breach will have an impact on public awareness of the safety of online shopping.

“Could e-commerce operators create a certificate that would increase consumer confidence by showing that purchasing is subject to certain security standards and requires strong authentication?”, Järvinen suggested.

It remains to be seen whether the market will improve the data security of invoice payments on its own, or whether legislation will be required to address the issue.

Checklist for responsible e-traders

Even many big players are slacking on customer authentication at the moment. If you want to make data breaches, fraud or identity theft harder to commit in your online store, answer at least these questions about your operations:

1. What information is needed to make a purchase in your online store?

The store’s data security is weak if purchases can be made with information that is easily available or easy to guess. These include the customer’s name, address, postal code, email address, telephone number and date of birth.

2. Has the customer passed strong authentication at any point?

Simply requiring strong customer authentication in connection with the first purchase improves data security considerably.

3. How can customers change their authentication credentials?

It’s important to identify the customer when they change essential information. Customers who try to change information like their telephone number or contact details should undergo strong customer authentication.

4. What is the level of your in-house data security competence?

Data breaches often involve negligence, indifference or human error. Train your people to the required level and keep your online store’s certificates up to date.

Customer service also plays an essential role in data security. Provide your staff with clear up-to-date guidelines on critical issues, such as what customers are allowed to do through customer service, what information they can change, and which details can be given over the telephone.

5. How are you processing data? Hint: GDPR.

The General Data Protection Regulation provides a clear description of data processing requirements. Check the requirements for storing and processing data. Among other things, the GDPR requires companies to appoint a Data Protection Officer or DPO.

Following the GDPR’s guidelines ensures that your processes are in order and best practices are used to protect data.

Easy authentication is more important than ever. Get it right with these tips.
https://qvik.com/news/easy-authentication-is-more-important-than-ever-get-it-right-with-these-tips/ (Tue, 20 Oct 2020 04:12:14 +0000)

You should arrange your service’s registration and login so that it will not hurt conversion or piss your users off. Pretty obvious, isn’t it? But we’re still saddled with user interface issues.

We all have our passions. Over the years, I’ve had the privilege of contributing to several projects that have taken the convenience of authentication seriously. As a result, I have started making noise on the subject whenever I can.

I have had the pleasure of collaborating on several projects that have taken easy authentication seriously.

This autumn, I have said my piece on Qvik’s blog. This authentication blog series is based on my presentation at Alma Talent’s Tivi tunnistautuminen 2020 authentication event.

I can’t stress this stuff enough, so here’s a recap of what we’ve been writing about this autumn.

If your service requires logging in, these should be helpful for you.

1. Authentication plays a role in three business-critical phases. That’s why it matters.

Any service will benefit from well planned and executed onboarding, returning user experience and effortless payments. Authentication is something that each and every user will have to go through. But it still doesn’t receive anywhere near the amount of attention it should.

2. The easiest login is no login at all. Use cookies, but don’t be creepy.

Cookies can be handy, as long as they’re not creepy. You would be surprised how accurately various cookies can identify users, letting you personalize their views without requiring a login. But beware: Users can creep out when a service identifies them before they have logged in.

3. Everyone hates passwords. Here’s how to get rid of them.

There are many ways of user authentication that are simply better than passwords. Some of them work by themselves, others as part of a larger solution. Many of these alternatives are more labor-intensive to implement than passwords, yet more convenient for the user.

4. How to make strong customer authentication as tolerable as possible.

Strong authentication used to be bad on desktop browsers, and then it got even worse on mobile. The situation has now improved a little, but it’s still nowhere near as easy as it should be.

As you can see, even if your service is not yet top notch, there’s much you can do about that. And as you might have guessed, I’m more than willing to talk about this further. So if you need help, you know who to contact!

Illustration: Aija Malmioja

How to make strong customer authentication as tolerable as possible
https://qvik.com/news/how-to-make-strong-customer-authentication-as-tolerable-as-possible/ (Mon, 28 Sep 2020 04:25:57 +0000)

I hate strong authentication. It used to be bad on desktop browsers, and then it got even worse on mobile. The situation has now improved a little, but it’s still nowhere near as easy as it should be.

As you might have noticed, authentication weighs heavy on my heart. Previously in the series, I’ve written about how authentication plays a role in three business-critical phases but is often neglected, how the best login is no login at all, and how to avoid using passwords. Now it’s high time to talk about strong customer authentication.

In the payments context the acronym is SCA (strong customer authentication), if you want to research the topic. For authentication in other contexts, the relevant framework is eIDAS and its assurance level "substantial".

These are some of the things that are going on right now:
  • eIDAS + trust network (Luottamusverkosto):
    Authentication prices have gone down, and integration has become easier for service providers.
  • New digital authentication applications offered by banks:
    Authentication is more convenient than with the old paper code lists.
  • The second coming of the mobile certificate:
    Application-based mobile certificates will be easier to adopt.
  • PSD2 increases the need for streamlined strong authentication.

On one hand, we’ve gotten used to the clumsy 3DS implementation over the years. On the other, if you do this well and provide your customers with a streamlined payment experience, this will give you the chance to stand out.

There is a good pattern and a bad pattern; the choice is yours

What can service providers do to make their customers’ lives easier? Not much, but still something:

  • Minimize the need for strong authentication
  • Ask for as much information as you can in one sitting

Terveystalo’s application is an example of a smart implementation. You go through strong authentication when you first use the app. After that, you can access your personal health data on the same device with fingerprint authentication.

Terveystalo only does strong authentication once.

You often come across different implementations as well. For example, Lähitapiola’s Elämänturva insurance app is pretty as a picture. But the moment you try to do anything, it throws you out of the app to go authenticate yourself again in the browser.

If you look at the app store ratings, you can see that I’m not the only one who doesn’t enjoy that. Nobody does things like that just out of spite though – there must be some kind of technical reasons for it, but the experience is bad.

Elämänturva cuts your path short.

You can also do a lot to spare users the trouble of authentication in connection with payment. This would really be an article unto its own, but you can get started by checking out Stripe. Or Adyen.

You can make the payment experience smoother by taking advantage of the exceptions in the PSD2 Directive. Image: Adyen.

Gleaning information in the background

Let me give an example of gleaning more information from users during strong authentication, using the following fictional online store. The user wants to pay in installments and performs strong authentication. At the same time, the store runs a credit rating check and finds out the user’s address in the background. After this, the order is only one click away.

A sample online store implemented by Qvik and Signicat. It retrieves the user’s address information in connection with the authentication required for making a loan decision.

Various authentication service providers will probably start offering ever more diverse add-on services to service providers: the business value of authentication alone will fade with tightening regulation and competition. You could imagine this will be an improvement for the user too, since a broader offering tends to mean a better user experience.

What would convenient strong authentication look like?

The implementations of banks vary. The following image presents the different stages of the process and the requirements for success in each one.

Every step on the authentication path can be made easier or harder.

First, the user needs to tell the online service who they are, one way or another. You could do this like the banking apps, with a secret user ID that you have to memorize. In the trickiest implementation, you will also need a separate password. The mobile certificate uses your phone number, which is easy to remember, but also known to others, who can then send you authentication requests for phishing purposes. That is why there is an optional security code, but it is a difficult concept for the very people who would benefit from it.

The next phase will be switching over to the authentication app. If you are operating solely on mobile, it would be best to redirect the user automatically to the right application. And if the user will authenticate themselves on a computer, it would be nice to send an authentication request notification to their phone, so that they will not have to dig up and open the authentication app themselves.

All this is followed by the actual authentication phase. Many questions arise.

  • Can you use biometric authentication, or will you need to enter a PIN?
  • How many more needless screens will you need to sit through?
  • Can the service link you back to the original application, or will you have to do the app switch manually?

Case Nordea – bank authentication done well

Nordea offers a pretty streamlined solution to strong authentication. There’s really only one superfluous step that makes you wonder before you hop into the authentication app. And you can’t get your browser to remember your user ID even if you’d like to. This is where the automatic app switch to the authentication app works; in some situations you still need to do it manually.

Nordea also lets you use biometric authentication inside the app – if you manage to find where to enable it. The positive application store feedback is a good indicator that the process is rather painless. If you take a look at other banks’ code apps and count the steps in the authentication process, you can see that the more steps included, the worse the application ratings tend to be.

Nordea has also been rolling out the new mobile-optimised payment flow since summer 2020. I have not encountered the old desktop site anywhere in a while now. One place where you can easily try it out is the Finnish Red Cross. If you ever wanted a good reason to donate money, here you have it!

The new payment flow is nicely mobile-optimised but for some reason it still asks you to authenticate twice. First you authenticate to get into your account and then again to confirm the payment, with several manual app-switches required. What is more, you can’t use biometrics when confirming the payment but need to key in your PIN code instead. I still find it confusing and complicated.

The mobile certificate is getting more popular

Traditional mobile certificates are doing quite well in the race against the banks.
The authentication method provided by telcos is based on an application hiding on your SIM card, and every phone manufacturer shows the required dialogs in its own way. The upside of this is that the technology lets the transactions open right in context, so you won’t need to switch between apps.

But the fourth step in the implementation, asking you which information to pass on to the service providers, sticks out like a sore thumb. If Nordea doesn’t need that either, I don’t think it merits an entire step in the process.

The first-generation mobile certificate does quite well in comparison to the solutions offered by banks.

According to Ficom’s statistics, the mobile certificate doubled its user base during 2019, with over 7 million authentications done with the certificate. Precise user counts have not been published, but I have heard estimates that there are hundreds of thousands of users – possibly even half a million.

Mobile certificate usage doubled last year.

In many services, the mobile certificate is the third-most popular authentication method after the largest banks. The principal reason for this is thought to be the method’s broad support. The authentication method is accepted by practically everyone except the banks.

That’s actually pretty much what the forecasts for the mobile certificate’s success are based on. The pricing model for the upcoming second generation has not been disclosed by telcos. If you will still have to pay for strong authentication like in the current version, without even getting rid of your bank’s authentication solution, how many consumers will want to pay just for logging into other services more conveniently? Hard to tell at this point.

Telcos have publicly stated that the app-based 2nd generation of mobile certificate would be launched in 2020 but since there has not been any news recently, I would not be surprised if it was postponed to 2021.

Go, West!

This is a good time to cast our eye to the west and ask the age-old question: “What about Sweden?” Well, Sweden uses the banks’ shared mobile wallet Swish and joint authentication solution BankID.

This is how convenient it is to make a payment and authenticate yourself with this combination: You just show your face to Face ID in between and linking between apps is handled automatically.

That’s how they do it next door.

In Norway, Vipps does pretty much the same thing. You can use it for authentication as well as payment. It also transmits your name, email, phone number and delivery address to the merchant, avoiding the need to register with every single one.

Illustration: Aija Malmioja

Everyone hates passwords. Here’s how to get rid of them.
https://qvik.com/news/everyone-hates-passwords-heres-how-to-get-rid-of-them/ (Thu, 10 Sep 2020)
There are many ways of user authentication that are simply better than passwords. Some of them work by themselves, others as part of a larger solution. Many of these alternatives are more labor-intensive to implement than passwords, yet more convenient for the user.

In our previous authentication articles, we wrote how authentication plays a role in three business-critical phases but is often neglected, and how the best login is no login at all – you can use cookies without being creepy. Now we dive deeper into the complex world of passwords.

A smooth login is one of the cornerstones of a successful digital service, but many services still trip themselves up before the race has even started. Using passwords is one way to ruin the login experience for the customer.

This article focuses on the alternatives you have.

3 alternatives for P4ssWord5

The alternatives to passwords are many. In this article, I will walk you through the pros and cons of the most common ones. Many of these alternatives don’t enable strong authentication, but we will talk about that in more detail in our next authentication article.

1. One-time password via SMS

Texting a one-time password, or OTP, to the user is a common solution. It’s not very secure, to be honest, but good enough for most innocuous services. A good implementation minimizes two things:

  • the trouble of entering the user’s phone number
  • the trouble of entering the code from the text message

On Android, it looks like this: you can choose your phone number from a menu listing the numbers found by the application. Unfortunately, it’s not a hundred percent reliable, and you still have to enter your number manually every now and then.

A properly configured server can read the code from the text message and transfer it directly to the application, saving the user the trouble of memorizing the code or flicking back and forth in the message app.

This is the most convenient login experience you can achieve with one-time passwords on Android. It may look complicated, but all you actually have to do is check that your phone number is correct and wait a few moments.

If you can’t configure the server end to read the code automatically for some reason, you can still make the user’s life easier by formatting the text message right. If the message is correctly formatted and the user is using Google Messages as their SMS app, a Copy button for easy copying of the OTP will be added automatically to the notification.

It can still go wrong if your own app’s code field has been custom-designed in a way that doesn’t support pasting codes from the clipboard. This could be the case if the UI has only been specified as images, without proper designer-developer collaboration.

The trouble is that Messages is choosy about how you format the message, and a working syntax apparently hasn’t been documented anywhere.

With iOS, the options are a bit more limited. You can’t ask the system to give the phone number but, if you configure the text field right, the iOS 13 keyboard can offer a single-tap shortcut for phone numbers.

Easy phone number input and retrieving OTPs from messages almost automatically on iOS. Example from Lyft app.

I’m sure there are many applications that do it well on both platforms. My go-to example of a good implementation has traditionally been Lyft.
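The article describes the user-facing side of SMS one-time passwords; the server side has to get a few things right too. The following is an added example written for this section, not code from the article or from any app it names: it issues a short-lived, single-use numeric code, stores only a hash of it, caps wrong guesses, and lays the message out in the Android SMS Retriever API format (a leading "<#>" and a trailing 11-character app hash) so the app can pick the code up without the user touching the message. APP_HASH is a placeholder, the phone numbers are constructed, and the dict store stands in for a database.

```python
"""Server-side one-time-password (OTP) issuance and verification for an SMS login.

Added example, not code from the article: it shows what the server end of an
SMS login has to get right. The message layout (a leading "<#>" and a trailing
11-character app hash) follows the Android SMS Retriever API format so the app
can pick the code up without the user touching the message; APP_HASH is a
placeholder, not a real value, and the dict store stands in for a database.
"""
import hashlib
import hmac
import re
import secrets
import time
from typing import Dict, Optional

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300      # a code is good for five minutes
MAX_ATTEMPTS = 5           # after this many wrong guesses the code is burned
APP_HASH = "XXXXXXXXXXX"   # placeholder: the real hash is derived from the app's package name and signing certificate

# phone number -> {"digest", "expires", "attempts"}; never store the code itself
_pending: Dict[str, dict] = {}


def _digest(phone: str, code: str) -> str:
    # Hash the code together with the number it was issued to.
    return hashlib.sha256(f"{phone}:{code}".encode()).hexdigest()


def format_sms(code: str) -> str:
    """Lay the message out so the Android SMS Retriever API can hand the code to the app."""
    body = f"<#> Your login code is {code}\n{APP_HASH}"
    if len(body.encode("utf-8")) > 140:
        raise ValueError("SMS Retriever messages must fit in 140 bytes")
    return body


def issue_otp(phone: str, now: Optional[float] = None) -> str:
    """Create a fresh code for `phone` (replacing any earlier one) and return the SMS text."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"   # CSPRNG, zero-padded
    _pending[phone] = {"digest": _digest(phone, code), "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    return format_sms(code)


def verify_otp(phone: str, submitted: str, now: Optional[float] = None) -> bool:
    """True exactly once for the right code; the code dies on expiry or after MAX_ATTEMPTS."""
    now = time.time() if now is None else now
    entry = _pending.get(phone)
    if entry is None:
        return False
    if now > entry["expires"]:
        del _pending[phone]
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del _pending[phone]
        return False
    if hmac.compare_digest(entry["digest"], _digest(phone, submitted)):
        del _pending[phone]    # single use: a replayed code fails
        return True
    return False


def extract_code(sms: str) -> Optional[str]:
    """The app side: pull the digit run out of the retrieved message."""
    match = re.search(rf"\b(\d{{{OTP_DIGITS}}})\b", sms)
    return match.group(1) if match else None


if __name__ == "__main__":
    text = issue_otp("+358401234567")   # constructed number
    code = extract_code(text)
    print(text)
    print("verified:", verify_otp("+358401234567", code))
    print("replay:", verify_otp("+358401234567", code))
```

The example does not try to reproduce the Google Messages Copy-button formatting, since the article notes that syntax is undocumented; it only covers the SMS Retriever layout, which is published.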

2. Case Tallink and the smart text field

Tallink used to have an awkward login process. Users had to come up with a separate username, which couldn’t be an email address. On top of that, if you forgot your password, the system always created a new one that you never learned and rarely bothered changing. As a result, “I Forgot My Password” was one of the most visited pages on the site.

When we set out to build a new solution, the product owner gave us a simple briefing:

“Whatever you do, get rid of usernames and passwords”, he said.
“I’m gonna make it happen”, said I.

The result was a smart text field in which you could write anything at all you happen to know about yourself. Telephone number, email address, loyalty card number – it’s all good. The system then does its best to identify you with that information, asks further questions if necessary and finally sends you a login link by email or SMS.

The text field changes according to what you write in it.

This solution will theoretically work with any service that doesn’t require strong authentication.

I have been given leave to present the results: After launch, traffic at “I Forgot My Password” stopped cold.

“I Forgot My Password” visits before and after launch of the new login service.
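The smart text field above is described in outline only. Here is an added example, written for this section and not Tallink’s or Qvik’s code, of the server logic behind such a field: it classifies whatever the user typed, looks up the matching account, asks for more when the input is unknown or ambiguous, and chooses the channel for the login link. The account table, the 9-digit loyalty-card format and the +358 phone normalisation are assumptions made for the example.

```python
"""A 'smart' login field: the user types whatever they know about themselves
(phone number, e-mail address, loyalty card number) and the server works out
what it is, which account it belongs to, and where to send a login link.

Added example written to illustrate the section above; it is not Tallink's or
Qvik's code. The account table, the loyalty-card format (a constructed 9-digit
number) and the +358 phone normalisation are assumptions made for the example.
"""
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
LOYALTY_RE = re.compile(r"^\d{9}$")                 # constructed card-number format
PHONE_RE = re.compile(r"^\+?[\d\s\-()]{6,20}$")

# Constructed sample accounts (one deliberately shares an e-mail address).
ACCOUNTS: List[Dict[str, str]] = [
    {"uid": "u1", "email": "anna@example.com", "phone": "+358401234567", "card": "123456789"},
    {"uid": "u2", "email": "ben@example.com",  "phone": "+358409876543", "card": "987654321"},
    {"uid": "u3", "email": "anna@example.com", "phone": "+358400000000", "card": "111111111"},
]


@dataclass
class LoginPlan:
    status: str                     # "send", "ask_more" or "not_found"
    channel: Optional[str] = None   # "sms" or "email"
    address: Optional[str] = None   # where the link goes; the UI should only show it masked
    token: Optional[str] = None     # single-use link token; persist a hash of it server-side


def classify(raw: str) -> Tuple[str, str]:
    """Return (kind, normalised value) for what the user typed."""
    value = raw.strip()
    if EMAIL_RE.match(value):
        return "email", value.lower()
    if LOYALTY_RE.match(value):      # checked before phone: a bare 9-digit run is a card here (assumption)
        return "card", value
    if PHONE_RE.match(value):
        digits = re.sub(r"[^\d+]", "", value)
        if digits.startswith("0"):   # local Finnish format -> E.164 (assumption)
            digits = "+358" + digits[1:]
        return "phone", digits
    return "unknown", value


def plan_login(raw: str, accounts: List[Dict[str, str]] = ACCOUNTS) -> LoginPlan:
    """Decide what to do with one smart-field submission."""
    kind, value = classify(raw)
    if kind == "unknown":
        return LoginPlan("ask_more")
    matches = [a for a in accounts if a[kind] == value]
    if not matches:
        # The UI shows the same "check your inbox" text either way, so the field
        # does not confirm whether an identifier is registered.
        return LoginPlan("not_found")
    if len(matches) > 1:
        return LoginPlan("ask_more")   # ambiguous: ask for another fact, e.g. the card number
    acct = matches[0]
    token = secrets.token_urlsafe(32)
    if kind == "phone":
        return LoginPlan("send", "sms", acct["phone"], token)
    return LoginPlan("send", "email", acct["email"], token)
```

The link is sent to the address on file for the matched account, not to whatever was typed, so entering someone else’s card number only delivers a link to that person.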

3. Third-party login services

Facebook login has been a popular alternative for passwords for a decade now. Such third-party login services are usually referred to as “social login”, even if the service is not an actual social network. LinkedIn and Twitter also provide similar third-party login options.

These services benefit both users and service providers:

User

  • Less information to enter
  • No need to think up usernames and passwords
  • No separate password confirmation required
  • Other information is transferred at the same time (e.g. profile picture)

Service provider

  • Improved conversion
  • Fewer fake users
  • Richer data

The downsides are obvious. Data management is obscure, and users may end up telling more about themselves than they would like. A nagging sense of uncertainty also has a price. Login services are often integrated in a difficult way that requires the user to remember which service they originally registered with when coming back to the service later on.

Google is a natural choice for Android users

Google’s proprietary login service Google Sign-in has been available for quite some time and is a natural choice for Android users. Users are already logged into their Google accounts on their phones in any case, so there is no unnecessary hassle involved. Off the top of my head, I’d also say that Google has a slightly better reputation in the field of data protection than Facebook.

The situation has been less clear cut on the iOS side until recently.

Sign in with Apple

Apple has better cause to be jealous now: it finally launched its own login solution, Sign in with Apple, last year. There are two things you should know about it:

  • You have to support it if you want to use another third-party login service (the transition period ended on June 30).
  • It lets users use fake email addresses. The service provider can trust the address to work, but there is no way for the user to know which of their addresses was given to the service, so it can’t be used to identify the user in other channels.

Because of the latter point, if you want to support, say, Facebook login in your iOS app, you need to build Sign in with Apple support into all of your other channels as well because you can’t identify users with their email address.

Sign in with Apple gives minimal information to the service provider. It provides the name, a possibly made-up email address and a unique identifier. Nor does it transmit the user’s address information the way Apple Pay does.

Sign in with Apple enables fingerprint and facial identification. Source: Macstories.

That’s the upside, support for biometric authentication. For some reason, Google has not decided to introduce anything similar for the Google Sign-in service on a large scale, even though it’s pretty handy in other respects.
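The practical consequence drawn above, that a Sign in with Apple user cannot be recognised by email across channels, comes down to how accounts are keyed. The following is an added example, not Apple’s, Google’s or Qvik’s code: it links a federated login to an internal account by the provider’s subject identifier and only merges on email when the provider vouches for it and it is not a relay address. The issuer strings and the relay domain are the published Apple and Google values; the claim dicts and the user table are constructed sample data.

```python
"""Linking a federated login to an internal account without trusting the e-mail.

Added example, not Apple's, Google's or Qvik's code. The stable key is the
provider's (iss, sub) pair; e-mail is used to merge accounts only when it is
verified and not an Apple private-relay address. Issuer strings and the relay
domain are Apple's and Google's published values; the claims and the user
table are constructed sample data.
"""
from typing import Dict, Optional

APPLE_ISS = "https://appleid.apple.com"
GOOGLE_ISS = "https://accounts.google.com"
APPLE_RELAY_DOMAIN = "privaterelay.appleid.com"

# Constructed user store: internal uid -> e-mail on file plus linked provider identities.
USERS: Dict[str, Dict] = {
    "u42": {"email": "anna@example.com", "identities": {(GOOGLE_ISS, "g-1001")}},
}


def is_relay_email(email: Optional[str]) -> bool:
    """True for Apple's per-service forwarding addresses."""
    return bool(email) and email.split("@")[-1].lower() == APPLE_RELAY_DOMAIN


def resolve_user(claims: Dict, users: Dict[str, Dict] = USERS) -> str:
    """Map already-verified ID-token claims (iss, sub, email, email_verified) to an internal uid.

    Precedence:
      1. an identity seen before            -> that account;
      2. a verified, non-relay e-mail match -> link the identity to that account;
      3. otherwise                          -> a new account keyed by (iss, sub).
    A relay address never merges: the same person gets a different one per
    service, and matching on it would link the wrong account.
    """
    ident = (claims["iss"], claims["sub"])
    for uid, rec in users.items():
        if ident in rec["identities"]:
            return uid

    email = (claims.get("email") or "").lower() or None
    # Apple sends email_verified as the string "true"; Google as a boolean.
    email_ok = bool(email) and claims.get("email_verified") in (True, "true") and not is_relay_email(email)
    if email_ok:
        for uid, rec in users.items():
            if rec["email"] == email:
                rec["identities"].add(ident)
                return uid

    uid = f"u{len(users) + 1000}"
    users[uid] = {"email": email if email_ok else None, "identities": {ident}}
    return uid
```

This is why the article’s advice holds: once Sign in with Apple is one of the identities, every other channel has to accept the same (iss, sub) pair, because the email on file may be a relay address or missing altogether.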

4. Last but not least: Finnish alternatives for passwords

Our local authentication services merit a chapter unto themselves. The next contender could emerge from telephone operators, who have announced that they are working on the next generation of mobile certificates, or Mobiilivarmenne.

While the previous version lurked inside your phone’s SIM card and thus required a special activation process, the new version will be application-based. It would be a pretty safe bet to assume that it will work like the authentication apps offered by banks.

In addition to strong authentication, available even now, the mobile certificate will also offer a new lower level of security competing directly with the authentication solutions of Facebook, Google and Apple, as well as the Finnish indie solution SisuID.

Even though the mobile certificate lacks iOS-level integration, the operators have a strong market position. It’s thus easy to see success for this alternative in the future, as long as it’s done and priced right.

Whoa, you made it this far! Hopefully this convinced you to give up passwords and choose a better solution for your service’s login. As you noticed, this article focused on services that don’t require strong authentication. In the next one, I will delve deeper into the various options for implementing it, including the use of mobile certificates.

Illustration: Aija Malmioja

The easiest login is no login at all. Use cookies, but don’t be creepy.
https://qvik.com/news/the-easiest-login-is-no-login-at-all-use-cookies-but-dont-be-creepy/ (Tue, 01 Sep 2020)
Does your service really need logging in? You can go pretty far without it.

In our previous authentication article, we wrote how authentication plays a role in three business-critical phases but is often neglected. Now we finally get to dive deeper into the details.

First things first: cookies can be handy, as long as they’re not creepy.

You would be surprised how accurately various cookies can identify users, letting you personalize their views without requiring a login. But beware: users can get creeped out when a service identifies them before they have logged in. If they think you don’t know who they are, you can come across as sleazy if you get too familiar with your personalization.

Technology may let you personalize your service for identified but logged-out users, but too much personalization can freak people out.

Here’s an example from the travel industry. Many services always show the same front page aimed at unidentified customers who have not booked a trip yet, even though it would be much more likely that I’d be interested in buying ancillary services for my upcoming trip instead of booking a new one.

For logged-in customers it is clear you should personalise the front page. The situation gets more complicated if our cookies tell us where the customer is headed even though they have not logged into the service. In that situation, it could feel intrusive to offer excessively tailored add-on sales to the customer.

Trivago uses a cookie to show logged-out users a list of their prior searches.

When you have a customer that you know would benefit from logging in, drawing attention to the login function and telling the customer that their trip will be easy to manage after they log in is one solution to this quandary.

Luring the user to log in

Here’s how Danske Bank does it. The content shown on their front page depends on whether the user has been identified or not. Identified users are greeted with the login page to encourage logging in, and the content appears different from that shown to unidentified users.

Danske personalizes its content for logged-out but identified users.

The key to personalized content is knowing your user. If they are already using Apple Pay, no point advertising that any more. Or if they’ve got their ASP loan, it would be strange to keep pushing it.
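The sections above treat “identified” and “logged in” as two different states. Here is an added example, not code from the article or from any service it names, of how to keep them apart in the cookie jar: a signed recognition cookie carries only display-level facts (a first name, the month of the next trip) so the front page can greet the visitor and nudge them to log in, while the login session stays a separate cookie that this one can never substitute for. The cookie name, the allowed fields, the key and the sample facts are constructed for the example.

```python
"""A 'recognition' cookie that is separate from the login session.

Added example, not code from the article or from any of the services it names.
It remembers enough about a logged-out visitor to greet them and personalise
the front page, but the cookie carries no session id or account key, so it can
never stand in for a login. The cookie name, allowed fields, key and sample
facts are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SERVER_KEY = b"constructed-example-key-rotate-in-production"   # placeholder secret
COOKIE_NAME = "recognized"
MAX_AGE = 90 * 24 * 3600   # 90 days: long-lived precisely because it grants nothing

# Only low-risk, display-level facts are ever written into the cookie.
ALLOWED_FIELDS = {"first_name", "next_trip_month"}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_recognition_cookie(facts: dict, now: Optional[float] = None) -> str:
    """Keep the allowed facts, add an expiry, and sign the payload with HMAC-SHA256."""
    now = time.time() if now is None else now
    payload = {k: v for k, v in facts.items() if k in ALLOWED_FIELDS}   # drops e.g. session_id
    payload["exp"] = int(now + MAX_AGE)
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def read_recognition_cookie(cookie: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the facts if the signature and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        body, sig = cookie.split(".", 1)
    except ValueError:
        return None
    expected = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(_unb64(body))
    if payload.get("exp", 0) < now:
        return None
    payload.pop("exp")
    return payload


def front_page_variant(cookie: Optional[str], logged_in: bool, now: Optional[float] = None) -> str:
    """Pick the front page. Recognition only changes the greeting and the login
    prompt; anything that exposes account data requires the real session."""
    if logged_in:
        return "personal_dashboard"
    facts = read_recognition_cookie(cookie, now) if cookie else None
    if facts and facts.get("next_trip_month"):
        return "login_prompt_with_trip_teaser"   # "Log in to manage your trip in <month>"
    if facts:
        return "login_prompt_greeting"
    return "anonymous"
```

Because the payload is signed but not encrypted, nothing goes into it that the visitor should not be able to read on their own device, which is also why a booking reference or account id does not belong there.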

Deferred deep linking reduces friction between the web and apps

If the user has already logged in through one channel, it is only fair to log them in through the next one too. Back in the day, we tried to sell Tallink the idea of making a mobile app to go with their website.

The product owner was worried about the friction caused by the channel switch, so he required that if the customer installs the app after booking a trip on the web, the app should fetch the trip information automatically without entering any reservation numbers. Further, if the user was logged in on the web, we should log them in to the app, too.

“It’s not possible. You can’t transfer parameters from the web to an app through the App Store, and there are limits to what you can do in Google Play too”, I said.

“Make it happen”, said the product owner.

That’s how I discovered deferred deep linking. Third-party solutions can transmit data to an installed application so that it can react to the data at first launch. Branch is a pioneer in this field but nowadays basic functionality is also available through Google Firebase.

This option is still not widely known, and many services treat users arriving through download links like total strangers.


If a user logs in and buys a trip on the web, the booking confirmation page is a great place to advertise your app. When the application has been installed, it’s only considerate to log the user in and find their booking automatically. But it still feels like most people don’t even know this is possible. The magic word is “deferred deep linking”.

If nothing else, check your login chain for these

You can do all kinds of things without login. If your service does require logging in, Apple offers a few universal instructions for implementing logins. They are taken from their Sign in with Apple style guide but are generally relevant.

  • If you ask someone to log in, offer value in return
  • Wait as long as possible before asking for a login
  • In an online store app, let the user make the purchase before asking them to log in
  • Explain the benefits of logging in

Our next authentication story will delve into the pitfalls of passwords. They are not the only option, and by no means always the best one. The following article will focus on how to make strong customer authentication as tolerable as possible.

Authentication plays a role in three business-critical phases. That’s why it matters.
https://qvik.com/news/authentication-plays-a-role-in-three-business-critical-phases-thats-why-it-matters/ (Wed, 26 Aug 2020)
Any service will benefit from well planned and executed onboarding, returning user experience and effortless payments. Authentication is something that each and every user will have to go through. But it still doesn’t receive anywhere near the amount of attention it should.


Three key moments in service use involve authentication.

This neglect of authentication is due to a variety of factors. There are those who feel that the issue is trivial and the current solutions are good enough. Draw a login screen of some kind, job done. Others may think that authentication is a regulatory or technical matter that has little attraction from a business or design perspective.

It is a common misconception that customers are especially interested in your particular service. Those who work on a service obsess about it day in day out but, in certain lines of business, customers only visit your service once or twice a year.

Examples from the travel industry

The travel industry provides an interesting example of authentication issues. There, customers typically don’t use services very often. The end result can look something like this.

These services have since been updated, so I took the liberty of using them to illustrate my point.

Login is implemented with yet another user ID. Because users never remember their IDs, there is a dedicated function for restoring them.

It’s not enough to simply log in. Users then have to dig up their booking reference before they can view the details of their trip.

VR’s old site also required a separate username subject to certain formal requirements. One more ID to remember! I think special characters were not allowed in the password either, even though this is not stated in the image.

Authentication is an integral component of the payment transaction

In addition to activating new users and making life easier for returning users, authentication is increasingly important in payments too. The PSD2 directive has increased the use of strong customer authentication or SCA in connection with payment transactions.

A bad experience in this phase quickly translates to lost business.

Avoiding the need for authentication in connection with payment transactions is a whole other issue – one whose gospel I’ve been preaching every chance I get for the last few years. Here is my previous article on the subject, and more is on the way.

In our next authentication articles, we will look at avoiding any nonsense with passwords and using cookies without being creepy. Eventually we’ll also talk about how to make strong customer authentication as tolerable as possible. Stay tuned!
