

Tackling design challenges


Our early design prototypes quickly pointed to three critical states we need to design for.

Onboarding - Simply explaining what Continuous Authentication is turns out to be a steep task. We need to allow time for users to develop a new mental model, one that moves from the traditional binary authentication (authenticated or not) to a more gradient-like paradigm.

Ideal State - Naturally we are designing for an ideal state, one that is quicker than today's authentication methods and more secure. Many questions around this phase depend on users' relationship to their personal data and on how they will opt in to this service.

Failed State - The last state we need to prototype and solve for is what happens when someone's authentication is uncertain and the system needs a "step-up": another factor is asked of the user in order to authenticate.








On-boarding


Q1: How do we demonstrate how continuous authentication works?

A: Show context of use and data collection in action





I'd like it to show me what Continuous Authentication is while I'm doing it.

Check boxes help me know that I have to acknowledge and accept what I'm agreeing to.


We wanted to demonstrate how continuous authentication works in the context of online shopping by providing a realistic on-boarding experience. We created two versions of the customer sign-up web flow in high fidelity. One provides a step-by-step explanation of the kind of data being collected; the other gives little explanation and runs in the background.

We found that users often skip the verbal description of the definition, but with the step-by-step process, users can better articulate what continuous authentication is.




Q2: How do people feel about different types of data being collected?

A: Fear of detailed data being constantly tracked






I feel fine, companies are doing all this stuff (collecting location, device, etc. data) for marketing. It's common.

I don't want my face videoed all the time. I'm more comfortable with camera usage on my phone than my computer.



We listed all possible types of data that continuous authentication might collect and observed how users reacted to each type. We also explored three different ways of prompting users to provide data. The first is the online on-boarding web flow. The second is an app-based interface with an Accuracy scale that changes as users provide more data. The third is an avatar game app in which an avatar of the user prompts them to share data.

We found that people are generally comfortable providing data that is already being tracked constantly, such as location, device and wifi footprint. However, a large percentage of people are reluctant to provide facial data, mostly due to the fear of being tracked without consent. There is a more negative reaction towards use of the camera on the laptop than on the phone, because the phone is not pointing directly at the face much of the time. While providing data, users also felt more comfortable sharing when they understood how that data would help them get authenticated.







Ideal State


Q3: How much background information should we show?

A: Show all background information during on-boarding, but none for normal checkout.










I like to see permission and I like to know what it's collecting.
What if someone mimics my behavior?
How can they promise security?

There's no need to remind me how potentially invasive it is.



We tested two prototypes: one is the avatar game, where data is collected in the background while people interact with a fun little avatar of themselves. The other is a checkout authentication pop-up that shows the type of data being collected and verified at that moment.

We found that while people want to know exactly what data they are giving up during on-boarding, they do not want to think about payment or authentication while they pay. Showing the data being collected every time only reminds them how potentially invasive the technology could be, and that costs trust in the technology.




Q4: How do people feel about data being collected during checkout?

A: Skepticism, and data gathering without opting in is weird.







"This feels like something's wrong. This is so in my face." (male, late 40's)

"It's a little creepy but I'd use it. I forget my wallet all the time." (female, 30's)

"If this was on my own device it would have been better." (female, late 20's)

"It's just facial recognition... Easier than Apple Pay." (female student, 25)



We wanted to know how comfortable people are with video capture in a physical space. We created a prototype for a small business context using an iPad-based POS like Square, where the customer is immediately greeted with a live video capture of their face.

Users were skeptical about providing facial data for checkout, and were confused if they had not gone through on-boarding first. Most users expressed negative feelings toward video recording from the merchant's device, but felt much more comfortable when the video was recorded on their own device.




Q5: How can we build trust on a continuous authentication interface?

A: People don’t trust small merchants with their information.







I trust my bank, or Mastercard, but not third parties for payment.

If everyone is using it, I'll use it. Because it's indicative of trustworthiness.







Failed State





Q6: What should the recovery experience be?

A: Falling back to an existing authentication method is a good mental model







It's reassuring if it (SMS 2FA) happens once in a while ...

If the trust score was very very low, I wouldn't want the 2nd factor to go through.


We wanted to test ways to recover when continuous authentication fails. Our prototype used the existing method: two-factor authentication with SMS.

Almost all of the users felt comfortable with using SMS 2FA. This confirmed some assumptions we had around 2FA becoming more and more commonplace and a known mental model for people.
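The three states described at the top of this page (silent authentication, a step-up to an existing factor, and a refusal when confidence is very low) can be modelled as thresholds over a gradient trust score rather than a single yes/no check. The following is an added illustration written for this page, not the team's prototype code: the signal names mirror the data types discussed above (location, device, wifi footprint, face), while the weights, thresholds, decay half-life and the sample observations are all assumptions chosen to make the three outcomes visible. The SMS code check uses a constant-time comparison, and a score below the step-up floor stays denied even with a correct code, matching the participant who did not want a second factor to rescue a very low score.

```python
# Added example for this page (not the project's code): a gradient trust score
# mapped onto allow / step-up / deny. Weights, thresholds and half-life are assumed.
from dataclasses import dataclass
from enum import Enum
import hmac


class Decision(Enum):
    ALLOW = "allow"      # score high enough: checkout proceeds with no prompt
    STEP_UP = "step_up"  # score uncertain: fall back to an existing factor (SMS OTP)
    DENY = "deny"        # score so low that a second factor is not even offered


@dataclass(frozen=True)
class Signal:
    name: str      # e.g. "location", "device", "wifi_footprint", "face"
    weight: float  # contribution when the signal fully matches the enrolled profile
    match: float   # 0.0 .. 1.0, how well the current observation matches
    age_s: float   # seconds since this signal was last observed


# Assumed thresholds; a deployment would tune these against its own error rates.
ALLOW_THRESHOLD = 0.75
STEP_UP_THRESHOLD = 0.35
HALF_LIFE_S = 600.0  # a signal's contribution halves every 10 minutes unrefreshed


def decay(age_s: float, half_life_s: float = HALF_LIFE_S) -> float:
    """Exponential discount so stale observations count for less over time."""
    return 0.5 ** (age_s / half_life_s)


def trust_score(signals: list) -> float:
    """Weighted, time-decayed fraction of the maximum achievable confidence."""
    total = sum(s.weight for s in signals)
    if total == 0:
        return 0.0
    earned = sum(s.weight * max(0.0, min(1.0, s.match)) * decay(s.age_s) for s in signals)
    return earned / total


def decide(score: float) -> Decision:
    """Map the continuous score onto the three states the prototypes design for."""
    if score >= ALLOW_THRESHOLD:
        return Decision.ALLOW
    if score >= STEP_UP_THRESHOLD:
        return Decision.STEP_UP
    return Decision.DENY


def verify_otp(expected: str, provided: str) -> bool:
    """Constant-time comparison of the SMS code used as the fallback factor."""
    return hmac.compare_digest(expected.encode(), provided.encode())


def resolve_step_up(score: float, otp_expected: str, otp_provided: str) -> Decision:
    """Outcome after the user answers the step-up prompt.

    A score below STEP_UP_THRESHOLD stays denied even with a correct code;
    an ALLOW score never needed the prompt in the first place.
    """
    first = decide(score)
    if first is not Decision.STEP_UP:
        return first
    return Decision.ALLOW if verify_otp(otp_expected, otp_provided) else Decision.DENY


# Constructed sample observations for three checkout sessions (not real data).
STRONG = [
    Signal("location", 1.0, 1.0, 0.0),
    Signal("device", 1.0, 1.0, 0.0),
    Signal("wifi_footprint", 1.0, 1.0, 0.0),
    Signal("face", 2.0, 1.0, 0.0),
]
UNCERTAIN = [
    Signal("location", 1.0, 1.0, 0.0),
    Signal("device", 1.0, 1.0, 0.0),
    Signal("wifi_footprint", 1.0, 0.5, 0.0),
    Signal("face", 2.0, 0.0, 0.0),  # camera declined: no facial data at all
]
WEAK = [
    Signal("location", 1.0, 0.0, 0.0),
    Signal("device", 1.0, 0.0, 0.0),
    Signal("wifi_footprint", 1.0, 0.0, 0.0),
    Signal("face", 2.0, 0.2, 0.0),
]

if __name__ == "__main__":
    for label, session in (("strong", STRONG), ("uncertain", UNCERTAIN), ("weak", WEAK)):
        s = trust_score(session)
        print(f"{label:9s} score={s:.2f} -> {decide(s).value}")
    # Assumed OTP value for the demo; a real flow would generate and deliver it.
    print("step-up with correct code:",
          resolve_step_up(trust_score(UNCERTAIN), "482913", "482913").value)
```

The decay term is what makes the model continuous rather than a one-off check: a face match observed ten minutes ago counts for half as much as a fresh one, so a session that was strongly authenticated can slide into the step-up band on its own without any explicit "logout" event.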




Summary



Up to this presentation of findings at the end of spring semester, we have focused on the consumer first, homing in during these first design sprints on customer perceptions around creepiness as well as the hard part of onboarding people to this new technology.

As we push into the summer we will continue to answer some of the questions we have on the Consumer Experience while shifting towards Merchant Adoption and how it works inside stores. This will include Technology challenges and Business Strategy concerns.