Finding that balance between fast and friction
Security experts weigh in on how banking institutions can keep customers safer without bogging down their mobile user experience.

Are there customers, particularly Gen Zers accustomed to frictionless mobile experiences, who might be bothered by the extra keystrokes that are part of an institution’s efforts to protect their money?
BAI research finds that Gen Z is especially willing to change banks for what they see as a superior mobile experience, so what kind of challenge does this present in protecting accounts without bogging down the experience?
Security experts give their take on this topic and share best practices for how institutions can best balance customer experience with real-time security.
Brandon Koeser, financial services senior analyst, RSM US
Banks offering a superior in-app user experience are finding that they can add more security to log-in requirements without diminishing the overall customer experience.
Increasingly, all generations are placing more emphasis on security. This presents a unique opportunity for banks to structure mobile security standards for all their users. One way that banks are approaching mobile device security is through enhanced education efforts. Even though security awareness information is universal to all, banks can tailor delivery to more at-risk user groups.
Common methods deployed by banks for mobile app security include two- or multi-factor authentication, and unique and strong password requirements. A unique and strong username and password helps establish a secure baseline for mobile banking, yet it becomes increasingly frictionless as mobile devices allow for the password to be saved on the device and uploaded at log-in through use of face ID or other biometric tools.
Multi-factor authentication provides a more robust security measure when done correctly. If the multi-factor authentication is performed through a text message rather than a phone call, it likely will have greater acceptance. The whole point of mobile banking is to keep it mobile.
Teresa Walsh, global head of intelligence, FS-ISAC
Cybersecurity needs to be a top priority for any financial institution – the threat landscape is too volatile and rapidly shifting for anything less. However, your customers don’t necessarily know that. Institutions need to make sure they consider the expectations that their customers, particularly younger users, have for using their services.
Gen Z users in particular are heavily focused on convenience and ease of use, and are likely to claim that is a higher priority than a robust cybersecurity infrastructure. When implementing measures to protect customers, institutions also need to be aware of how they can protect customers from their own lack of security vigilance, which only happens through continuous education on cyber hygiene.
One strategy many firms use is to “shift left” or incorporate security considerations into the very earliest design stages of new products. Further innovation may help resolve this conundrum. New technologies like biometric authentication and password-less security are emerging that promise to promote sound cybersecurity readiness and resilience while ensuring a smoother customer experience.
Mark Sangster, chief of strategy, Adlumin
When dealing with security, remote and mobile transactions create additional security challenges when identifying verification and authorization. Stolen accounts and credentials are easy for criminals to collect and use when they don’t have to walk into a bank and face a familiar teller.
Mobile banking must use multiple forms of authentication. Multi-factor authentication has come a long way in terms of defensibility and frictionless customer experience. Biometric authentication on mobile devices creates greater security than simple usernames and passwords alone.
Contextual MFA is the next step. Interrogating mobile connections to look at registered devices, geolocation, time of day, number and nature of transactions all contribute to a behavioral signature of customer activity and make it easier to identify anomalies that signal suspicious activity and fraudulent transactions.
This form of behavioral analysis can identify suspicious transactions and then flag an additional authentication step. For example, a transaction connection from unknown devices from a different geolocation like Europe that don’t match typical business days for the client can trigger an additional interrogation through a token sent by SMS or email, or recovery questions, or validation by matching recent bank transactions. This way, you protect clients when the transaction seems suspicious but don’t create friction for typical connections.
When protecting Gen Z, minimizing friction or providing personalized communications, when necessary, dovetails with their cyber values. For example, asking for additional authentication, with friendly language that demonstrates the bank’s commitment to their safety and value as a customer, can offset any frustration with a second or third step when it comes to banking.
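The contextual MFA described above (registered device, geolocation, time of day, transaction count and size feeding a behavioural score that only triggers a step-up when the signal is anomalous) can be shown as a small risk-scoring decision. The code below is an added illustration, not code from Adlumin or from any bank; the customer profile, the attempts, the signal weights and the step-up threshold of 3 are all constructed assumptions, and timestamps are assumed to be UTC in both profile and attempt.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class CustomerProfile:
    """What the bank has observed as 'normal' for one customer (constructed)."""
    registered_devices: set
    usual_countries: set
    usual_hours: range            # hours of day (UTC, assumed) when this customer normally banks
    typical_max_amount: float     # largest transfer seen in normal activity


@dataclass
class Attempt:
    """One login/transaction context as seen at the API edge (constructed)."""
    device_id: str
    country: str
    when: datetime                # UTC
    amount: float
    transactions_last_hour: int


# Assumed threshold: a real deployment tunes this against fraud and false-positive rates.
STEP_UP_THRESHOLD = 3


def risk_score(profile, attempt):
    """Add a weight per anomalous signal; return (score, human-readable reasons)."""
    score, reasons = 0, []
    if attempt.device_id not in profile.registered_devices:
        score += 3
        reasons.append("unregistered device")
    if attempt.country not in profile.usual_countries:
        score += 3
        reasons.append(f"unusual geolocation ({attempt.country})")
    # weekday(): Monday=0 .. Sunday=6, so >= 5 is a weekend
    if attempt.when.hour not in profile.usual_hours or attempt.when.weekday() >= 5:
        score += 1
        reasons.append("outside usual days/hours")
    if attempt.amount > 3 * profile.typical_max_amount:
        score += 2
        reasons.append("amount far above typical")
    if attempt.transactions_last_hour >= 5:
        score += 2
        reasons.append("high transaction velocity")
    return score, reasons


def decide(profile, attempt):
    """ALLOW silently for typical activity; STEP_UP (SMS/email token, recovery
    questions, recent-transaction check) only when the score crosses the threshold."""
    score, reasons = risk_score(profile, attempt)
    decision = "STEP_UP" if score >= STEP_UP_THRESHOLD else "ALLOW"
    return decision, score, reasons


def sample_profile():
    """Constructed profile for one hypothetical customer (not real data)."""
    return CustomerProfile(
        registered_devices={"dev-A1"},
        usual_countries={"US"},
        usual_hours=range(7, 22),
        typical_max_amount=2000.0,
    )


def sample_attempts():
    """Constructed attempts; 2024-03-05 is a Tuesday, 2024-03-03 a Sunday."""
    tue_afternoon = datetime(2024, 3, 5, 14, 0, tzinfo=timezone.utc)
    sun_night = datetime(2024, 3, 3, 3, 0, tzinfo=timezone.utc)
    return {
        "normal": Attempt("dev-A1", "US", tue_afternoon, 150.0, 1),
        "weekend_only": Attempt("dev-A1", "US", sun_night, 150.0, 1),
        "new_device_abroad": Attempt("dev-Z9", "DE", sun_night, 150.0, 1),
        "large_and_rapid": Attempt("dev-A1", "US", tue_afternoon, 9000.0, 6),
    }


def run_samples():
    """Evaluate every constructed attempt against the constructed profile."""
    profile = sample_profile()
    return {name: decide(profile, a) for name, a in sample_attempts().items()}


if __name__ == "__main__":
    for name, (decision, score, reasons) in run_samples().items():
        print(f"{name:18s} {decision:8s} score={score} reasons={reasons}")
```

The weighting is deliberately uneven: a single low-weight signal such as a weekend login on a registered device stays below the threshold and goes through with no extra step, which is the "don't create friction for typical connections" half of the argument, while an unregistered device from an unusual country crosses it immediately. Each decision also returns its reasons, which is what lets the bank phrase the step-up prompt in the friendly, specific language the next paragraph recommends.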
Katie Kuehner-Hebert is a BAI contributing writer.
We explore the current state of mobile banking—including the quest to improve the day-to-day user experience and protect customers from fraud—in the BAI Executive Report, “Building on mobile banking’s success.”