We’re obviously really passionate about identity. Businesses are excited about the potential user experience (UX) and security benefits of modern identity technologies. But what do consumers think?
To gain a better understanding of public attitudes to modern identity, Okta surveyed consumers about their experiences with new authentication options, their enthusiasm for passwordless alternatives, and their existing password security habits.
Methodology and Motivation
Before we explore the results, it’s worth talking about why Okta surveyed individual consumers. After all, Okta doesn’t sell technology directly to the public. Our customers are businesses, governments, and nonprofits.
It’s a valid question. Here’s the answer: individuals ultimately use our products, whether they’re consumers interacting with the Okta Customer Identity Cloud (CIC) or employees using Okta’s workforce solutions.
Okta wants to protect the digital economy. But to do that, we need to build products that consumers actually want to use. We need to build something that’s meaningfully better than legacy password-based authentication.
This means we need to test our assumptions about consumer attitudes. We must understand their needs, preferences, and habits.
By speaking directly to consumers, we can learn their likes and dislikes. We can measure their exposure to modern identity technologies and see which ones they enjoy using. By delivering products that align with the needs of consumers and employees alike, we can start transitioning away from passwords and move towards a more secure future.
So, let’s talk about methodology. Okta’s Customer Identity Cloud Unit (CICPU) conducted a series of 60-minute Zoom research sessions with consumers from around the globe. These sessions consisted of two parts.
The first was a discussion about authentication preferences and their attitudes to password security. We asked about their best and worst authentication experiences, as well as their exposure to modern identity technologies.
The second section consisted of a usability test. Participants were asked to create new accounts on a number of platforms using a variety of modern identity approaches and asked about their likes and dislikes.
We spoke to 23 participants in total, with those from the Americas representing more than half (55.2%). EMEA and APAC participants accounted for 30.4% and 17.4% respectively.
Our study didn’t have the largest sample size, but that was by design. We weren’t interested in doing a quantitative study, where we looked at habits in aggregate. Our research was qualitative. We wanted to see the nuances and opinions that aren’t easily identified at scale.
Meet The Consumers
Our respondents came from a diverse array of backgrounds. They represented ten different industries, ranging from retail and manufacturing to education and healthcare. All reported a strong level of confidence with technology, with 60.9% claiming to be “very” tech-savvy and 39.1% describing themselves as “somewhat” tech-savvy.
Despite a high level of self-described tech savviness, the overwhelming majority of respondents failed to adhere to password security best practices. Few reported using a non-browser-based password manager, like 1Password or LastPass. Most said they reuse passwords across devices or apps.
But there was some nuance. Just because they didn’t necessarily use perfect password hygiene doesn’t mean they were totally unaware of the risks they faced or had no wish to improve.
Many claimed to use separate passwords for their most sensitive accounts, such as with banking or healthcare applications. Some stored their passwords in spreadsheets or in their phone’s Notes app.
Although this is vastly less secure than using an encrypted password vault, it’s arguably better than re-using potentially weak and compromised passwords. And it indicates an awareness of the risks associated with account compromise and a willingness to improve their security.
Many of the interviewees described this as a “headache” but weren’t actively looking for alternatives, as they didn’t know where to start.
Consumer Attitudes to Identity and Authentication
During the second phase of the interview, CICPU asked our interviewees to create accounts for a variety of platforms and sign in with their credentials. These included the social websites Twitter and TikTok, the Washington Post, and Airbnb.
Curiously, the attitudes of our panel were often shaped by how well they trusted a particular company and the general usability of the site in question.
TikTok was a good example of this. Although TikTok is the fastest-growing social media platform in the world, with over 1bn monthly active users, it’s also embroiled in controversy. The company’s Chinese ownership has invited scrutiny from lawmakers on both sides of the Atlantic, with some leading calls for the app to be banned.
For many of our participants, their authentication choices were informed by what would share the least amount of personal information rather than security or convenience.
They increasingly opted to use their phone number or an email address rather than social login options, which may reveal their personal info on other platforms. They believed doing so would limit the amount of personal information a platform like TikTok could obtain.
TikTok offers a wide range of sign-in options (although slightly fewer for registering). But this wasn’t necessarily a net benefit, according to our participants, who felt they added to a cluttered and confusing user experience.
Our research highlighted other UX shortcomings within TikTok, which lengthened the time required to access the app for many participants. These included the placement of the form fields used to input the one-time password (OTP) code generated when using multi-factor authentication (MFA). Additionally, many participants faced difficulties in understanding where to look for the OTP code.
TikTok had the second-highest sign-in failure rate (33.33%) and the highest sign-up failure rate (38.89%). It also had the longest login completion time (69.09s) and the second-longest sign-up completion time.
By contrast, the Washington Post had the lowest failure rates across the login and account creation flows (7.14% and 5.56%, respectively) and the quickest completion times. It also offered the most popular identity experience of the sites studied.
So, what’s the secret sauce behind the Washington Post’s success? In short, it’s among the simplest experiences of those surveyed. The Washington Post also required less information than the registration flows of other sites.
It’s worth noting that the Washington Post also allows users to authenticate with a one-time “magic link” sent to their email accounts. Our participants overwhelmingly described this as “unnecessary,” as it required additional steps to complete and broke the login flow, with participants opening another page to sign in.
Context was an unavoidable factor in how our panel chose which identity technologies to use. In the case of Airbnb, the majority of our respondents chose to use their phone number and email address as they were eager to maintain visibility over their bookings.
The Factors Driving Authentication Choice
This exercise wasn’t merely about seeing how individuals felt about certain websites’ authentication flows. It exposed our participants to a variety of authentication methods. We could observe which they preferred and which ones they avoided and learn the reasons why they chose the options they did.
The factors that influence a person’s decision to use a particular authentication technology are multifaceted. They include things like trust, context, and familiarity.
On every website tested, email consistently ranked as one of the top-two authentication methods among our panel. In many respects, this didn’t come as a surprise. It’s something everyone is familiar with. Old habits die hard.
From a technologist's perspective, email and password-based authentication feel archaic. It’s a method that’s vulnerable to things like credential stuffing and phishing. Our participants, however, saw it as a tool to protect their privacy from organizations they didn’t fully trust.
Many expressed the belief that email-based authentication limits the amount of personal data shared with a website, especially when compared with other modern methods, like social login. Others avoided using social login and expressed fears about a potential contagion effect, where if one website finds itself compromised, the attacker would be able to access their data on other websites.
In practice, things are a bit nuanced. These fears, while understandable, don’t reflect the reality of how modern authentication works and how it can protect user privacy and account security. This research illustrates the urgent need for the identity industry — of which Okta is a leading member — to educate the wider public about the relative security of the various authentication methods currently available.
Things are equally interesting when you look at the methods our participants opted not to use. Few, when presented with the opportunity, chose to use “magic links” or QR codes. When asked why, they said it was because they were unfamiliar with them. This is true especially during sign-in when participants want the process to be as seamless and as quick as possible. For many, spending time learning modern/new login options during sign-in is a luxury.
Naturally, people are inclined to use things they understand over things they don’t. While the adoption of less-common authentication technologies may grow organically, driven by developer and business adoption, it’s not unreasonable to think that education may accelerate this process.
Finally, let’s touch upon the context element. As our interviews showed, people’s choice of authentication technology is heavily influenced by the website or platform they’re using.
A significant number of participants said they used more secure authentication methods (with biometrics and multi-factor authentication cited as examples) when accessing websites and applications that house sensitive personal information. These include government websites and banking applications.
This finding is heartening. It illustrates a level of understanding about how some authentication methods are more secure than others and a willingness to adjust their behavior based on the sensitivity of the application.
Our study leaves a lot to consider. Here are our biggest takeaways:
- Modern identity can improve UX, but if the UX foundations are weak, it might confound users. A great example is TikTok, which offers a myriad of authentication choices, leaving consumers unclear about what to do.
- If it ain’t broke, don’t fix it. The Washington Post offers an incredibly fluid authentication and account creation experience, leaving other identity tools looking superfluous in the eyes of consumers. There’s a question to be asked about “diminishing identity returns,” but that’s for another article.
- People want to do the right thing when it comes to password best practices and hygiene, but they often choose convenience over security. While their execution is sometimes lacking (with reused passwords stored in spreadsheets and notes), their heart is in the right place.
- The way consumers authenticate is driven partially by trust. UX is an important factor, certainly, but it’s not the only one.
We’ve long argued that the human element is among the most important in a business’ security posture. Your safety depends on your customers and employees making the right choice. We can make that choice easier by offering a better UX, but we also need to understand their preferences and fears. We need to understand why people make certain choices.
This study is, we hope, an important step in understanding that human element. Choices are, by definition, contextual. A myriad of factors influences them, ranging from the UX composition of a website to the customer’s sentiment toward an organization.
Ultimately, when it comes to identity, there’s no such thing as a “one-size-fits-all” solution.