Illustration created by Alina Najlis.

Step-Up Authentication is Key to Making Paywalls Work in Media

Find out how step-up authentication can make media paywalls more user-friendly while discouraging churn.

November 21, 2019


Think Paywalls Always Mean Unhappy Customers? Think Again.

CTOs in the media world are constantly juggling multiple, sometimes conflicting, priorities with how they manage access to their content. They have to combat user churn, drive revenue through a mix of ads and subscriptions, and maintain healthy traffic and SEO rankings.

In recent years, the paywall has evolved into an effective tool for balancing these needs, boosting subscriptions by restricting what content non-registered users can access.

The New York Times, for example, increased its revenue through digital subscriptions under its paywall, even as ad revenue declined. However, using a paywall often comes at a cost to user experience (UX), and companies are wary of driving away users by forcing them to enter their credentials.

Step-up authentication offers a way for media companies to balance security and UX, by only demanding that users enter their credentials under certain circumstances.

How Step-Up Authentication Applies to Media

As we explained in our introduction to the topic, step-up authentication allows you to make some content easily accessible to users, but request authentication when users want to access more secure content.

One of the primary use cases for step-up authentication is a membership model that only grants full access to a site to paying, registered users, i.e., a paywall.

So how do you define more secure content? If you have a metered paywall, a registration box appears once a customer has visited their allotted number of pages per month. For a hard paywall, users might have to register to see the vast majority of a site’s content. And in a freemium model, certain pieces of content are reserved for paying users.

Step-up authentication becomes important for users who are already logged in but engaging in riskier behaviors than just browsing through content. For example, if a customer attempts to change their payment information, that would trigger a request for multi-factor authentication (MFA). MFA requires an additional form of credential, such as a one-time code or a fingerprint scan, to confirm that the person accessing this restricted area of your site is who they claim to be.

Media companies can use Identity Management to solve challenges

Having an extra layer of security that “steps up” to protect payments is crucial since phishing and credential-stuffing attacks are on the rise. Generally, friends sharing the same set of credentials for a subscription is a low-level worry in media, but hackers using stolen credentials pose a much more serious threat. But even in the face of this threat, a good step-up authentication solution won’t represent an unpleasant disruption for users. Auth0’s Guardian MFA makes the authentication process as easy and unobtrusive as possible. With Guardian, media companies can let users authenticate with a push notification on their smartphone, rather than forcing them to log in to their email or remember the answer to a years-old security question.

How Step-Up Authentication Makes Paywalls User-friendly

User churn is the great enemy of media companies. A Lenfest Institute study found that publishers’ online products have a median churn rate of 50% over a year, and while some customer turnover is inevitable, holding on to existing subscribers is still hugely important to maintaining a healthy media company.

Naturally, media companies are reluctant to make engagement more difficult by introducing friction around authentication. Forcing your readers to log in every time they want to access content is bad business, which is why step-up authentication only imposes that requirement under special circumstances.

The good news is that customers will tolerate authentication requests, provided they are employed thoughtfully. In a 2018 Experian study, 66% of surveyed consumers reported that they like online security protocols because they make them feel safer.

When you employ step-up authentication with Auth0, you can still keep friction at a minimum with long-lived sessions, which can keep a user logged in to your site for up to a year. Auth0 would only require them to enter their credentials if they attempt to access more sensitive areas of your site.

Another major UX advantage for multi-brand media companies is Single Sign-On (SSO). When you enable SSO across all your properties, users with bundled subscriptions can navigate freely between them. But even with SSO, you can use different paywall models across different brands. This way, one brand could have a metered paywall, while another could offer freemium content. Step-up authentication will act as a gatekeeper to ensure users only see what they’re paying for, but since they’re still logged in, you never lose sight of their identity and behavior, which are crucial to refining your understanding of your users.


Experimentation and Customization are Key

The media companies having the most success with paywalls are the ones that don’t treat them as rigid barriers. Instead, they experiment with how much content to put behind a paywall, and when to request authentication.

The Economist spent six months tinkering with its number of free articles per month before landing on five as the magic number, while simultaneously publishing a significant amount of content in front of the paywall. Its circulation profits have doubled in the past five years. The Washington Post traditionally removes its paywall for hurricane-related coverage, which attracts readers and acts as good PR.

The most effective paywall strategy is unique to every media company, but to discover what the right mix is for you, your authentication solution has to be flexible and allow for easy alterations. Auth0’s platform, with its easily customizable Rules, lets you quickly change what content falls in and outside the paywall.

Users can access content using multiple devices

You can customize further with adaptive or contextual authentication, concepts closely related to step-up authentication. Adaptive authentication is triggered by user behavior, rather than by the content the user is trying to access. This type of behavior could be a user signing on from a new device, from multiple devices at once, or from a suspicious location. For example, if a user logs on in Australia and then logs on fifteen minutes later in Delaware, this will trigger an authentication request.

Whether or not to implement adaptive authentication depends on your business model. HBO, for instance, is quite liberal in allowing shared credentials logged in at the same time, whereas other media companies are more restrictive. Whatever your needs, Auth0 has highly customizable MFA capabilities around adaptive authentication.
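
The two triggers described in this article, a sensitive action such as changing payment information and a behavioral anomaly such as the Australia-then-Delaware login, can be combined in one decision function. The sketch below is an added example, not Auth0 code and not the Auth0 Rules API; every name, threshold and sample value in it is an assumption made for illustration.

```javascript
// Added example: all names, thresholds and sample data are assumptions.
const SENSITIVE_ACTIONS = new Set(['change_payment', 'change_email']); // hypothetical
const MFA_FRESH_MS = 10 * 60 * 1000;   // accept an MFA done in the last 10 minutes
const MAX_SPEED_KMH = 1000;            // faster than an airliner => implausible travel

// Great-circle distance between two {lat, lon} points, in kilometres.
function haversineKm(a, b) {
  const rad = (d) => (d * Math.PI) / 180;
  const dLat = rad(b.lat - a.lat);
  const dLon = rad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(rad(a.lat)) * Math.cos(rad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * 6371 * Math.asin(Math.sqrt(h));
}

// Returns the reasons (possibly none) why this request needs a second factor.
function stepUpReasons(session, request) {
  const reasons = [];
  if (SENSITIVE_ACTIONS.has(request.action)) reasons.push('sensitive_action');
  if (!session.knownDevices.includes(request.deviceId)) reasons.push('new_device');
  const prev = session.lastSeen;
  if (prev && request.geo) {
    const hours = Math.max((request.at - prev.at) / 3.6e6, 1 / 3600);
    if (haversineKm(prev.geo, request.geo) / hours > MAX_SPEED_KMH) {
      reasons.push('impossible_travel');
    }
  }
  return reasons;
}

function requiresMfa(session, request) {
  const reasons = stepUpReasons(session, request);
  if (reasons.length === 0) return { mfa: false, reasons };
  // Behavioural anomalies always re-prompt; a sensitive action alone is
  // satisfied by a recent MFA on the same session.
  const onlySensitive = reasons.every((r) => r === 'sensitive_action');
  const fresh = session.lastMfaAt != null && request.at - session.lastMfaAt <= MFA_FRESH_MS;
  return { mfa: !(onlySensitive && fresh), reasons };
}

// Constructed sample: a reader last seen in Sydney.
const T0 = Date.UTC(2019, 10, 21, 9, 0);
const session = { knownDevices: ['laptop-1'], lastMfaAt: null,
  lastSeen: { at: T0, geo: { lat: -33.87, lon: 151.21 } } };
```

Ordinary reading from a known device and a plausible location returns no reasons, so the long-lived session is left alone and the reader is never prompted.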

Step Up to Security That Won’t Drive Users Away

As media companies seek to limit their reliance on ads, and customers become more comfortable with subscribing to their preferred media, paywalls will increase in prevalence and importance. A 2019 Imperial College/Brave Software study showed that the trend is already taking hold, with 33% of sites on the top-1000 news index using some form of paywall.


But not all paywalls are created equal, and the media companies that use them effectively will be those with an approach to authentication that doesn’t increase churn. According to the Imperial study, a quarter of news sites outsource paywall functionality to a third party, but of course, those aren’t created equal either. Given how high the stakes are, it’s essential to outsource this crucial function to an authentication partner like Auth0, with the customizability to implement step-up authentication under just the right circumstances.

About Auth0

Auth0 by Okta takes a modern approach to customer identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit
