Identity theft hits 1.1M reports — and authentication fatigue is only getting worse




From passwords to passkeys to a veritable alphabet soup of other options – second-factor authentication (2FA)/one-time passwords (OTP), multi-factor authentication (MFA), single sign-on (SSO), silent network authentication (SNA) – when it comes to the type of identity authentication, there is little consensus among companies or customers.

What there is agreement on, however, is the need for these tools. The FIDO Alliance found that more than half of customers (53%) experienced an increase in suspicious messages and online scams in 2024. This was largely driven by SMS, emails and phone calls, and has only been exacerbated by advances in AI.

Even as we continue to see striking increases in fraud and related losses – the Federal Trade Commission received more than 1.1 million identity theft reports last year – companies must do their best to walk a tightrope between robust security and effortless convenience. Over-index on one or the other and you risk alienating customers – too few hoops and you lose their confidence, too many and you lose their patience.

So how do companies strike this fragile balance and implement effective authentication solutions?

The customer is always right

When it comes to authentication, what companies mandate for employees rarely translates to customers. We went to Web cars as the only form of 2FA for employee authentication, a company-wide mandate that took a few weeks. This “forced adoption” works when your employees have no choice, but your customers do.

Recently, I wanted to book a hotel for my family vacation, so I went to my favorite travel site, found the perfect room at a reasonable price and went to finalize the transaction. One problem: I kept running into an issue with the CAPTCHA on their page – once, twice. After the third attempt, I left, found the same room at the same rate on their competitor's site and booked it.

Companies can devote massive high-end marketing budgets to pushing customers to their websites, products and services, but if friction in the user experience prevents conversion – with authentication often the initial point of contact – it is a wasted investment. Forty percent of companies say that one of their most pressing challenges is finding a balance between security and customer experience, in particular reducing friction during account registration.

Customer behavior is difficult to change, particularly around the adoption of new technologies. It doesn’t matter if biometrics or public key cryptography are more secure; if they are not just as seamless to use, customer adoption will lag. Why do you think so many people still rely on passwords that are easy to guess? (You know who you are!) The reality is that you simply cannot force customer adoption – companies that get authentication right recognize the needs and limits of their customers, meet them where they are comfortable and understand that this cannot be one-size-fits-all.

A signal-focused future

In this scrum of friction versus freedom, the future of authentication will be driven by continuous signals rather than arbitrary identity checkpoints such as logins or purchases. Think of authentication as a braking system, where companies can press or release the pedal to increase or decrease friction according to customer behavior.

Suppose I receive a promotion for 20% off new tires at my auto shop. If I click on the notification, I expect a seamless login experience – they sent me the message, I am a longtime customer and I am using their application from a known device. But let’s say I travel to Kansas City for work. If I open my laptop and I am still logged in to my favorite e-commerce platform, I would expect them to log me out or demand proof of identity to continue the session, because I am in a completely different location based on my previous purchase history.

Think of the applications – shopping, email, social media, home security, streaming services – where we log in once and rarely (if ever) again. What happens if your device is lost or stolen, or if your session is hijacked? Companies must adopt a zero-trust mindset, where authentication is not simply showing your ID at the door so that you are then free to roam the club, but a continuous, risk-based process that scales friction according to your activity.

The wrinkle here, as in so many sectors at the moment, is AI. Earlier in my career, I built bot detection models for a startup to distinguish human behavior from machines. We monitored the number of clicks we would get from an IP and user agent, and if it was more than N in a second, we assumed it was a bot and blocked that traffic. But now, as we hand the reins to AI assistants and autonomous agents to make dinner reservations, set up appointments or buy movie tickets, how do you distinguish a harmful bot from one working on your behalf? It is the future of authentication, and work that companies in the industry continue to pioneer.
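The "braking system" and the clicks-per-second heuristic described above can be combined into one per-request decision. The following is an added example, not code from the article or from Twilio; the signal names, weights, thresholds and the value of N are assumptions chosen for illustration.

```python
from dataclasses import dataclass

ALLOW, STEP_UP, TERMINATE = "allow", "step_up", "terminate"
MAX_CLICKS_PER_SECOND = 10  # the article's "N"; this value is an assumption

@dataclass(frozen=True)
class Signals:
    known_device: bool        # device seen before on this account
    city: str                 # coarse location of this request
    usual_cities: frozenset   # locations taken from purchase history
    business_initiated: bool  # user followed a message the business sent
    sensitive_action: bool    # purchase, address or credential change
    clicks_last_second: int   # requests from this IP + user agent in 1 s

def risk_score(s: Signals) -> int:
    """Add up illustrative weights; tune them against real fraud data."""
    score = 0
    score += 0 if s.known_device else 2
    score += 0 if s.city in s.usual_cities else 3
    score += 1 if s.sensitive_action else 0
    score -= 1 if s.business_initiated else 0
    return max(score, 0)

def decide(s: Signals) -> str:
    """Map the current signals to a friction level, evaluated per request."""
    if s.clicks_last_second > MAX_CLICKS_PER_SECOND:
        return TERMINATE          # faster than a human: block the traffic
    score = risk_score(s)
    if score >= 5:
        return TERMINATE          # end the session, force a fresh login
    if score >= 3:
        return STEP_UP            # keep the session but demand proof of identity
    return ALLOW                  # no added friction

# Constructed sample requests mirroring the scenarios in the text.
HOME = frozenset({"Boston"})
TIRE_PROMO = Signals(True, "Boston", HOME, True, False, 1)
TRAVELLING = Signals(True, "Kansas City", HOME, False, False, 1)
HIJACKED = Signals(False, "Kansas City", HOME, False, True, 1)
CLICK_FLOOD = Signals(True, "Boston", HOME, False, False, 40)

if __name__ == "__main__":
    for name, s in [("promo", TIRE_PROMO), ("travel", TRAVELLING),
                    ("hijacked", HIJACKED), ("flood", CLICK_FLOOD)]:
        print(f"{name:8} score={risk_score(s)} -> {decide(s)}")
```

A fixed click-rate cutoff cannot tell a harmful bot from an agent acting on the user's behalf, which is the open problem the paragraph above raises; the example only reproduces the older heuristic alongside the risk score.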

Authentication: an ‘and’, not an ‘or’, proposition

Despite new authentication methods in perpetual development and a rise in regional requirements such as Singapore's Singpass or the EU Digital Identity Wallet, no tool will ever have full market share – some customers will always prefer the simplicity of options like OTP, while others will require the security of passkeys or other modern tools.

It will be up to businesses to provide a breadth of choice to meet customers where they are, and to implement strategies to keep each method safe from smishing/phishing, social engineering or a plethora of other identity-based attacks. The authentication war between friction and freedom will not be won by those who favor one or the other, but by those who can walk the tightrope between the two to guide their customers towards seamless but secure experiences.

Anurag Dodeja is responsible for product, user authentication and identity at Twilio.


