Providing users with a seamless authentication process is critical in building a successful app. But the challenge is that you must ensure it is a comfortable and user-friendly process that is also sufficiently secure to meet the regulatory requirements governing personal privacy rights.
During onboarding, users must share private information, such as their phone numbers, email addresses, and personal backgrounds, to prove their identities and authenticate their relationship with their smart objects. The process can be complex because it needs to withstand hackers’ attempts to intercept personal data.
Recognizing the potential vulnerabilities of personal data in a digital world, regulators have put in place stringent data protection measures that are enshrined in privacy and security laws. In 2018, the European Union promulgated the General Data Protection Regulation (GDPR) governing the human rights of its citizens, whether they are based in Europe or elsewhere in the world. Recognized as the toughest personal data privacy regulation, the GDPR has become the global standard.
The human rights the regulation protects are articulated in Article 8 of the Charter of Fundamental Rights of the European Union, namely:
Everyone has the right to the protection of personal data concerning him or her.
Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.
Falling foul of the GDPR and compromising a person’s data privacy comes at a hefty price. The company will either face a fine of up to Euro 10 million or pay up to 2% of a company’s previous financial year’s global turnover as compensation, whichever is highest.
With the stakes this high, your business’s success depends on getting the authentication process right - simple, seamless, and secure without bogging users down in an overly complex and tedious onboarding process. By remaining at the leading edge of technology advancements, Velmie enables you to build advanced, compliant, and future-proof fintech software solutions that meet these challenges.
How Velmie’s seamless auth works
The process of registering to get access to an app usually works as illustrated in the chart below:
The user is first asked to enter a phone number to which the system sends an OTP (one-time password). They then need to enter a password into the application, after which the user sets their passcode for the first time. After completing all of these steps, the system authenticates the user.
This is a relatively simple and quick way to register on the system and allows for seamless authorization on different sites.
Authorization works similarly with existing user registrations, with the first two steps repeated – sharing the phone number and receiving the OTP. Then the user is required to use the passcode set up during registration.
The scenarios described above are error-free and don’t include instances when something goes wrong, for example, when there’s an error, or the connection is lost.
The solution provider must have systems to deal with these if they want seamless and secure authentication. For instance, below, we illustrate what seamless authorization would look like if the user is trying to register but has previously registered their phone or is trying to log in, but their phone has not been registered yet.
These error messages are helpful because users immediately understand what went wrong and how to respond. Handling errors this way makes sense if it’s a genuine client with no bad intentions. But what if it’s a hacker trying to access personal data?
At first glance, everything looks in order, but digging deeper, the data the application uses to identify the customer, namely the phone number, is vulnerable to a hacker trying to collect a list of the app’s client phone numbers.
The different behavior of the app can tell the attacker which phone numbers are already registered in the system. This valuable information can be used for all kinds of scams.
How to protect data?
Any software provider that has created an app is responsible for taking care of users' personal data and ensuring hackers don’t get access to this sensitive data.
How do you protect the users’ personal data during the authentication process? You need to adjust how the app reports errors during the authorization process to ensure the app doesn't expose personal information. For example, you can use an authorization process that doesn’t generate an error when an unregistered phone number is submitted, and thus an OTP is not sent to the specified number.
In this scenario, the application seems more secure but becomes less convenient. Users often click "Sign-up" instead of "Sign-in" and vice versa for various reasons. For example, the user forgets whether they have ever registered on this app or thinks they have been registered on it for a long time. Thus, after sharing their phone number, the user may wait for an OTP that is never received. In this event, the user will likely think the application isn’t working and walk away.
So how do you enhance the authorization process to achieve both a seamless and secure authorization process? The diagram below shows how this can be done.
Users, both new and already registered, enter their phone numbers. At that point, the system doesn't check whether the phone number entered by the user is a registered phone number on the app. Instead, it just sends an OTP to it, and if the user owns the phone, they will receive it and be able to move on to the next step. If not, it’s clear the person does not own the phone.
The next step determines whether the user is registered or not. If not, the system invites the user to register, and if they are not interested, they can refuse and close the app. But if the user does agree, the system prompts them to input the passcode they received on their phone, thereby completing the registration process.
The main difference between this scenario and the previous ones is that the application identifies whether the user is registered only after determining that the user inputting the phone number owns the phone. It prevents the hacker from accessing personal data, whether the phone’s owner has registered or not on the app.
Not only does this process avoid confusing the client, but it also protects the client’s personal data. This authorization process is both convenient and secure for the user because it flows seamlessly and prevents a potential hacker from accessing the information.
Data breaches are making the news headlines regularly. According to the Identity Theft Resource Center, there was a record number of instances where data was compromised in 2021.
To keep your name out of the news or put your business at risk of incurring a multi-million euro fine, it's critical to stay one step ahead of the criminals by prioritizing the data protection and security of your authentication process. As discussed in this article, it’s possible to do this without compromising the ease with which your users are authenticated, and it could well become your competitive advantage.