May 2, 2023
Sebas Monti is one of our Product Security leaders. He is also a great adventurer and is fascinated by drinking mate while working on trains around the globe. Sebas is sharing his expert tips from four important perspectives for optimizing the security features of platforms/apps: _security mindset, measurement, policy set-up and recovery process._
Security Mindset
It’s normal at first to have a “business” mindset about critical products in your platform/app such as the registration process, Login and the different Account Recovery processes. We want all the users inside the platform and a conversion rate tending to more than 90%. The problem is when those users are not legitimate, and the real ones suffer a loss in your ecosystem. What happens then? You might need to cover the user’s losses, and also pay the reputational cost (which is immeasurable). For that reason, you need to approach those features with a security mindset, finding the balance between security and conversion for your users.
Measure
First, knowing the current status is key.
How your customers use your security features, for example the Login. This can be measured with conversion funnels: how many users tried to log in and succeeded, how many tries it took them, and how many users didn’t succeed (they dropped).
How many possible/confirmed fraudsters do we have in a given timeframe? For example, we can measure that Month over Month.
Identify and classify users based on their behavior or profile. For example, if you have a platform that handles monetary transactions, you can group users by their TPV (Total Payment Volume).
Define smart security policies for your products
Now it’s time to define security policies adapted to each group. Securing a customer/user who rarely uses the application and doesn’t make transactions at all is not the same as securing a customer who runs a business and has a lot of transactions with a high TPV. That’s the key. Fraudsters will target customers with high TPV or businesses to steal PII data from them. For a regular user, you can make 2FA usage optional: you can drive them to configure 2FA by explaining the benefits and the risks if they don’t. But for potential targets, you might want to make it mandatory.
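The two ideas above, a login conversion funnel from the Measure section and a per-group 2FA policy keyed on TPV, as an added example that is not part of the original post. The login events, TPV figures and tier thresholds are constructed for illustration; real thresholds would come from your own Month-over-Month measurements.

```python
from collections import defaultdict

# Constructed sample login attempts as (user_id, outcome), in time order.
LOGIN_EVENTS = [
    ("u1", "success"),
    ("u2", "fail"), ("u2", "fail"), ("u2", "success"),
    ("u3", "fail"), ("u3", "fail"), ("u3", "fail"),  # u3 never gets in: dropped
    ("u4", "success"),
]

# Constructed monthly TPV per user (hypothetical values in the platform currency).
MONTHLY_TPV = {"u1": 120.0, "u2": 48_000.0, "u3": 0.0, "u4": 9_500.0}

# Hypothetical tier thresholds, checked from highest to lowest.
TPV_TIERS = [(10_000.0, "high_tpv"), (1_000.0, "active"), (0.0, "regular")]


def login_funnel(events):
    """Funnel metrics: users who tried, succeeded, dropped, and tries per success."""
    attempts = defaultdict(int)   # attempts per user up to their first success
    succeeded = {}                # user -> number of tries it took
    for user, outcome in events:
        if user in succeeded:
            continue              # only count tries until the first success
        attempts[user] += 1
        if outcome == "success":
            succeeded[user] = attempts[user]
    tried = len(attempts)
    return {
        "tried": tried,
        "succeeded": len(succeeded),
        "dropped": tried - len(succeeded),
        "conversion": len(succeeded) / tried if tried else 0.0,
        "avg_tries_to_success": (sum(succeeded.values()) / len(succeeded)
                                 if succeeded else 0.0),
    }


def tpv_tier(tpv):
    """Map a user's TPV to the first tier whose threshold it reaches."""
    for threshold, name in TPV_TIERS:
        if tpv >= threshold:
            return name
    return "regular"


def two_factor_policy(tpv):
    """Mandatory 2FA for likely targets (high TPV); optional, with a nudge, otherwise."""
    tier = tpv_tier(tpv)
    return {"tier": tier, "2fa": "mandatory" if tier == "high_tpv" else "optional"}
```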
Always offer a way out/recovery process; avoid dead ends.
You always need to offer a way out. When handling security products/features like a Login you will need an account recovery process. The challenge comes when the customer loses/forgets all their factors. Let’s say that I forgot my password and also lost access to my email (or they were changed by someone else). We need to offer our legitimate customer a process, manual or automated, to recover their account. A dead end is not only a painful experience but will also negatively impact your competitive NPS. Customers look for apps/platforms that offer solutions when they have problems.