Buy, Not Bye

Published May 11, 2021

There are just a couple of minutes left until the 60% off sale starts. Alex is sitting in front of his laptop and waiting for the moment to buy everything in his cart, where a discounted Xbox Series X and games are quietly, happily waiting. Most retailers offer large-scale sales three times a year at the most, during which seldom-seen deals and discounts will be available to grab.

12 AM

(Alex clicks on the ‘Check Out’ button with excitement)

Wait, I need to login? Fine...

What? Wrong password?!? OK, let me try again...

Still wrong? Hmm…

12:05 AM

[Sigh] Alright… I have to reset my password…

12:08 AM

Hmm, but which email did I register my account with? Errr, let me check.

12:10 AM

Seems to be Yahoo mail!... Hang on, friends calling me about dinner tomorrow…

12:15 AM

Alex shuts down his laptop and leaves – Goodbye

Will he come back? Maybe.

Would he be able to login? Not sure.

Will he miss the deal? Highly likely.

Will he buy eventually? Unclear.

Was he a happy customer? Definitely not!


Does this sound familiar? Most likely, it does if you ever shop online. This happens every day to consumers on nearly every retail website. Good users are asked to log in repeatedly when they try to shop online. Most e-commerce websites automatically log users out after 30 minutes of inactivity. Short web sessions are viewed across much of the application security world as a standard security practice. Traditional thinking is (or was) that shorter sessions prevent fraud that might occur when different consumers use the same computer logged into the same merchant session. However, is a short session really necessary in reducing fraud? How could Amazon always keep users logged in? The more questions you ask, the more you realize how little security benefit is really brought about by a defined short session, and how significant the lost opportunity is.

Hundreds of millions of marketing dollars wasted!

Capturing the attention of consumers and leading them to the website is an expensive proposition for most online retailers.

Based on industry research with top sellers in the online Furniture & Appliances market, over $250 million per year is spent through various marketing channels to generate awareness and drive users to online e-commerce websites. Once on your site, even seemingly small improvements in the conversion from shoppers-to-buyers can yield significant revenue and margin improvements.

Unfortunately, a seemingly small amount of friction in the user journey can halt users and stop them from converting—especially in the hyper competitive e-commerce market. Eliminating such types of friction seems to be a “must have” in order to make dollars spent on marketing worthwhile.

Auth friction translates to conversion loss

The login friction that Alex experiences is not “no-cost.” In fact, data insights drawn from 10 large retailers in North America (annual active users > 30 million) consistently showed that users who can log in successfully are 40% more likely to convert than users who are unable to initially log in.

Users who are unable to login may still choose to guest checkout, but only if the website offers guest checkout and users are still keen on proceeding with their purchase. Retailers generally prefer that users login when they come to the website, so they can gather information to provide a customized experience for every consumer. Not entirely surprising is that a few of the largest retailers have stopped supporting guest checkout on their website. In these scenarios, before continuing shopping, the users who are unable to login will have to go through the often painful process of retrieving their password, which can become an increasingly frustrating experience.

Ask anyone to name the most successful online retailer in the 21st century and you will likely get one answer: Amazon. To capture what Amazon has achieved with delivering a seamless digital experience, you must start by removing authentication friction for legitimate users when they land on your page, and welcoming them with a customized message and cart.

Trend of authentication friction persists across industries

Across the various industries that provide digital experiences to users, when previously logged-in users return to a website:

  • 70% will be able to login successfully on their first attempt
  • 20% will struggle to login but will eventually get in through multiple attempts or even the friction of a password reset
  • 10% will never succeed and will abandon the attempt to log in

But among the 10% of users who abandoned login, typically >50% are legitimate users who have successfully logged in and shopped before. If users are motivated enough, they may dial in to customer service to resolve the issue. And, guess what? Americans waste a collective 900 million hours waiting on hold every year, and that drives significant costs to retailers to maintain call centers, even if intelligent automated tools are implemented. While there are multiple reasons that users call in for call center support, login difficulty is the #1 reason observed across the board.

The market demands a solution to save legitimate users from repetitive login challenges, to yield more satisfied customers, drive revenue, save costs, and improve brand loyalty.

Do not ask consumers to make security decisions

Retailers who truly wish to provide users with an enhanced e-commerce experience have clearly made an effort to improve the situation. Two prevalent solutions to this problem involve either allowing users to select ‘remember me’ or giving them the ability to log in via a social account. These measures may seem helpful on the surface, but at their core they do not achieve the goal of balancing usability and security.

If an enterprise decides on the minimum length of password as a requirement for application security, why is it the consumers’ responsibility to decide whether they should tick that ‘remember me’ box? Well, a surprising result was returned during recent user behavioral research conducted with a top 5 US retailer:

  • Less than 10% of users who attempt to login would choose ‘remember me’
  • More than 30% of those who choose ‘remember me’ activated the functionality on a shared device or in an unsafe environment!

Social login is not THE solution either. Users can be reluctant to log in with social accounts such as Google or Facebook (tying retail accounts to social media accounts), out of concern that their personal data will be used for ad targeting. The low adoption rate has made the solution ineffective in addressing the problem of login friction, not to mention the brand dilution issue created when consumers authenticate on a third-party framework.

So, that's it?

No, the news isn’t all bad. There are steps retailers can take to drive top-line growth and help users in login distress, while ensuring malicious actors are kept at bay. For example, by implementing solutions that reduce authentication friction for recognized, legitimate returning users, retailers can ensure that these users (ultimately, good users) experience a password-less/continuous login on the retail websites they choose.

Rather than giving up and opting to live with millions of dollars in revenue losses each year, the time has come to take action. F5 Shape Recognize is designed and built precisely to answer this call to action through the power of machine learning and analytics insights across the company’s anti-fraud network.