Web applications face a wide range of security threats, but customer accounts are often the target. Our recent survey of Australian businesses showed a need for stronger account protection measures. Those controls can add friction for users if they are applied too broadly. This article looks at ways to balance security with user experience in web applications.
The Challenge: Compromised Credentials
Our survey found that 21% of organisations cited reputation loss as their main cybersecurity challenge. In practice, reputation loss often follows account takeover, and account takeover usually begins with a practical security problem: compromised credentials.
Causes of compromised logins include:
- Phishing attacks
- Password reuse across multiple sites
- Data breaches exposing user credentials
- Credential stuffing attacks
- Keylogging malware
These risks make password-only authentication a weak control for customer account protection.
Moving Beyond Traditional Multi-Factor Authentication
Multi-Factor Authentication (MFA) adds a useful security layer, but it also adds friction, and it is not a complete answer on its own. Adversary-in-the-middle phishing kits can relay one-time codes in real time, push-notification fatigue can wear a user down into approving a fraudulent prompt, and MFA does nothing to stop automated credential stuffing against the password step itself. Our survey found that only 40% of organisations implement bot protection, which leaves a clear gap around those automated attacks.
While 77% of surveyed businesses use MFA, that figure can hide those weaknesses. MFA alone doesn't protect accounts from every attack path.
Contextual Security: A User-Focused Approach
Contextual security helps reduce that tradeoff between protection and user experience. It assesses the risk of each login attempt using factors including:
- Location of the login attempt
- Time of day
- Device used
- User behaviour patterns
- IP address reputation
- Network characteristics
By analysing these contextual factors, web applications can apply adaptive authentication: a login that looks like the user's normal pattern proceeds without interruption, and a stronger check is requested only when the combined risk warrants it, instead of asking every user to complete an extra step every time.
Figure 1: Key factors considered in contextual security
Implementing Contextual Security in Web Applications
To improve account protection without adding unnecessary friction, consider these controls:
- Real-time monitoring: Track user activity and detect anomalies.
- Adaptive authentication: Adjust security requirements based on the risk level of each login attempt.
- Behavioural analysis: Use machine learning to understand user behaviour and flag suspicious activity.
- Transparent security measures: Apply checks that don't require additional user actions for low-risk scenarios.
- Risk-based access controls: Apply stricter security measures for high-risk actions or sensitive data access.
- Bot protection: Detect and mitigate automated attacks.
- API security: Protect APIs from abuse and unauthorised access.
- Residential proxy detection: Identify and mitigate threats from residential proxy networks.
For web applications, the goal is targeted control rather than blanket friction.
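The factor list above and the adaptive-authentication control it feeds are easiest to understand as a scoring function. The following is an added example, not code from the article or from any vendor: each login attempt is scored on device familiarity, time of day, IP reputation and geo-velocity ("impossible travel"), and the score maps to allow, step up to MFA, or block. The weights, thresholds, the IP reputation table, the sample user history and the three constructed attempts are all illustrative assumptions.

```python
"""Added example (not from the article or any vendor): a minimal contextual
login evaluator. Weights, thresholds, the reputation table and the sample
user history are illustrative assumptions."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Optional


@dataclass
class LoginAttempt:
    user: str
    ip: str
    device_id: str      # e.g. a device cookie or fingerprint set on an earlier login
    lat: float
    lon: float
    ts: datetime        # UTC


@dataclass
class UserHistory:
    known_devices: set
    usual_hours: set                        # UTC hours the user normally signs in
    last_login: Optional[LoginAttempt] = None


# Hypothetical IP-reputation feed; a real deployment would query a provider.
IP_REPUTATION = {
    "203.0.113.9": "residential_proxy",
    "198.51.100.7": "tor_exit",
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(prev, cur, max_kmh=900.0):
    """True if getting from `prev` to `cur` would need faster-than-airliner travel."""
    if prev is None:
        return False
    hours = (cur.ts - prev.ts).total_seconds() / 3600
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours <= 0:               # clock skew or simultaneous logins: flag only if far apart
        return km > 100
    return km / hours > max_kmh


def risk_score(attempt, history):
    """Additive score plus the reasons behind it. Weights are assumptions."""
    score, reasons = 0, []
    if attempt.device_id not in history.known_devices:
        score += 30
        reasons.append("unknown device")
    if attempt.ts.hour not in history.usual_hours:
        score += 10
        reasons.append("unusual hour")
    tag = IP_REPUTATION.get(attempt.ip)
    if tag:
        score += 40
        reasons.append(f"ip reputation: {tag}")
    if impossible_travel(history.last_login, attempt):
        score += 50
        reasons.append("impossible travel")
    return score, reasons


def decide(attempt, history, step_up_at=30, block_at=70):
    """Map the score to an action. Low-risk logins see no extra step at all."""
    score, reasons = risk_score(attempt, history)
    if score >= block_at:
        return "block", score, reasons
    if score >= step_up_at:
        return "step_up", score, reasons     # e.g. prompt for an MFA factor now
    return "allow", score, reasons


def demo():
    """Three constructed attempts for one user whose last login was from Sydney."""
    sydney = (-33.8688, 151.2093)
    london = (51.5074, -0.1278)
    last = LoginAttempt("alice", "192.0.2.10", "laptop-1", *sydney, datetime(2024, 5, 1, 0, 0))
    hist = UserHistory({"laptop-1"}, set(range(22, 24)) | set(range(0, 8)), last)
    t = datetime(2024, 5, 1, 1, 0)     # one hour after the last login, inside usual hours
    attempts = {
        "same_device_same_city": LoginAttempt("alice", "192.0.2.10", "laptop-1", *sydney, t),
        "new_device_same_city": LoginAttempt("alice", "192.0.2.11", "phone-2", *sydney, t),
        "new_device_proxy_far_away": LoginAttempt("alice", "203.0.113.9", "phone-3", *london, t),
    }
    return {name: decide(a, hist)[0] for name, a in attempts.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name}: {action}")
```

A password-only check would have accepted all three attempts. The scorer lets the familiar one through untouched, asks the new device for a second factor, and refuses the login that is simultaneously a new device, a known residential-proxy address and a physically impossible journey. In a real deployment the weights would be tuned against the site's own false-positive and account-takeover rates rather than fixed by hand.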
The Role of User Education
User education still has a place in a security strategy. Training and awareness programs can help users understand:
- The importance of strong, unique passwords
- How to identify phishing attempts
- The risks of password reuse across multiple sites
- The importance of keeping software and devices updated
- How to recognise and report suspicious activities
User education works best when it supports technical controls rather than carrying the whole burden.
Addressing Mobile Application Security
Our survey indicates a potential gap in mobile security strategies. As mobile apps take on operations like banking and e-commerce, they become part of the application attack surface, and because a mobile app is usually a thin client over the same back-end APIs the web application uses, most of that exposure sits on the API side.
Only 30% of respondents implement Web Application and API Protection (WAAP), indicating many businesses may not be ready to protect their mobile assets. That gap leaves the APIs behind mobile applications exposed to attacks, including API abuse and data exfiltration.
The Threat of Residential Proxies
Our survey found that only 15% of organisations use residential proxy detection. That low adoption rate leaves a weakness in many businesses' security postures.
Residential proxies route attack traffic through ISP-assigned home addresses, so each request arrives from an IP that, on its own, looks like an ordinary customer. Attackers use them to:
- Spread attempts across thousands of addresses so per-IP rate limits never trigger
- Evade geolocation-based restrictions by choosing an exit in the expected country or region
- Run large-scale credential stuffing attacks
- Scrape data without the source IPs standing out
Businesses should consider security providers that can detect and mitigate residential proxy threats.
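The first two bullets above are worth seeing rather than reading about. Below is an added example, not from the article or any vendor, that feeds two constructed login logs through a classic per-IP rate limiter and through a complementary detector keyed on the shape of the traffic: a burst of failures where almost every failure comes from a different source IP. The 200-attempt stuffing run, the office IPs in 192.0.2.0/24 and the proxy pool in 203.0.113.0/24 are all constructed sample data.

```python
"""Added example (not from the article or any vendor): per-IP rate limiting
versus credential stuffing through a residential proxy pool, with a
complementary traffic-shape detector. All log lines are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import IPv4Address


def constructed_log(proxy_pool):
    """Sample auth log lines: '<iso-timestamp> <ip> <username> <OK|FAIL>'.
    20 legitimate logins from 5 office IPs, then 200 stuffing attempts.
    proxy_pool=True gives every attempt its own 203.0.113.0/24 address (a
    residential-proxy pool); False sends them all from one source IP."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(20):
        ts = base + timedelta(seconds=3 * i)
        result = "FAIL" if i % 7 == 0 else "OK"             # the odd typo
        lines.append(f"{ts.isoformat()} 192.0.2.{i % 5 + 1} staff{i} {result}")
    burst = base + timedelta(minutes=5)
    for i in range(200):
        ts = burst + timedelta(milliseconds=250 * i)          # 4 attempts per second
        ip = str(IPv4Address("203.0.113.0") + i + 1) if proxy_pool else "198.51.100.23"
        result = "OK" if i % 50 == 0 else "FAIL"              # a few reused passwords hit
        lines.append(f"{ts.isoformat()} {ip} victim{i} {result}")
    return lines


def parse(lines):
    """Turn log lines into (timestamp, ip, user, result) tuples."""
    events = []
    for line in lines:
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def per_ip_blocked(events, limit=10, window=timedelta(minutes=1)):
    """Traditional control: block a source IP after `limit` failures in `window`.
    Returns the set of IPs that would have been blocked."""
    recent = defaultdict(deque)
    blocked = set()
    for ts, ip, _user, result in events:
        if result != "FAIL":
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= limit:
            blocked.add(ip)
    return blocked


def distributed_stuffing_minutes(events, min_fails=50, min_ip_spread=0.8):
    """Complementary control keyed on traffic shape rather than source: per
    one-minute bucket, count failures and distinct failing IPs. Many failures
    with nearly every one from a different IP is the signature of stuffing
    through a proxy pool; legitimate users' IPs repeat. Returns
    (minute, failures, distinct_ips, distinct_users) for each flagged bucket."""
    buckets = defaultdict(lambda: {"fails": 0, "ips": set(), "users": set()})
    for ts, ip, user, result in events:
        if result == "FAIL":
            b = buckets[ts.replace(second=0, microsecond=0)]
            b["fails"] += 1
            b["ips"].add(ip)
            b["users"].add(user)
    flagged = []
    for minute, b in sorted(buckets.items()):
        spread = len(b["ips"]) / b["fails"]
        if b["fails"] >= min_fails and spread >= min_ip_spread:
            flagged.append((minute, b["fails"], len(b["ips"]), len(b["users"])))
    return flagged


if __name__ == "__main__":
    for label, pool in (("proxy pool", True), ("single source", False)):
        events = parse(constructed_log(pool))
        print(label, "| per-IP blocked:", per_ip_blocked(events) or "none",
              "| distributed alerts:", distributed_stuffing_minutes(events) or "none")
```

With the single-source log the per-IP limiter blocks 198.51.100.23 within seconds and the shape detector stays quiet, which is the right outcome. With the proxy-pool log the limiter blocks nothing, because no address ever fails more than once, while the shape detector flags the 10:05 minute: 196 failures from 196 distinct IPs against 196 distinct accounts. Neither control replaces the other, and neither replaces reputation data that can identify the pool's addresses as proxies in the first place.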
Finding the Balance
Balancing account protection and user experience in web applications requires more than a single control. By implementing contextual security measures, organisations can:
- Improve security without unnecessary impact on user experience
- Adapt to threats in real-time
- Reduce the risk of compromised credentials and account takeovers
- Protect against proxy-routed automated attacks and against exposure through the APIs behind mobile applications
As threats change, account protection needs to change with them. Contextual security gives organisations a practical way to protect users and their reputation.