TL;DR: Fraud teams should use targeted friction rather than blanket step-ups, because 67% of attendees said they are struggling to block fraud without flagging trusted customers, while 93% of consumers say they will accept additional security steps during checkout or login, according to Sift. The key challenge is making friction proportional, risk-based, and timely enough to protect both conversion and trust.
At a glance
What this is: This session argues that fraud controls work best when friction is selective, risk-based, and introduced at the point where it protects both the transaction and the customer experience.
Why it matters: For identity and fraud teams, the lesson is that verification policy must balance assurance, abandonment, and behavioural risk, especially where step-up controls and account protection overlap.
By the numbers:
- 67% of attendees said they are trying to solve both problems at once: too many trusted customers being flagged and too many fraudulent transactions getting through.
- 93% are willing to accept additional security steps during checkout or login.
- 52% of consumers say they would stop using a platform after experiencing fraud.
👉 Read Sift's session on reducing friction without compromising fraud security
Context
Digital trust depends on applying the right control at the right point in the journey. In fraud programmes, friction is not inherently bad, but blanket friction creates the same governance problem as any overbroad identity control: it blocks legitimate users without materially improving assurance.
That matters to teams responsible for identity verification, step-up authentication, and account protection because customer-facing controls influence both risk and conversion. The article’s core point is that fraud decisions are really policy decisions about timing, context, and proportionality, which makes them relevant to identity governance even when the subject is fraud prevention.
Key questions
Q: How should fraud teams implement targeted friction without hurting conversion?
A: Start by classifying journeys by risk and customer intent, then assign the lightest effective control to each path. Use passive monitoring for normal behaviour, step-up authentication for meaningful anomaly, and manual review only where loss exposure justifies it. The goal is precision, not maximal obstruction, because unnecessary friction directly affects abandonment and revenue.
Q: When does friction become a security problem instead of a control?
A: Friction becomes a problem when it is applied without context, repeated after a user has already proven trust, or triggered by static thresholds that attackers can learn. At that point it starts blocking legitimate users while still missing adaptive fraud. Teams should judge controls by both fraud reduction and customer drop-off.
Q: What do security teams get wrong about step-up authentication?
A: They often treat step-up as a single control rather than a policy outcome. Step-up only works when it is tied to risk signals, placed at the right point in the journey, and re-evaluated as user behaviour changes. Otherwise it becomes either noisy for customers or predictable for attackers.
Q: Who is accountable when fraud controls block trusted customers or miss fraud?
A: Accountability should be shared across fraud, IAM, product, and finance because the control affects security, conversion, and customer trust at the same time. Governance breaks when one team owns the rule but another absorbs the business impact. Shared review and clear escalation paths are the only practical answer.
Technical breakdown
Targeted friction vs blanket step-ups
Friction is any additional action a user must complete before finishing a task, such as CVV entry, two-factor authentication, ID upload, or manual review. The technical problem is not the existence of controls, but the policy logic that decides when to invoke them. Blanket step-ups are easy to reason about but easy to game, because attackers learn the threshold and stay just below it while trusted users experience unnecessary drag. Adaptive friction uses behavioural and contextual signals, such as device history, payment familiarity, location, and transaction type, to decide when extra verification changes the risk posture.
Practical implication: build decisioning rules that vary by context instead of applying the same step-up to every user and transaction.
Why timing matters in identity verification
Verification has a customer-experience cost, but that cost changes depending on where the control appears in the journey. A passport request during browse or signup creates more abandonment than the same request at checkout or during a high-risk account change. In identity terms, the control is not just what you ask for, but when you ask for it relative to user intent and the value they have already received. This is why risk-based orchestration matters: controls should follow the point where fraud risk rises, not the point where policy owners can most easily enforce them.
Practical implication: move heavier verification steps later in the journey unless the risk signal justifies earlier intervention.
How step-up signals become governance signals
Step-up authentication and manual review are often treated as operational settings, but they are also governance signals. High review rates, repeated customer complaints, and rising abandonment show that policy thresholds are misaligned with real user behaviour. If the same controls are never re-audited, they drift from protection into friction for its own sake. That creates a governance gap similar to stale access policy in IAM: the control still exists, but it no longer matches the threat or the business process it was meant to protect.
Practical implication: review step-up triggers as policy controls, not just fraud-team tuning parameters.
Threat narrative
Attacker objective: The attacker wants to complete fraud activity while remaining below the control thresholds that would trigger step-up verification or manual review.
- Entry begins when fraudsters exploit predictable friction rules, low thresholds, or weak behavioural checks to move through account or checkout journeys.
- Escalation occurs when attackers stay beneath static limits, reuse trusted devices or payment patterns, and avoid the controls that trigger stronger verification.
- Impact is fraudulent purchase completion, account takeover, chargebacks, or customer abandonment when legitimate users are blocked by overbroad controls.
NHI Mgmt Group analysis
Right-sized friction is a policy design problem, not a UX preference. Fraud teams often frame friction as a customer-experience issue, but the deeper issue is governance. Every extra step is a policy decision about assurance, loss prevention, and user abandonment, and those decisions must be aligned to risk context rather than static thresholds. The strongest programmes treat friction as a dynamic control surface, which means the practitioners’ job is to tune policy to risk, not to maximise or minimise friction indiscriminately.
Identity teams should recognise that customer verification and account protection are converging. The same signals used to decide whether to step up a transaction increasingly sit beside identity proofing, login security, and account change controls. That creates a boundary problem for IAM and fraud teams, because one control can now affect both trust and conversion. Where identity verification, authentication, and transaction policy meet, governance needs shared ownership and clear escalation paths.
Threshold-based controls create a predictable attack surface. Static rules are attractive because they are simple to operate, but fraudsters adapt quickly when they can infer them. This is the same failure mode seen in weak access policy: once a threshold is known, it becomes a target rather than a deterrent. The practical conclusion is that adaptive controls and regular policy review are now core governance requirements, not optional optimisation work.
Friction analytics should be treated as part of fraud governance evidence. Complaints, abandonment, review queue growth, and conversion impact are control outcomes, not just product metrics. When those signals are ignored, teams end up defending a policy that looks safe on paper but performs poorly in practice. For practitioners, that means security decisions must be measured against business and trust outcomes together.
Transaction friction exposes a broader verification trust gap. The underlying challenge is deciding when a customer has proven enough continuity to be trusted and when new behaviour should trigger extra scrutiny. That is a governance question that spans fraud, identity verification, and account lifecycle controls. Practitioners should treat this as an ongoing trust calibration problem rather than a one-time rule-set exercise.
What this signals
Targeted friction programmes should be measured like identity controls, not just like conversion experiments. The key signal is whether step-up rules reduce loss without creating avoidable abandonment or support load. For teams that also manage authentication and verification, this is a reminder that risk-based decisioning needs shared governance across fraud and identity disciplines.
A useful next step is to separate control effectiveness from customer tolerance. The same organisation can improve fraud outcomes and still create a poor trust experience if timing is wrong or thresholds are too rigid. Teams that treat friction as a living policy will be better placed to adapt as attack patterns and customer expectations change.
For practitioners
- Map friction to specific risk states Separate low-risk, medium-risk, and high-risk journeys and assign different controls to each, such as passive monitoring, step-up authentication, or manual review. Avoid using one threshold for every login, payment, and account change.
- Audit threshold drift regularly Review step-up triggers, manual review queues, and abandonment patterns on a fixed cadence so controls do not become outdated or easy to predict. Include fraud, product, customer experience, and finance stakeholders in the review.
- Sequence verification to match user intent Place heavier identity verification after customers have seen value, unless the transaction risk justifies earlier intervention. This reduces unnecessary abandonment while preserving stronger checks for payouts, withdrawals, and account changes.
- Use behavioural context before escalating Incorporate repeat device history, payment method familiarity, shipping details, and location consistency into decisioning so trusted users are not repeatedly challenged for normal behaviour.
Key takeaways
- Fraud friction works best when it is targeted to risk, because blanket controls block trusted customers without eliminating adaptive fraud.
- The evidence in the session shows a clear tolerance for security steps, but only when they are timely and proportionate to the journey.
- Practitioners should treat step-up triggers, manual review, and abandonment as governance signals that require regular review.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-7 | Adaptive friction supports context-aware access decisions in customer journeys. |
| NIST SP 800-53 Rev 5 | IA-2 | Step-up checks are part of identity and authentication assurance. |
| GDPR | Art.32 | Identity verification and fraud controls can involve personal data processing and security safeguards. |
Tune verification rules so access decisions reflect risk context and user behaviour, not static thresholds.
Key terms
- Friction: Friction is any extra step a customer must complete before finishing a task, such as a login challenge, identity check, or manual review. In fraud programmes, it is a control design choice that can either improve assurance or create avoidable abandonment if it is applied too broadly or too early.
- Step-up Authentication: Step-up authentication is a stronger verification step triggered only when risk increases, such as an unusual login or a sensitive account change. It is meant to raise assurance without forcing every user through the same burden, which makes policy design and trigger quality critical.
- Digital Trust: Digital trust is the confidence that a customer, transaction, or account interaction is both legitimate and appropriately protected. It depends on the balance between security, usability, and clear signalling, and it is weakened when controls feel random, excessive, or disconnected from the user journey.
What's in the full article
Sift's full session covers the operational detail this post intentionally leaves for the source:
- The live discussion of how to decide when friction belongs at signup, login, checkout, or account change.
- The practical examples of step-up authentication, manual review, and identity verification used to balance fraud loss and conversion.
- The audience poll results and commentary on where teams are struggling most with trusted-user flags versus fraud leakage.
- The customer-experience framing that helps teams explain why a control exists without overloading users.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It gives practitioners a structured way to connect identity controls to operational risk across modern security programmes.
Published by the NHIMG editorial team on 2026-06-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org