How adding user friction helps prevent fraud

When designing user interactions, we typically think of user friction as something to avoid at all costs. But there are times when some amount of friction is actually a good thing. Making a down payment on your house? That probably shouldn’t be a seamless UX — you’d much rather have a few checks to make sure the money is going to the right place and the amounts are correct. 

User friction protects against abuse, ensures compliance with regulations, and builds confidence that your product is trustworthy and safe. With the right tools, you can introduce friction in ways that are thoughtful and beneficial to the user experience, rather than frustrating and arbitrary. 

When is adding user friction good?

You can deploy friction as a security feature in many places on your site or app, reducing the risk of loss for you and your customers. In addition, friction can reassure the user that their account is secure and reduce the risk of errors. Here are some ways friction can be beneficial. 

Reducing risk when suspicious behavior is detected

Online fraud is a huge and growing problem. According to an FTC report, fraud losses totaled $12.5B in the US in 2024, and another report shows that globally, over $1T was lost to scams in the same period. 

Fraudsters and scammers will try to create accounts using fake information or another person’s identity. They might get the credentials for an existing login by scamming, phishing, or hacking. To counter this, you can look for suspicious activity during registration and throughout the customer's lifetime, and add friction when things don’t look right. For instance, a bank may require extra confirmation to make a large transfer to a foreign account.

Ensuring compliance with local regulations

Your site or service may need to adhere to various standards, whether required by law or industry practice. These include HIPAA consent forms for health information in the United States, and the cookie consent notifications of the EU’s GDPR and ePrivacy Directive.

The U.S. Children’s Online Privacy Protection Act (COPPA) is an instructive example of intentional regulatory friction. Under this law, any site collecting personal information about children under 13 must first seek and collect a parent’s verifiable consent using approved methods such as ID verification or a call to an agent.

Confirming user intent for high-stakes actions

Friction is frustrating when it gets in the way — but it’s often helpful when taking an important step that’s hard to undo. Confirmation dialogs when deleting data, closing accounts, or making significant purchases are all examples of places where friction helps the user experience by preventing costly mistakes. 

Building customer confidence 

A recent report found that since the beginning of 2025, 16 billion passwords have been leaked. Securing data is top of mind for many users today, and some amount of friction in the name of security can actually be reassuring. Nobody likes to do extra work, but savvy users will respect a request for more information when logging in from a new device or a new location. Requiring multi-factor authentication can reassure users that their account details and data are protected by state-of-the-art measures. 

Best practices for balancing friction & convenience

Some amount of user friction can be good, but to avoid a frustrating experience for customers, it’s best to limit friction to just those interactions where it’s truly necessary. Here are a few tips for striking the right balance: 

  • Understand the user’s expectations: To the user, any friction they encounter should feel intentional and purposeful, not random. You can achieve this by carefully thinking through the user journey or sequence of steps a user takes to accomplish their goal with your product. At each point, ask yourself if they’re seeking convenience, or if they need extra comfort or confirmation.
  • Make the amount of friction proportionate to the action: Compared to low-impact daily tasks, actions that are more consequential or powerful are places to consider implementing more friction. For example, a cloud computing provider may make it possible to log in with a regular account without MFA, but require it for a root account. A bank may let you transfer small amounts easily, but have a daily limit that requires a phone call to increase.
  • Rely on existing security tools and paradigms: Many platforms have security features built in that offer a streamlined UX while improving security. If your business has a mobile app, you can offer biometric authentication, for example. OAuth allows customers to use their existing accounts — e.g., from Google or Microsoft — to log into your service with one or two clicks.
  • Look for security measures that add no friction: One example is notifying customers via email or SMS when you detect suspicious activity. This allows your customer to contact you if there is a problem and builds confidence that you’re keeping their account secure, but is otherwise minimally intrusive.

In summary, it’s best to tailor your friction to every user and every interaction. Just as you would personalize your UX to give different customers different experiences, you can use device intelligence to trigger friction only when there’s suspicious activity, while genuine customers get a seamless flow.  

Device intelligence for adaptive authentication and user flows

Device intelligence is the process of collecting and analyzing detailed information about a device, like its browser configuration, hardware settings, and network characteristics, to create a unique and persistent device profile. This data not only allows businesses to recognize returning devices, but also helps to understand the intent behind a visitor, detect risky or suspicious activity, and tailor responses accordingly. Unlike traditional identifiers like cookies or IP addresses, device intelligence offers a more resilient and nuanced way to recognize returning devices, even if they try to hide or change their identity.

Here are some ways device intelligence can be used to apply friction dynamically depending on the user and scenario. 

Using device recognition

Device intelligence lets you recognize devices and associate them with users, actions, login attempts, etc. You can then use this data to selectively introduce friction. For example, if you store devices users have used to log in, you could require MFA for their first login from a new device, but make additional factors optional thereafter by offering a "remember my device" option.

You can also implement proactive monitoring and add friction if you notice risky usage patterns. For example, you may send an SMS warning the first time a new device makes a suspicious card purchase, then block or flag any subsequent attempts by that device. 

Using browser and device signals

The signals from device intelligence can provide evidence of fraudsters trying to hide their identity via anti-fingerprinting settings and browser tampering. Detecting these features could raise flags for further verification, such as requiring multi-factor authentication. 

Fraudsters use bots to scale up their fraud attempts, which makes it crucial to detect bot activity. Device intelligence can classify a visitor as a good bot (e.g., a web crawler), a bad bot (e.g., likely a fraudster or spammer), or a genuine visitor to aid bot detection. You could block bots entirely by redirecting them to a page stating that suspicious activity has been detected, and by terminating any logins if needed.

Another useful signal is location. Device intelligence can detect location anomalies, such as someone registered in the UK accessing the site from Singapore, more accurately than an IP address alone. You can use this as a cue to add friction if the new location is unexpected, but you can also let your users tell you about travel plans in advance to avoid this inconvenience.
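
The device-recognition and signal rules from the two sections above, combined into one server-side decision function. This is an added example, not Fingerprint's code or API: every field name (`rememberedDevices`, `warnedDevices`, `travelCountries`, `bot`, `tampering`, `country`) and the four friction levels are assumptions made for illustration.

```javascript
// Added example. All field and signal names are hypothetical, not a vendor API.
const LEVELS = ["allow", "notify", "mfa", "block"]; // weakest to strongest

function decideFriction(user, signals, action) {
  let level = "allow";
  const reasons = [];
  const raise = (to, why) => {
    if (LEVELS.indexOf(to) > LEVELS.indexOf(level)) level = to; // keep the strongest
    reasons.push(why);
  };
  const id = signals.deviceId;

  // Bad bots are blocked outright; good bots (crawlers) pass through.
  if (signals.bot === "bad") raise("block", "bad bot");
  // Anti-fingerprinting or browser tampering is a cue for further verification.
  if (signals.tampering) raise("mfa", "browser tampering");
  // First login from an unrecognized device needs MFA; remembered devices skip it.
  if (action.type === "login" && !user.rememberedDevices.has(id)) {
    raise("mfa", "new device");
  }
  // An unexpected location adds friction unless the user announced travel there.
  const abroad = signals.country !== user.homeCountry;
  if (abroad && !user.travelCountries.has(signals.country)) {
    raise("mfa", "location anomaly");
  }
  // Suspicious purchase: warn (e.g. SMS) on a device's first attempt, block repeats.
  if (action.type === "purchase" && action.suspicious) {
    if (user.warnedDevices.has(id)) raise("block", "repeat suspicious purchase");
    else raise("notify", "first suspicious purchase");
  }
  return { level, reasons };
}

// Persist what a decision implies so the next request from this device sees it.
function recordOutcome(user, signals, decision, mfaPassed, rememberDevice) {
  if (decision.reasons.includes("first suspicious purchase")) {
    user.warnedDevices.add(signals.deviceId);
  }
  if (decision.level === "mfa" && mfaPassed && rememberDevice) {
    user.rememberedDevices.add(signals.deviceId);
  }
}

// Constructed sample user: registered in the UK, has announced a trip to France.
function sampleUser() {
  return { homeCountry: "GB", travelCountries: new Set(["FR"]),
           rememberedDevices: new Set(["dev-A"]), warnedDevices: new Set() };
}
```

Because the strongest level wins and every triggered rule is recorded in `reasons`, the same decision can drive both the user-facing step-up and the audit trail.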

Friction in the right places can help prevent fraud

Many product teams see friction as something to minimize and eliminate. However, it can be helpful to confirm the user’s intent in high-stakes actions and to avoid fraud when suspicious behavior is detected.

With device intelligence, you can implement friction that supports a safe, trustworthy user experience rather than getting in the way. Fingerprint is a device intelligence platform that provides a unique visitor ID with industry-leading accuracy and surfaces over 20 Smart Signals to help determine user intent, such as detecting VPNs, bots, or browser tampering.

To learn more about Fingerprint and see how it can help your site adjust friction to the necessary level, increase security, and prevent fraud, please contact our team.
