Telerik blogs
Considering how frequently fintech is targeted by hackers, it’s no surprise that consumers feel wary about using them. But if your client has ensured security on their end, you can design the app to show users how secure it really is. Here are nine security features you should be using.

Fintech adoption may be growing faster than expected thanks to the events of 2020 … But just because there’s a growing demand for mobile finance technologies, that doesn’t mean fintech users have tossed aside their security and privacy concerns.

Those worries are still there—and with good reason.

In 2020 alone, Finastra was hit with a devastating ransomware attack, 2,000 Robinhood accounts were attacked and Dave’s data breach impacted 7.5 million users.

Data misuse is also a valid concern. 90 consumers filed a complaint against Klarna for using their data when they’d never given them permission to do so.

Now, even if your client is running a tight ship when it comes to app security, claiming that the app is secure on the website’s landing page or app store listing might not do much to instill trust in users.

Consumers might not be able to inspect your code or systems or even know what to look for. However, they do know what it looks like on the frontend when they’re interacting with a well-secured app. And this is why fintech apps need to be designed with security features.

Today’s we’re going to look at nine of these features and some good examples of their implementation:

1. Use HTTPS on Your Website

Many fintech apps are promoted outside of the app stores. If yours has a website of its own, then use this opportunity to make a strong impression in terms of security with an SSL certificate.

Here’s how it looks in the browser tab when you visit the Kabbage website:

The Kabbage website has an SSL certificate installed, so that it runs over HTTPS.

The lock symbol and HTTPS before the domain name tell us this website is secure. Visitors can even open up the domain details and check out the SSL certificate information.

Now, if visitors don’t know or don’t bother to look at the URL, that’s okay. The SSL certificate gives your website an edge up on competitors that don’t use one. That’s because security—specifically HTTPS—is one of Google’s ranking signals.

So, it’s worth it either way.

2. Add a GDPR Notice

This is something you should include in any websites or apps that collect information from users, no matter how minor it may seem. So, if the website generates leads or allows users to sign up, it should appear there.

It can also go inside your app. Here’s what it looks like in the Xoom app (as well as all other PayPal apps):

Xoom displays a sticky notice at the bottom of its app. It informs users about how it uses cookies to improve the experience and allows users to accept the terms by clicking ‘Yes, Accept Cookies’.

If your app uses cookies to store user data, to personalize their experience or to restore their session in the future, then you need to get their consent to do so.

In the case of Xoom, it briefly explains how cookies enhance the in-app experience. Users can either accept the cookies or they can click “Learn more and manage your cookies” to update their tracking settings.

Offering cookie customization options is a good idea if you want to instill greater trust in your users.

3. Address Security and Privacy During Onboarding

One of the problems with many fintech apps is that they don’t address security or privacy until users have already signed up. Even then, the information is usually stored in some secondary menu.

Rather than wait until after signup, start addressing the matter of security during the onboarding process.

Zelle handles this nicely:

The first step of Zelle’s onboarding process asks users to enter their mobile number. Links to Terms of Use and Privacy Policy are located at the bottom.

For anyone wondering why their phone number is needed and how to get out of SMS communications, Zelle provides a brief explainer under the Mobile Number field.

It also includes links to its Privacy Policy and Terms of Use at the bottom of the page in case users want to learn more.

Even if users skip over those links, Zelle doesn’t let that important security information go unnoticed. This is the next screen users see:

Zelle’s onboarding process includes a screen dedicated to Privacy & Security, answering questions ‘How will Zelle use my data?’ and ‘How can I keep my money safe?’ Users are required to consent to the policies before continuing.

Zelle addresses the matter of security and privacy in a concise and easy-to-read manner. It also provides helpful links along the way in case users still aren’t convinced.

Before they enter the app, users are required to consent to the security policies, which I think is a smart move. It forces users to think about something that could otherwise be easily dismissed or ignored … That is, until something happens to their data that they don’t like.

4. Encourage Stronger Passwords

While you can’t force your users to create a unique password for your app, you can ensure that the one they pick is difficult to crack.

What I like about how Truebill handles this is that its password strength indicator uses color:

During the signup process for Truebill, users are asked to create a password. As they enter characters into the by-default hidden field, the password strength indicator goes from red to yellow to green.

We know that people have an emotional connection to color. So, when they start to fill out the hidden password field with their characters, they’ll watch the indicator bar go from red (weak) to yellow (okay) to green (strong).

It’s a good way to encourage them to add more characters and to mix them up with numbers, capital letters and symbols.

5. Include 2FA / MFA

Strong passwords aren’t totally immune to being hacked, even if they’re unique to your app.

To give your users a security boost, allow them to enable two-factor authentication (2FA) or multi-factor authentication (MFA) during signup as well as from their settings.

There are a variety of options you can give them:

Xoom has two. The first is a six-character code sent to the user’s mobile device:

This is the Xoom two-factor authentication verification screen. After a user logs in, they must request a six-character code, retrieve it from their mobile messages and input it in the field.

They retrieve the code from their messages and then have 10 minutes to input it into the field.

The other 2FA option is a biometric login:

Xoom users can replace the traditional login process by turning on biometric login from their settings.

This option takes the user’s biometric login from their phone—like a thumbprint or face ID—and replaces the traditional Xoom login process with it.

Another MFA option is the passcode. Mint offers this one to its users:

Mint allows users to set a passcode to fortify access to the app and their data.

Users still have to log in as usual. However, before they’re granted access inside the app, they must provide a four- or six-digit code that they came up with themselves.

6. Enable Privacy Control

Every mobile app should have a dedicated section to security matters. That’s a given. However, if there’s a way to let your users control some of the more flexible security and privacy settings, that would certainly help bolster their trust.

Mint, for example, includes this setting under Privacy & Security:

Mint allows users to decide if they want to see personalized third-party ads in the app based on their data.

It’s not uncommon for mobile apps to make money by running third-party ads. However, what’s uncommon is for mobile apps to give users the ability to decide if they want to share their data so these ads may be personalized to them.

7. Notify Users About Third-party Security

Like other types of professional or productivity software, fintech apps sometimes need to connect to other platforms in order to be of value to users.

Take, for instance, Truebill:

Truebill uses Plaid to encrypt the connection between its app and its users’ financial institutions.

This money-management app allows its users to connect to their financial institutions, credit card companies and other relevant services. Without this integration, users would have to manually record their financial records.

Not only does Truebill provide assurances about the safety and privacy of this data transfer, but it name-drops Plaid. This way, users can look into the company that actually handles the connection.

Anytime you can offer this level of transparency, take it. Your users will be thankful you did.

8. Include Trust Seals in Key Areas of the App

Including Plaid’s logo is a type of trust mark or seal. But there are others you might be able to include in your app.

ItsDeductible—like other Intuit apps—includes a TRUSTe trust mark in the Settings area of the app:

ItsDeductible includes a section under Settings dedicated to its TRUSTe privacy certification.

Users can click through to learn more about the privacy certification and how it helps keep their data safe.

That’s, of course, something to keep in mind. A lot of times what we see on websites, for instance, are trust marks for products like McAfee, Norton and BBB. But they’re just logos. If you can elaborate on what exactly the trust seal stands for, it’ll have a greater impact on your users’ trust and confidence.

9. Send Trustworthy Notifications

Last but not least, configure your app to send security-related push notifications and emails. Better yet, allow your users to decide which kinds of security matters they want to hear about and where they want them delivered to.

When setting up the messaging for them, make sure it’s clear where it’s coming from and what they need to do with the message.

For instance, do they need to verify that they logged in? This PayPal email simply lets me know that an unrecognized device logged into my account:

PayPal new login email alerts users to logins associated with unrecognized devices. It provides the device, browser and version along with the date of login to help verify the activity.

There’s no action I need to take so long as the details provided check out with my own activity. If not, PayPal helps me take next steps.

How about sending along security codes? While I was testing out apps for this article, I received a whole slew of them:

Security push notifications from Discover Bank, Bank of America, Wealthfront, PayPal and Stripe.

You can see the variation in push notifications I received from different apps:

  • The first one came in with no identification. While I knew which app it belonged to at the time, I have no idea now that I look back at this.
  • Discover Bank sent me a six-character code to confirm it was me trying to get in.
  • Bank of America did as well. It also provided some useful tips on what to do with the code and when to trust it.
  • Wealthfront texted me to confirm that I enabled 2FA during onboarding.
  • PayPal sent me a six-character security code and gave me 10 minutes to use it.
  • Stripe sent me a security code as well and reminded me not to share it.

There are clearly different ways to handle 2FA notifications. But I think that including the code along with helpful reminders will put your users at ease when using it.


From the very second your users open your app, their data’s security and privacy should never cross their mind. Except maybe to think about how much safer they feel logging in with MFA than the one they used previously that didn’t have it.

It’s the company’s job to create a secure application for their users. However, you’re going to play an important role in this as well. If your design and its features can convey to users that their data is safe, they’ll feel more confident and positive about their experience within the app.

About the Author

Suzanne Scacca

A former project manager and web design agency manager, Suzanne Scacca now writes about the changing landscape of design, development and software.

Related Posts


Comments are disabled in preview mode.