A new Forrester study on the security and ease of use at Amazon, Home Depot, Macy’s, Staples and Walmart sites reveals the best and worst performers.

Balancing security concerns with the need to provide an easy-to-use shopping experience can be challenging for any online retailer.

The presence of too many roadblocks for customers during registration, login or checkout, for example, means a customer may turn away. Too few security measures, on the other hand, could leave a retailer and the customer exposed to malicious attacks.

A new benchmark study conducted by Forrester Research Inc. finds that many online retailers are better at giving consumers a convenient shopping experience than they are at providing strong security measures. And many of the top online retailers have very different ways of balancing the two.

The study scored Amazon.com Inc., Wal-Mart Stores Inc., Staples Inc., Home Depot Inc. and Macy’s Inc. on their relative security strength, meaning how hard each site makes it for hackers to gain unauthorized access, and on ease, or how easy it is for the customer to register, log in, reset passwords and make purchases. The image below shows the results.

Amazon scored above average on security strength, and about average on ease. On the plus side, it was the only retailer of the five to offer two-factor authentication. With such authentication, a password is required for a customer to change her email address, for example, and if a customer switches a phone number, Amazon sends a text and verification code to the new number provided.


On the down side, Amazon does not lock users out of their accounts after multiple failed login attempts.

Macy’s and Home Depot tied for first in Forrester’s study for security ease. Macy’s, for one, notifies a customer via text message or email of any changes to her account, like a new phone number or email address. On the down side, in Forrester’s view, Macy’s allows users to reuse old passwords.

Home Depot earned high marks for a strict password lockout policy—the company locks users out after the sixth failed attempt—but it has no requirements for password composition beyond an eight-character minimum.

Walmart earned an average score for ease of use—it doesn’t allow shoppers to reuse old passwords and it locks users out after 10 failed attempts. But it does not authenticate changes to a user’s account, meaning the retailer does not send confirmation emails to customers’ new email addresses after they have been updated.


Staples scored highest on security strength, largely due to requirements on password complexity and its practice of sending text alerts to users who change their phone number. Its security ease score was the lowest, however, as it does not send an email when a customer registers on its site, nor does it require any authentication if a customer wishes to change her email.

Forrester suggests the following best practices for retailers looking for a good balance on security and ease of use:

  1. Monitor customer behavior and respond accordingly. If a retailer tracks that a user is logging in from a different IP address or device than is the norm, it should require additional steps for authentication.
  2. Confirm profile changes with customers. When customers change their email address or phone number, retailers should communicate with them via email or text to confirm the change. This will help customers know that the retailer aims to protect them.
  3. Strengthen passwords. Don’t allow customers to reuse old passwords and require more complexity from customers, including the use of uppercase and lowercase letters, numbers or symbols.
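
A sketch of how practices 1 and 3 and the failed-login lockout discussed above fit together in a login service. This is an added example, not code from Forrester or any of the retailers. The `Account` structure, the function names, PBKDF2 for the password history, and the thresholds (six failures, mirroring the lockout count reported for Home Depot, and the eight-character minimum) are all assumptions.

```python
import hashlib, hmac, os, string
from dataclasses import dataclass, field

MAX_FAILURES = 6   # assumed lockout threshold (configurable)
MIN_LENGTH = 8     # assumed minimum password length (configurable)

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:                                     # hypothetical account record
    history: list = field(default_factory=list)   # (salt, hash) of current and past passwords
    known: set = field(default_factory=set)       # (ip, device_id) pairs already verified
    failures: int = 0                              # consecutive failed logins

def password_problems(acct: Account, candidate: str) -> list:
    """Return the policy rules the candidate password violates."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.isupper() for c in candidate) or not any(c.islower() for c in candidate):
        problems.append("needs upper and lower case")
    if not any(c.isdigit() or c in string.punctuation for c in candidate):
        problems.append("needs a number or symbol")
    # Reuse check: hash the candidate under each stored salt, compare in constant time.
    if any(hmac.compare_digest(_hash(candidate, s), h) for s, h in acct.history):
        problems.append("reuses an old password")
    return problems

def set_password(acct: Account, candidate: str) -> list:
    problems = password_problems(acct, candidate)
    if not problems:
        salt = os.urandom(16)
        acct.history.append((salt, _hash(candidate, salt)))
    return problems

def login(acct: Account, password: str, ip: str, device_id: str) -> str:
    if acct.failures >= MAX_FAILURES:
        return "locked"                  # stays locked until reset out of band
    if not acct.history:
        return "denied"
    salt, current = acct.history[-1]
    if not hmac.compare_digest(_hash(password, salt), current):
        acct.failures += 1
        return "locked" if acct.failures >= MAX_FAILURES else "denied"
    acct.failures = 0
    if (ip, device_id) not in acct.known:
        return "step_up"                 # unfamiliar IP or device: require extra authentication
    return "allow"

def trust(acct: Account, ip: str, device_id: str) -> None:
    acct.known.add((ip, device_id))      # call only after the extra step succeeds
```

The caller is expected to run its second-factor check on `"step_up"` and call `trust()` only when that check passes.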

Amazon is No. 1 in the Internet Retailer Top 1000. Wal-Mart is No. 3, Staples is No. 5, Macy’s is No. 6 and Home Depot is No. 7.