It’s no surprise that most people are frustrated by having to juggle passwords to access their ever-growing list of digital accounts. Once upon a time, it made sense to gate-keep access to digital services with usernames and passwords. However, now that the average user has around 150 online accounts (with this set to increase to 300 by 2022), it’s no wonder people are struggling to remember all their passwords.
To simplify things, some people reuse the same password for multiple accounts or choose simple, easy-to-guess passwords, while others outsource the task of monitoring their passwords to password management services. These habits can lead to users suffering major data breaches, but even when they do lose valuable data and money through breaches, most users still do not update their passwords. It’s clear that there is drastic need for change when it comes to managing passwords. Fortunately, the future has finally arrived, and it looks like it may be passwordless.
Understanding passwords: Different forms of authentication
In order to understand the future of passwords, it’s important to first understand what passwords are. Primarily, a password is ‘something you know’ – a secret combination of letters, digits or symbols that allows a user access to an account. More technically, it can be described as a static knowledge-based authentication credential.
There are two other types of authentication credentials: possession and inherence. Possession is ‘something you have’; for example, a token or digital device that can receive a one-time password, or an ‘approve’ button delivered via push notification in a mobile app. Inherence is ‘something you are’ – a unique biological trait like a fingerprint or facial ID.
All authentication works on the simple premise that a user will be granted access to an account once they have proved their identity by providing a username and verifying it with at least one form of authentication. So, if we want the future to be passwordless, which IT professionals are appealing for, we will need to switch to other forms of authentication.
How to become passwordless: Biometrics and possession authentication
Fortunately, we already have the means to leave the old days of passwords behind us, many of which are already commonplace. For example, most people now use biometrics, such as fingerprint technology or facial recognition, to access their devices rather than a PIN. Companies such as Apple, Android and Samsung all offer these options on their mobile devices, and even financial institutions have begun to adapt accordingly.
Biometric authentication goes a long way towards improving security and user-experience. However, it’s possible to further enhance this level of security by combining multiple forms of authentication, one of which should ideally be communicated through an out-of-band channel. In this way, users can prove that they have more than one of the devices or channels linked to their identity, so that if one authentication channel is compromised by a malicious party, there is another form of authentication that can still provide a barrier to prevent bad actors gaining access.
How a combination of biometrics and possession authentication can improve security
Using a combination of authentication methods is called two-factor authentication (2FA) or multifactor authentication (MFA). Multifactor authentication is the best way to secure an account – it makes an account 99.9 percent less likely to be compromised, according to Alex Weinert, Director of Identity Security at Microsoft. That said, over half of the 3,500 users in a Google survey did not know what 2FA and MFA were, while another report found that only 10 percent of Google accounts use 2FA. Therefore, to ensure a passwordless future, we need to educate people how to use these methods of authentication. In the meantime, however, there are other forces at play that may in fact speed-up adoption.
With biometric capabilities now available on most smartphones, we are starting to see this authentication option being applied in use cases other than accessing the phone itself: according to Deloitte’s UK-focused Mobile Consumer Survey 2019, nearly half of respondents with a smartphone now use fingerprint recognition, and of smartphone owners who use biometric readers, 48 percent have used this method of authentication to authorize payments (up from 35 percent in 2017) and 32 percent have used them to authorize money transfers to other people or organizations (up from 20 percent in 2017).
This behavior combined with industry leaders starting to align themselves to an international standard called FIDO (Fast ID Online) will have a major impact on security and authentication across industries. The objective of the FIDO international standard is to make passwords obsolete by replacing them with possession and biometric factors. The standard also uses encryption technology to ensure that users’ credentials cannot be accessed or stolen.
What this means in practice is that the barriers to implementing secure authentication through biometric or hardware devices are lessening significantly. Leading web browsers, smartphone platforms, software providers, and hardware providers are already releasing FIDO-certified hardware as well as certifying their platforms for FIDO authentication. Several tech giants – Google, Microsoft, and Apple – already support this standard. Because FIDO simplifies the risk and process of using biometrics or hardware for authentication, more online services and hardware (smartphones, laptops, desktops, etc.) will adopt this method of authentication. As a result, a higher percentage of the population will utilize and trust biometrics for all services that require authentication as it significantly eases the authentication process and increases security.
Biometrics, PIN keys, and second-factor devices are all FIDO-secure methods of authentication that have demonstrated decreased checkout abandonment and fraud incidence rates; however, authentication by biometric results in the least friction for consumers in the authentication process. Additionally, for payment institutions requiring extreme certainty and verification of user devices, the registration protocol outlined by FIDO includes an attestation procedure, which further minimizes fraud.
With a plethora of ratifying data pointing to a continuing upward trend in biometric usage, combined with the industry-wide use of FIDO, this could be the solution that will finally free us from the burden of endless passwords, opening the doors to a brighter, passwordless future.
Simon Armstrong, VP of products, Entersekt