Rumors of the death of the password, to paraphrase Mark Twain, are not all that greatly exaggerated.
But, boy, is the password hanging on — and certainly not going gently into that good night.
Chalk it up to a matter of time, Philipp Pointner, chief product officer of Jumio, told Karen Webster in a PYMNTS interview, detailing what needs to happen before the password finally gives up its last gasp — and perhaps sooner rather than later.
“The password is on life support,” Pointner said. “It’s ready to go, but it is being kept artificially alive.”
Why the lingering? That’s due, he said, to the fact that there are all kinds of tech-enabled tools that create the illusion that using passwords is just fine, that passwords really are the gateway to commerce and online activity, and that any number of offerings help users corral, monitor and organize their passwords in order to keep them safe.
He pointed to password managers and services that alert consumers to the fact that passwords may have been exposed in data breaches (and so must be discarded).
It all just delays the inevitable passing of the password, said Pointner.
In some ways passwords unintentionally keep friction alive in the eCommerce world, as the archaic is deemed relevant. As Webster noted, password managers are akin to taking photos of checks for deposits, which gives the illusion that checks are easier. But then again, it’s still a check at the heart of the process, which still remains a less than efficient way to pay someone or get paid.
Lipstick on a pig? Pig still there. Password in a password manager/store? Password still there.
And yet the password is ubiquitous, universally accepted by consumers even as the clock ticks. It is the universal acceptance from consumers that keeps businesses from abandoning passwords. As Pointner said, at least today, firms are not going to lose customers because they offer passwords as an authentication method — but they might lose them if they do not offer the use of passwords.
Getting Ready to Pull the Plug
Nothing lasts forever, of course.
“The pain is going to increase, all by itself, over time,” said Pointner of the friction and inefficiencies inherent in passwords. “We’ll see more account takeovers, we will see more theft and certainly more identity theft. It all will reach a level where this will not be manageable without upgrading security and dis-integration processes.”
Against that backdrop, the conversations are increasingly turning to biometrics, across any number of identifying factors, to replace the password. There are fingerprint-based offerings, those tied to facial recognition, and in one example, Amazon is reportedly testing “pay by hand” at a number of Whole Foods marketplaces.
Amid the different current biometric iterations used for identifier verification, Pointner said, the strongest candidates are those based on face or fingerprint. As he told Webster, a bit tongue-in-cheek, the face may have a bit of an edge here.
“You don’t change your face, and if you think about it, the face is the way we identify and build trust with each other,” he said. “I’ve never met someone on the street and then checked their fingers to see if I know them.Voice, though a strong biometric, can be a little harder to isolate due, in some cases, to ambient noise.
Thus, over the near term, then, face-based ID serves as lowest-common denominator and low-hanging fruit to get to the next stage of digital identity’s evolution — to both enroll and get the authentication process in place.
Evolution and Adoption
Adoption, said Pointner, is going to take place in a wave, one that gathers momentum as soon as Big Tech firms lead the way.
And it won’t take long, he said — maybe three to five years.
Businesses, he said, want to move away from passwords, as they’ve viewed the damage that reliance on passwords have wreaked on their own operations and customer relationships. In one example of that groundswell, he said, Microsoft has debuted Windows Hello for Business in Windows 10 and the Microsoft Authenticator app. Apple’s new iPhone may bring back touch ID, a concept that not only unlocks the phone but apps as well.
Tech firms and financial institutions, he said, will have to recognize that password-free environments may necessitate different (or even combined) methods. A user may sign onto banking apps in ways different than signing onto email or websites.
Pointner cautioned that whatever replaces the password must be recoverable. Nowadays, he said, it’s relatively easy to recover and replace passwords, and yet that’s not the case with biometrics in the case devices are lost, stolen or destroyed.
One way to deal with that is to store the biometric data on the cloud and on servers, rather than on the device itself, so it can automatically be backed up, and where technical malfunctions need not hinder consumer/business interactions.
“The data that is stored should be obfuscated in a way where you can never present it back to the system so that the system would say, ‘Oh it’s you again. Hey, I’ll let you into this account.’ That’s a critical step in terms of security,” he said, thus preventing what are known as playback attacks.
With Big Tech firms leading the charge, mandating that users not use their passwords anymore across their operating systems, get ready for a tipping point, said Pointner.
“What needs to happen is someone needs to make the first bold move and really abandon passwords for good,” he said.