Panel: Passwordless Banking, Payments Must Overcome Consumer Headwinds

Ten years is a long time in tech — to dream up new ways of doing things, design them, deploy them and see the masses embrace them.

But some technologies take a longer time to find their footing. Consider Fast ID Online (FIDO). The FIDO authentication protocol debuted back in 2012 and promised us a future where we wouldn’t have to use passwords. Nearly a decade in, it seems to be proving that gaining widespread adoption isn’t as easy as that old adage — build it and they will come — might imply.

Indeed, there may be no easy way for FIDO to make the leap from simple logins to payments, said Entersekt Chief Strategy Officer Dewald Nolte, FIS Head of Authentication Lee Goddard and People’s United Bank Vice President of Fraud and Financial Crimes Karen Boyer. But we’re getting closer to the passwordless future the protocol promises, they told PYMNTS’ Karen Webster in the latest On the Agenda discussion, and the next two years could see a clearer roadmap emerge.

Banking’s State of FIDO Affairs

In Boyer’s estimation, the lack of uptake boils down to a question of supply and demand. The supply — on the part of the banks — is uneven. The demand, from consumers and merchants, has yet to spark, much less ignite.

Smaller banks, said Boyer, don’t necessarily have the technology or the staffing “hands on deck” to be on the forefront of implementing this technology in general — and must rely on third-party providers or core processors to embrace FIDO before being able to offer replacements for password-laden activities.

At a high level, FIDO was designed to solve password logins, to “kill the password” — in other words, streamline the login. As a result, the spec was not designed for payments. Yet, FIDO authentication is forecast to surpass $565 million by 2031. The panelists said that right now, some stakeholders are facing a “trough of disillusionment” that is clouding the current state of affairs around FIDO.

In the meantime, the password is starting to seem more and more like an anachronism in a world of more robust authentication technologies. Even in a world where more than 80% of data breaches involve passwords that have been compromised, 64% of consumers continue to use passwords to access everything from investment to social media accounts — and to make payments.

Consumer Demand is Lacking

There’s at least some awareness that there’s something better out there. More than 60% of consumers have said they would be open to using technology that can eliminate the password once and for all. But the panelists noted that old habits die hard — and the lack of demand from consumers means that the enterprises serving them aren’t rushing to roll out FIDO-compliant features.

Choosing the login name and the password, after all, gives the consumer at least some impression of control. Ceding some of that authentication to someone else, or another entity, is a bit daunting, particularly for older demographics. Not all consumers are alike, and panelists noted that there may be hesitancy on the part of significant swaths of the population to take selfies to help serve as a gateway into commerce and digital ecosystems.

Contended Boyer: “If I’m in an authentication ‘flow,’ but then [all of a sudden] I’m being asked for my selfies, the first reaction is ‘Hmm, wait a second.’”

Selfies, broadly speaking, require a bit more work than simply offering up one’s thumbprint, and they feel a bit more personal, as a consumer must serve up a face with the data.

Uneven Merchant Uptake

FIS’ Goddard noted that, in anticipation of consumer demand, some merchants are embracing FIDO. But thus far, that embrace has largely been confined to larger technology enterprises that see FIDO as a connection to payments. International or Europe-focused enterprises are keen to bring FIDO on board to support multifactor authentication (MFA) that complies with European regulation.

And yet, as Goddard stated of FIDO, “it’s not yet a ‘fully banked’ solution that you can put in front of a merchant that may not have a highly sophisticated technology group that can easily take this up.”

Entersekt’s Nolte said the friction points all prove that there can be a wide gulf between what technology can do and what the market is willing to adopt. The technology alone is not going to change consumer behavior.

But FIDO has some key advantages in place in the eventual evolution toward critical mass. For one thing, the protocol represents at least some form of global authentication standard that promotes a universal, consistent consumer experience.

“There’s a standard of security that can eliminate at least some confusion that fraudsters use to their advantage,” said Nolte.

And operating systems such as Android and iOS are signing on to the protocol, while the World Wide Web Consortium (W3C) is working to support merchants in the bid to deliver better and more secure payment experiences.

“By hitting all of the platforms, you have the tools [to secure web-based payments] at scale … with a consistent experience at checkout,” said Nolte.

We’ll see even further adoption as merchants realize they need not store sensitive data on their consumers and also when the payments networks agree on standards for delegated authentication, which will enable merchants to accept all cards. Nolte likened those issues to “teething problems.”

But the domino effect, said panelists, will begin as merchants and consumers realize that FIDO makes the user experience better while improving security at the same time. In the case of Entersekt, this meant getting a large German client (a bank, in fact) to embrace FIDO fully.

“We are calling for a couple more of these brave clients to really help us move this forward because the juice is worth the squeeze in this case,” Nolte said.

He said a handful of merchants or banks willing to invest time and adoption to figure out how to get consumers on board can move the needle significantly. They’ll be aided by the fact that using biometrics to log in is becoming more familiar to many consumers, no matter if they are on a mobile device or laptop.

No Need for Government Mandate

Boyer was quick to assert that a uniform, standardized approach to authentication can evolve through the private markets and need not necessarily involve a top-down government mandate.

“If banks and companies and merchants all take the stand of advertising FIDO as ‘our new level of digital security,’” then the shift to FIDO would make significant strides. In another approach, the same stakeholders can simply choose to introduce FIDO as the lone protocol on offer, in much the way the EMV shift came from card issuers years ago.

Looking ahead, there’s another domino effect in the mix, one that rips off the proverbial Band-Aid: Fraudsters will seek the lowest common denominator. Past is prologue, said Nolte, who recounted observing that as one bank adopted SMS OTP (one-time passwords) and made their attack vectors smaller, fraudsters would roll over to others that had yet to adopt that stepped-up MFA.

“If you put a high wall around your house, the criminals go to your neighbors,” he said.

The neighboring bank that feels the heat will sign on to the new defenses, he predicted, and will roll it out to users of that financial institution (FI).

Panelists predicted we’ll see widespread FIDO adoption by 2023, climbing well out of the “trough of disillusionment” that currently exists, especially with new specs on the horizon. Boyer predicted that FIs and FinTechs may embrace FIDO, expanding use cases while still offering other forms of authentication.

Said Boyer: FIDO “needs to be brought out into the C-suites of FinTechs, as well as banks, to understand that you don’t want to be the last one to do this.”