Thus far into 2023, “passwordless” remains among the buzziest of buzzwords in identity authentication.
Nicole Jass, chief product officer at Prove Identity, told PYMNTS that despite the burgeoning popularity of biometrics and other advanced authentication methods, passwords are still overwhelmingly — perhaps even surprisingly — prevalent.
That’s evident in the fact that roughly 80% of data breaches are caused by password thefts.
Those of us who have embraced logging in with our faces are not fully protected, she said.
The biometric option is simply a substitute for a password and not yet a wholesale replacement. If a fraudster gets hold of the password itself, they can still log into an unsuspecting victim’s account.
We won’t be truly passwordless, she said, until there are actually … no passwords.
“It’s going to take a while,” Jass said.
And until then, she said, consumers, and corporates, will remain vulnerable.
The Holy Grail, she said, is the experience where a consumer goes to log into an account online, is prompted to create a passwordless account, using, say, their face — and never sets up a password.
That seamless interaction, she said, is one that consumers want, where the first click does the trick. There’s no longer the juggling of various tradeoffs — using the weak password or the strong password, or whether to make up something new (that’s more than likely to be forgotten at some point).
“You won’t need to think about passwords,” she said, adding that “you just log in.” In addition, the device that’s so commonplace in everyone’s hand — the mobile phone — is the additional line of defense that helps companies make sure that consumers are properly identified and verified.
There’s some friction in the mix, on the consumer and the business sides of the equation. Consumers may want passwordless commerce, but they’re not wholly comfortable with it — because they’re concerned that backups are not in place should things go awry. For the merchants, there’s the ever-present challenge of implementing new technologies and getting comfortable with them.
“For the consumers, especially,” Jass said, “one of the areas we’re focusing on is account recovery.” People may be sure that their faces will work as a passport into the digital world, but they’ll want to know there’s a fallback in place (even using passwords!) at least for now.
“You have to be able to recover the account,” she told PYMNTS, and here the phone, and one-time passcodes, remain key components in getting consumers more fully on board with passwordless functionalities.
The incremental approach, she said, can be likened to the journey we all took as listening to music made the leap from cassette tapes to CDs to streaming platforms.
“We still had CDs for a long time before everybody got rid of their CDs,” she remarked.
But in using the platform model to establish a phone-centric identity, Jass said, “There’s the magic of the experience of being able to sign up for an account,” and have identity “bound” to the phone and its “reputation.” With the device in hand, that factor combined with other data points analyzed in real time improves online customer experiences by making them easier and safer.
Asked by PYMNTS which verticals are most readily adopting and adapting to biometrics and the eventuality of the passwordless future, Jass said “a lot of times you can follow the money — and that’s where the stakes are the highest for getting it right, where security really counts behind the scenes.” She pointed to financial services and gaming as verticals especially ripe to make the leap to more advanced authentication methods.
Along the way, she said, as the password finally recedes, with one-time codes and fallbacks in the mix, for now, “We’ll have to support the full journey as we migrate everyone into the new future.”