Why Is It So Hard to Get Rid of Passwords?

A multifaceted approach to digital identity can shore up eCommerce defenses against risk and fraudsters.

And that multifaceted approach, Prove Chief Security Officer and Chief Information Officer Amanda Fennell told PYMNTS, depends on input and insight — and collaboration — between the private sector and academia.

Fennell, who came to her present role at Prove in January, has also spent years as an adjunct professor at Tulane, and she said the classroom remains an essential component of the cybersecurity ecosystem, where research is non-stop and where frameworks are developed — and the next generation of cyberwarriors is minted.

But as she noted, even the best-informed and educated academics can find it challenging to translate theory into real-world practice.

As she told PYMNTS, “there can be a bit of a struggle with the transition. You can have all of the knowledge but not know how to use it.”

And it’s more critical than ever to teach risk professionals — neophytes and seasoned executives alike — that although there’s no one-size-fits-all approach to cybersecurity, a holistic approach to authentication is essential.

“Authentication is based on the factors of ‘something you have, something you are and something you know’… but these three things are all breakable in some way,” she told PYMNTS.

Simply put, the bad actors are also able to get a hold of those data points, to leverage one or the other to bypass firms’ security efforts with stolen passwords or spoofing. One-time passcodes and multifactor authentication (MFA) can be cumbersome and vulnerable to social engineering. Consumers may yearn for a passwordless future, she said, but legacy, friction-filled processes won’t get us there.

The fraudsters are getting more sophisticated in their attack vectors — and bolder, Fennell said. Ransomware remains a thorny problem. Criminals are using advanced technologies to conduct waves of attacks — phishing attacks and account takeovers, especially — at scale.

More Than Just Security

To thwart the fraudsters, she said, the phone can bring together all three of those aforementioned factors, and it can also leverage data that improves and streamlines commerce itself.

“Approaching identity in a new way, with real-time identity management, and improving digital onboarding … is where the forward-thinking people in security are already focusing,” she said.

By way of example, she said, device-level and behavioral analytics can unlock faster onboarding onto merchant, financial institution and FinTech platforms, eliminating cart abandonment and the frustration that comes with having to fill out endless data fields or clear various stepped-up authentication prompts.

“The effect is far-reaching beyond simply identifying a person,” she told PYMNTS, and can spur revenue growth. The consumer who, conceivably, travels to Costa Rica and buys a cup of coffee, digitally, can do so seamlessly because their identity is bound to their device, and there’s a high degree of confidence that they are who they say they are.

Asked by PYMNTS what should be top of mind for CISOs in an environment where tech budgets may be constrained, she said it’s important that executives understand their true risk levels — defined as probability times impact.

“You don’t need to build out a team of 50 incident responders across the entire world,” she said, adding that it’s more cost-effective to deploy the resources state-of-the-art managed security services provide (Prove Identity among them).

“Every company in the world has a responsibility to consumers, to themselves, to their employees,” she told PYMNTS. “We’re at a catalyst — a moment of moving into a direction of needing to authenticate in this different way. And I want to be right here when it happens.”