Online Authentication Needs Fewer Passwords, Less Friction

Siddharth Vijayakrishnan, senior vice president of product and financial intelligence at FIS Platform and Enterprise Products, said that online authentication is a work in progress — but we may never quite be free of the password.

He was quick to differentiate between identification and authentication.

As he told PYMNTS: “Identification is basically saying, ‘I am this person — are you willing to let me in?’”

Identification can be a one-off activity, he said, while authentication should be a “lightweight” endeavor, tied to the act of proving that someone is who they say they are again and again as they move through various digital channels.

The Guiding Principles

Over the past several years, a few guiding lights have not changed when it comes to authentication, he said. Individuals offer up data points — something they are, something they have and something they own.

But no matter the frameworks, the end user simply wants a few things in place.

“They want to get into, and out of, an application as quickly as possible,” Vijayakrishnan said.

For the enterprises and platforms interacting digitally with that customer, the challenges are considerable. They need to introduce friction into the mix, but not so much friction that applications or sites become unusable.

“What you want is a system that is designed to let in good actors as easily as possible, and that presents enough of a barrier to deter bad actors,” he told PYMNTS for the “What’s Next in Payments: Authentication: What’s New and What’s Next?” series.

The defenses and approaches evolved over time, as passwords proved to be insufficient, and two-factor authentication was added. More recently, biometrics have been deployed, Vijayakrishnan said.

Authentication can be federated — where an identity, established through Google or Facebook, can be “carried over” to log into an application. Although there may be philosophical considerations to that approach, Vijayakrishnan said that from a technical vantage point, users might trust companies such as Google and Facebook to enforce security measures more strictly than other firms.

We’re moving beyond the age of one-time passwords, he said, adding that companies such as Apple have been embracing passkeys and biometrically driven “face unlock” features.

There’s no silver bullet or magic wand that will solve all the friction and security concerns surrounding authentication, he told PYMNTS, but a triangulated approach, designed to be done with a mobile device in hand, is critical.

Apple, for example, does not just let users install apps downloaded from its online store, he said. It asks users to verify themselves with a prompt. Similarly, Venmo asks users to verify their phone numbers and re-ascertain that they want to send money to a recipient.

For the providers, he said, “you can either have a rules-based approach, or you can feed everything into a model and come out with a [risk-adjusted] score,” which then can be used to determine whether authentication protocols need to be stepped up.

Passwordless Future?

Asked by PYMNTS whether passwords will ever really disappear, Vijayakrishnan demurred.

“I think we will always have passwords, but I hope we can have fewer passwords,” he said.

Consumers simply do not want to have to remember dozens of passwords, but they might be comfortable with two or three, with the rest managed through passkeys.

Ideally, he said, a consumer should be able to authenticate themselves to a phone, and the phone should then be able to authenticate itself to the bank, aided by platforms such as FIS, which offer streamlined onboarding, continuous monitoring and compliance.

“That can be a magical experience,” he said of the password-reduced future.