In the early days of the internet, passwords were relatively friction-free for one reason: there weren’t a lot of places on the internet to use them, so remembering a slew of them wasn’t hard — because it wasn’t necessary. But as time passed and the internet exploded, consumers were faced with remembering many more of them; today, the average consumer has roughly 90.
That, Mastercard’s President of Global Enterprise Risk and Security, Ajay Bhalla, told PYMNTS in an interview, is unrealistic — no one can remember that many different passwords. And it’s unacceptable, since, as of now, consumers don’t have a choice.
“If you look at financial services today, by and large the way consumers gain access to their online accounts is by authenticating with a password.”
Passwords, he noted, come with a built-in problem. Research conducted jointly by Mastercard and Oxford University reported that 51 percent of consumers repeat passwords across multiple sites; 25 percent of consumers reset one password per day; 21 percent of consumers forget their password after two weeks; and a full 33 percent of abandoned carts at checkout occur because consumers have forgotten their passwords.
Further, Bhalla noted, even when used correctly by consumers, passwords are still a security risk for digital banking.
“If consumers can remember them, the way people set up their passwords is very simple — pets’ names, favorite football teams. The most commonly used password is actually the word ‘password,’ and you don’t really need to be a brilliant mind to crack that,” Bhalla said, explaining that even if a consumer tried to make a password incredibly complicated, about 80 percent of those can be auto-cracked with software within a few days. Password managers aren’t a solution either, he said, since four out of five web-based password managers are vulnerable to attacks.
With that as a backdrop, Bhalla said that it was not at all a surprise that, when asked, consumers expressed an overwhelming desire to be free of passwords. A new study released today by Mastercard/Oxford University shows that 93 percent of consumers would prefer to use biometrics instead of passwords — and 92 percent of banks would too.
Bhalla described this as nothing short of a clear message — from two key stakeholders — that it’s time for a change.
“Financial services should be second to none when it comes to providing the proper payments experience — consumers should be able to buy whatever they want from shoes to cars — and our work with Oxford University made it clear that the time has come for an industry-level push to accelerate the use of biometrics in financial services.”
That, of course, is easy to say but harder to do — particularly when there’s such a knowledge gap in the industry, Bhalla remarked. Only 36 percent of decision makers in mobile biometric implementation say they have adequate knowledge to make those decisions. But, Bhalla noted, while the knowledge gap is there, it’s possible to close it.
“This is a challenge with any new technology,” Bhalla noted, suggesting that although 36 percent is not a great answer, it’s not totally bad either. “I think it is good enough for us to start executing, but these 36 percent need to be the flag bearers so that we can accelerate these technologies into financial services.”
That’s one of the reasons that Mastercard partnered with Oxford — to begin bringing the overall industry knowledge on biometrics “up a notch.”
“We finally came up with a five-factor framework to really help financial services organizations around the world to understand and successfully deploy biometrics.”
The Five Factors
The five factors the study found specifically to be key for building out biometrics were: performance, usability, interoperability, security and privacy.
Performance, Bhalla noted, is the most obvious factor. Above all else, biometrics have to work.
“If we see a lot of false positives or false negatives, that means biometrics isn’t performing its basic task.”
But factored into performance, Bhalla noted, is also the idea of building multi-layer biometric authentication that looks holistically at all of the identifying data available in a mobile pay transaction.
“Using device IDs and the fingerprinting of a phone itself actually improves the performance of biometrics, since each phone has a unique fingerprint. All the device identification details can be combined to really evaluate the veracity of a transaction.”
Usability, he said, is in some ways akin to invisibility — what the consumer wants in an authentication experience is basically touch-and-go simplicity, without adding any time to the mobile pay transaction.
“Our idea going in was the way all applications should be designed to work is that someone from a kid to a millennial to a grandmother should be able to use it with absolute ease. And the good news with biometrics is on a lot of our devices it is already out — it is about now tying in the technology that consumers are already embracing … We just need to make the next leap by bringing it into financial services.”
And not just this next leap, Bhalla noted, but also the future leaps, as it were. That, he noted, is the interoperability part of the framework — the idea that the technology on offer isn’t going to be an end point in biometric authentication, but a starting point from which future iterations will come. In some ways, he said, that means innovating in the dark, since no one has a crystal ball on what exactly is coming next. But, Bhalla noted, in other ways we have seen a lot of the shape of what is to come — and future-proofing isn’t so much about being psychic as it is about building products that are ready to evolve.
“I think the cool thing about having a fingerprint and a face … [is that] it gives innovators room to design around building security around who you are instead of what you remember. We are now taking a fingerprint, putting it into an algorithm and figuring out a device to verify it. The way we have been recommending the technology to be built is make it multi-modular — with fingerprint, iris and facial recognition. The way we do these things will improve, but we can program that into the algorithm.”
For cybersecurity, he noted, again, the goal is straightforward: to make sure that biometrics can do as good a job (or better) of keeping consumer data out of the hands of people who ought not have it. In some sense, Bhalla noted, that is not so tough a challenge, since passwords have such a poor track record in this area, but it remains an issue, as biometric systems are often hacked by intrepid YouTubers.
“There is a scalability in compromises with password breaches or in big data breaches [that] is just not possible with biometric hacks. So it might be theoretically possible to copy someone’s biometric data, but it is almost impossible to distribute that at scale the way you see with password and data breaches.”
Moreover, Bhalla said, the push in cybersecurity is making sure that the biometric data is read and authenticated in such a way that it is entirely within the device — what is transmitted is encrypted tokenized data.
Which, Bhalla notes, ties to the fifth key parameter, which is consumer digital privacy — and the certainty that that data remains locked to the consumer-controlled device.
“One of the big concerns that has been highlighted across the board is the fear that biometrics will be compromised — and they are not a thing consumers can change, like a password. And so this is about really keeping that data and that technology on the edge and very difficult to access.”
These practices, he said, particularly when taken together, represent the best practices in the biometrics space and the ways that it works best when it works for consumers.
Consumers — suffering through 90 passwords, daily account changes, an inability to access their accounts and security protection that is so-so at best — are ready for the change. Which means the obvious question is: when is this change coming, if 93 percent of consumers and 92 percent of banks are ready to sign on?
And there are two answers to that question. In one sense — probably not soon enough for anyone who spent the morning fighting Google to access their Gmail account.
“Look, if I could make a wish, I’d do it tomorrow,” Bhalla said.
But, he noted, also probably sooner than most people think, given the exponential progress in the space.
“I think in the next five years we will see a massive change. We are pretty much at the crossroads of all devices being rolled out with a biometric now. I think devices have embraced it, there is a consumer hunger and the compromises and the breaches are extremely high — so I think we have all the factors which can make this a big success.”
Now, he said, the industry just needs to step on the gas — hopefully using the five factors as a guide — to get advancement accelerating.
We’ll keep you posted on the progress.