The good thing about authentication that relies on your retina, fingerprint or face is that it doesn’t need to be alphanumeric and cryptic. That is secure convenience in a nutshell — to be able to pay for candy by staring at a screen or deposit a check with the swipe of a finger.
A major overhaul in the world of digital identity is the decided death of passwords. It will be slow but deliberate. And the reason it hasn’t happened already is because users won’t let it.
A few years ago, a couple of researchers from Cambridge University found that passwords, at best, serve as a psychological placebo. It’s about letting go of a ritual, which isn’t always easy.
“Efforts to replace passwords with more secure protocols or federated identity systems may fail because they don’t recreate the entrenched ritual of password authentication,” the researchers explained.
The study found that companies propagate the use of passwords as a means of “collecting data and building a relationship with a consumer” rather than for security. Repeating weak passwords across multiple sites — a regular habit among users — makes things worse as hackers exploit the weaker sites to attack the more secure ones.
“The recent series of serious, high-profile data breaches have forced the industry to think about an overhaul of some incumbent security protocols, starting with passwords.”
What Next After Passwords?
The next step in this evolution is establishing digital identity on the mobile and ensuring seamless security across connected devices. Security solutions provider HID Global predicted that in 2016, security will adapt to users’ habits rather than users having to get used to multiple-step processes. “Old ways of authenticating will be replaced by more satisfying alternatives,” the report said.
And that movement is gathering steam with two Internet giants, Yahoo and Google, ringing the death knell over randomly strung characters or cryptic passphrases safeguarding identities.
In October of last year, Yahoo announced that it was swapping passwords for Account Key, which establishes login credibility through notifications and prompts on the device.
Yahoo eased the users into this transition by encouraging users to forget their password. In March 2015, the company launched on-demand passwords, which allowed users to log in to their accounts using one-time passwords exclusively.
Google followed suit and tested device-specific authentication by letting users log in using their mobile phones. The company believes that the tool will prevent phishing attacks by hackers.
This proliferation is expected to eventually lead to establishing policies and standards for best practices — focusing not only on prevention, but also remedying cyber hacks and data breaches.
Making Biometrics Mainstream
The move to establish identity based on what you have (fingerprint, retina) rather than what you know (codes and passwords) is what makes biometrics a worthy substitute for passwords. The biometrics market is expected to expand to $44 billion by 2021 globally. The demand that was driven by law enforcement, border control and governments to issue IDs is going mainstream and entering the consumer domain where Touch IDs and facial recognition tools are already being used for logins. Pioneering these efforts is the financial services industry. Last year, JPMorgan Chase integrated TouchID into their mobile banking app for a seamless customer login that eliminates typing in a password. Similarly, MasterCard announced a “Pay By Selfie” feature that will make it possible for merchants to verify the identity of a shopper by looking at a photo of their face.
The latest data from Goode Intelligence indicated that there are at least 120 million customers using mobile biometrics on a daily basis for their financial transactions. The forecast shows there will be 16 billion mobile biometric payment transactions this year, and by 2020, the number of FinServ customers using biometrics to authenticate payments via mobile devices will skyrocket to 1.1 billion.
The movement is getting a consolidated push with organizations working solely on this. The Fast IDentity Online Alliance (or FiDO Alliance) envisions the future of digital identity as having a smart card in the pocket. From the user’s perspective, this could be a simple gesture that they are already used to, like plugging in a USB device or tapping a fingerprint sensor. “I would anticipate that in about two years you will start to get some standardization around the user experience,” said Rajiv Dholakia, board member at FIDO Alliance.
And the group has made considerable progress in pushing this forward. In November 2015, the World Wide Web Consortium (W3C) embraced the FIDO Alliance to making secure multifactor authentication a “built-in” feature on all browsers and platforms.
A recent survey signaled the audience’s comfort level while making the shift from passwords. A resounding 84 percent of respondents polled said they would support the total elimination of passwords, and 76 percent said they would feel safer using a different kind of authentication.
“And as more people opt in to the transition, in the coming years biometrics will have a huge role to play in taking security forward with convenience.”
The FIDO specifications being incorporated already consists of a two-factor protocol using a PIN or biometrics to link the user to the authenticator which will then allow the relying party (e.g. Google, PayPal, Bank of America) to assure that only that unique authenticator is present when they are encountered online.
While passwords are ubiquitous and incumbent, it creates more problems than it solves. And the plethora of apps and digital properties that require user verification have far exceeded to make convenience a factor not to be compromised on. The definition of secure convenience finds itself at an intersection of discovering scalable security practices that are robust and not easily replicable.
As more of them emerge, we’ll track it right here in the PYMNTS.com Digital Identity Tracker.
For more on the digital identity ecosystem, click here to take a look at the January edition of our Digital Identity Tracker, which helps identify the issues and trends that arise around the digital identity ecosystem.