Is It Time To Retire Passwords For Digital Authentication?

Even if one tried, it would be hard to ignore the near-constant reports of data breaches. Based on the flurry of consumers scrambling to get their $125 settlement from Equifax, data security is an issue with far-reaching consequences.

In fact, the reported number of exposed consumer records that contained sensitive personally identifiable information jumped 126 percent between 2017 and 2018.

The latest Digital Identity Tracker delves into the issues digital identity players are facing and explores alternate digital ID authentication methods that could be more secure than conventional passwords and other commonly used methods.

The benefits of digital IDs might seem apparent – especially among financial institutions – but consumers aren’t fully on board yet.

PYMNTS’ Digital Identity Lifestyle Capsule found that 45.2 percent of consumers rely solely on passwords to keep their digital identities safe, and an additional 73.4 percent said they were “very” or “extremely” satisfied with their current authentication options, indicating a knowledge gap surrounding security best practices.

This was similar to other findings that show 59 percent of consumers use the same or similar password for multiple accounts. Only 55 percent of consumers would change their password even if their account was hacked.

On the other hand, passwords are the most common authentication method used by financial services, eCommerce and healthcare companies, so this is what is familiar to consumers.

Conventional methods like knowledge-based verification have come under fire recently. A report from the Government Accountability Office (GAO) found that several government departments still rely on the three big credit agencies – Equifax, Experian and TransUnion – to verify a person’s identity, and advised against using data obtained from these companies.

This led the National Institute of Standards and Technology (NIST) to issue guidance after the 2017 Equifax breach that prohibits the use of knowledge-based verification among government agencies. “It’s distressing to us that, in the GAO report, agencies are still using knowledge-based verification for authentication purposes [when] it’s clearly vulnerable,” said David Temoshok, senior policy advisor for the Trusted Identities Group at NIST. 

But what are the alternatives to knowledge-based verification and PIN- and password-based authentication systems?


Facial recognition got a boost when Apple added it (in addition to fingerprint recognition) to the new generation of iPhones. Some facial recognition offerings allow users to upload selfies, which are then compared to 3D facial maps that are established when users create their accounts.

The downside? Fraudsters can still game the system by using photos of users, and biometrics also gets a bad rap due to privacy concerns.

To combat biometric fraud, there is also a growing interest in liveness detection, which requires users to perform defined actions during authentication that are much harder for potential hackers to replicate.

According to the Digital Identity Lifestyle Capsule, consumers reported single-digit usage of biometric authentication options like fingerprints, facial recognition and voice recognition. This low usage reflects that the technology is still emerging.

Artificial Intelligence

Artificial intelligence (AI) is also being used to enhance liveness detection and is being leveraged for security purposes, such as anomaly detection and the verification of physical identification methods.

Deep learning algorithms can define baselines for typical customer behavior, flagging and reviewing transactions they find unusual to determine their likelihood of being fraudulent.

The use of AI to verify physical IDs like drivers’ licenses or passports is still new and can result in false positives. It can be taught to accept these changes, resulting in fewer false positives, but loosening standards could cause more fake IDs to be accepted.

In addition to AI, banks and fraudsters are using neural networks and other behavior-based learning systems to protect or breach financial systems. While businesses apply neural networks to authenticate customer behavior for identification, cybercriminals can use the same tools to mimic legitimate user behaviors.


The advantage of using blockchain for digital ID security is that these systems store data in sequence, making it difficult for fraudsters to access information without leaving evidence. Additionally, consumers can control their own data with blockchain, which is seen as a positive by privacy advocates.

Companies like Microsoft and Fujitsu have been working on developing blockchain-based ID systems to offer greater transparency and security.

Blockchain, however, requires a high level of trust among all parties, since no central overseer is involved.

All methods of digital ID security and authentication come with benefits and drawbacks. To stand a chance of consumer adoption, they will need to be seamless and more convenient than old-school passwords.
