Why It’s Not Up To Consumers To Fix The Recycled Password Problem

Despite all the digital advances and connectivity achievements that facilitate our daily lives, one simple fact still threatens the stability and security of the entire enterprise: 50 percent of us still recycle our passwords.

It may seem like a small problem that is relatively easy to fix. Still, Bill Leddy, vice president of authentication and identity at LoginID, told PYMNTS it is far more threatening and potentially more damaging than it might appear.

“I don’t think we can blame the consumer” for the firmly entrenched passwords, Leddy said, adding that stakeholders need to educate consumers about the convenience factor of authentication standards. He noted that security and privacy — and deployment — have largely been satisfied as secure logins have been built into all major operating systems and browsers.

But “while the individual FIDO strong authentication standards are there in the devices, they’re not always well presented in webpages,” he said. He noted that the FIDO Alliance UX Task Force has put together guidelines setting out what that end-consumer experience should look like.

With a consistent experience in place, he said, consumers will recognize that strong authentication can be part and parcel of a good eCommerce experience.

“More consumers will understand the benefits of using this instead of having a password keeper or reusing passwords,” said Leddy.

That will especially be the case when it comes to payments — and as delegated authentication programs roll out through the next year and beyond. Leddy said merchants would jump on board and help with the necessary consumer education in a virtuous cycle.

Strong authentication and high-tech identity processes, he said, are especially useful at the point of onboarding.

At The Point Of Onboarding

“If the consumer can come and present an identity, instead of having to fill out the same form each time, then we’re going to see a lot of benefits in terms of security and convenience for consumers,” said Leddy. At the same time, issuers and merchants will see declining rates of “drop off” when consumers encounter sites.

At a high level, strong authentication in FIDO, and a strong identity (with valid identity information originally provided by the user), he said, “is where the intersection, or the union, of authentication and identity come together, where you can go to a website or some app and just [authenticate with your biometric/FIDO, which is now tied to your identity, and now] a third party can say yes, ‘indeed that’s you.’”
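What that “a third party can say yes, indeed that’s you” step looks like on the verifying side, as an added example that is not code from LoginID or from this article: a Go program that plays both the authenticator and the relying party for one FIDO2/WebAuthn assertion. The P-256 key (standing in for registration), the relying-party ID shop.example, the challenge strings and the three test responses are all constructed for the example; a real deployment would use the credential the browser’s WebAuthn API registered and a fresh challenge per login. The relying party checks the origin and challenge in clientDataJSON, the rpIdHash and the user-presence/user-verification flags in the authenticator data, that the signature counter moved forward, and the ECDSA signature over authData || SHA-256(clientDataJSON).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Flag bits of WebAuthn authenticator data.
const (
	flagUP = 0x01 // user present: someone touched or swiped the authenticator
	flagUV = 0x04 // user verified: fingerprint or PIN matched on the device
)
// Credential is what the relying party stored for this user at registration.
type Credential struct {
	PubKey  *ecdsa.PublicKey
	Counter uint32 // last signature counter accepted
}
// clientData holds the fields of the browser's clientDataJSON checked here.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// buildAuthData assembles authenticatorData: SHA-256(rpId) || flags || counter.
func buildAuthData(rpID string, flags byte, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	return append(append(h[:], flags), c[:]...)
}
// signedMessage is the digest the authenticator signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// VerifyAssertion runs the relying-party checks on one authentication response.
func VerifyAssertion(cred *Credential, rpID, origin, challenge string, authData, clientDataJSON, sig []byte, requireUV bool) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Origin != origin || cd.Challenge != challenge {
		return errors.New("clientData type/origin/challenge mismatch (replay or phishing)")
	}
	want := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || !bytes.Equal(authData[:32], want[:]) {
		return errors.New("authenticator data malformed or rpIdHash mismatch")
	}
	flags := authData[32]
	if flags&flagUP == 0 || (requireUV && flags&flagUV == 0) {
		return errors.New("no user presence/verification asserted: no live user at the device")
	}
	counter := binary.BigEndian.Uint32(authData[33:37])
	if counter <= cred.Counter {
		return errors.New("signature counter did not increase: possible cloned authenticator")
	}
	if !ecdsa.VerifyASN1(cred.PubKey, signedMessage(authData, clientDataJSON), sig) {
		return errors.New("invalid signature")
	}
	cred.Counter = counter
	return nil
}

// Demo plays both sides with a freshly generated P-256 key standing in for
// registration (constructed for this example) and returns three verdicts.
func Demo() (genuine, noPresence, replay error) {
	const rpID, origin = "shop.example", "https://shop.example"
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cred := &Credential{PubKey: &priv.PublicKey}
	mkCD := func(ch string) []byte {
		b, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: ch, Origin: origin})
		return b
	}
	// 1. Genuine swipe: the authenticator sets UP|UV and signs the fresh challenge.
	cd1, ad1 := mkCD("chal-1"), buildAuthData(rpID, flagUP|flagUV, 1)
	sig1, _ := ecdsa.SignASN1(rand.Reader, priv, signedMessage(ad1, cd1))
	genuine = VerifyAssertion(cred, rpID, origin, "chal-1", ad1, cd1, sig1, true)
	// 2. Right key, valid signature, but the flags say nobody was at the device.
	cd2, ad2 := mkCD("chal-2"), buildAuthData(rpID, 0, 2)
	sig2, _ := ecdsa.SignASN1(rand.Reader, priv, signedMessage(ad2, cd2))
	noPresence = VerifyAssertion(cred, rpID, origin, "chal-2", ad2, cd2, sig2, true)
	// 3. The first response replayed against a new challenge.
	replay = VerifyAssertion(cred, rpID, origin, "chal-3", ad1, cd1, sig1, true)
	return genuine, noPresence, replay
}

func main() {
	g, n, r := Demo()
	fmt.Println("genuine swipe:", g, "| UP flag clear:", n, "| replay:", r)
}
```

The second case is the point of the flags: a valid signature from the right key is still rejected when the authenticator did not assert that a user was present, which is what turns a key sitting in a device into evidence that someone is at that device right now. The counter check catches a second copy of the same key being used in parallel, and the challenge check is what makes a captured response worthless a moment later.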

The process, he said, puts a lot of privacy in the hands of the consumer because they get to control who is seeing their information.

Yet there are still some stumbling blocks. Many banks and financial institutions (FIs) are still not deploying liveness checks in their biometrics. Even with mass remote onboarding, he said, biometrics can still do the job, provided liveness checks are part of them.

“Basically, if someone comes to a site and swipes their finger using FIDO,” he said, “that is a liveness check right there.” A swipe returns a credential that can be reused later, and the devices that support it are ubiquitous, he said. And if someone tries to create an account 20 times within the span of 15 minutes, FIs can be on the alert for a velocity attack — without incurring costs and friction downstream. And, he said, onboarding without smartphones might point to bot attacks.
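The two onboarding signals described above, a burst of signups from one source and signups that never present a FIDO credential, as an added example that is not LoginID’s code or anything from the article: Go detection logic run over a constructed log of account-creation attempts. The event fields, the three source addresses and the sample timings are assumptions made for the example, as is the five-attempt floor for the “no FIDO credential” rule; the 20-attempts-in-15-minutes threshold follows the figure Leddy gives.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// OnboardingEvent is one account-creation attempt as an onboarding service
// might log it. The fields and the sample data below are constructed for
// this example.
type OnboardingEvent struct {
	At       time.Time
	Source   string // grouping key: client IP, device fingerprint, etc.
	FIDOCred bool   // flow began with a FIDO assertion from a registered device
}

// Alert names a source that tripped one rule and how many attempts were involved.
type Alert struct {
	Source, Rule string
	Count        int
}

// OnboardingAlerts applies two rules per source:
//   - "velocity": more than maxPerWindow attempts inside any sliding window
//     of the given length (20 in 15 minutes in the article);
//   - "no_fido":  at least minNoCred attempts that never presented a FIDO
//     credential, the "onboarding without a smartphone" signal.
func OnboardingAlerts(events []OnboardingEvent, window time.Duration, maxPerWindow, minNoCred int) []Alert {
	bySource := map[string][]OnboardingEvent{}
	for _, e := range events {
		bySource[e.Source] = append(bySource[e.Source], e)
	}
	var alerts []Alert
	for src, evs := range bySource {
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		// Two-pointer sliding window over the time-ordered attempts.
		peak, left, noCred := 0, 0, 0
		for right := range evs {
			for evs[right].At.Sub(evs[left].At) > window {
				left++
			}
			if n := right - left + 1; n > peak {
				peak = n
			}
			if !evs[right].FIDOCred {
				noCred++
			}
		}
		if peak > maxPerWindow {
			alerts = append(alerts, Alert{src, "velocity", peak})
		}
		if noCred >= minNoCred {
			alerts = append(alerts, Alert{src, "no_fido", noCred})
		}
	}
	// Map iteration order is random; sort so the output is stable.
	sort.Slice(alerts, func(i, j int) bool {
		if alerts[i].Source != alerts[j].Source {
			return alerts[i].Source < alerts[j].Source
		}
		return alerts[i].Rule < alerts[j].Rule
	})
	return alerts
}

// SampleEvents builds a constructed log: one burst of credential-less signups,
// one busy but legitimate NAT address, and one ordinary customer.
func SampleEvents() []OnboardingEvent {
	base := time.Date(2024, 1, 15, 9, 0, 0, 0, time.UTC)
	var evs []OnboardingEvent
	for i := 0; i < 25; i++ { // 25 attempts in 10 minutes, never a FIDO credential
		evs = append(evs, OnboardingEvent{base.Add(time.Duration(i) * 24 * time.Second), "203.0.113.7", false})
	}
	for i := 0; i < 22; i++ { // 22 FIDO-backed attempts spread over ~2 hours
		evs = append(evs, OnboardingEvent{base.Add(time.Duration(i) * 330 * time.Second), "192.0.2.9", true})
	}
	for i := 0; i < 3; i++ { // three tries over an hour from a registered device
		evs = append(evs, OnboardingEvent{base.Add(time.Duration(i) * 20 * time.Minute), "198.51.100.2", true})
	}
	return evs
}

func main() {
	for _, a := range OnboardingAlerts(SampleEvents(), 15*time.Minute, 20, 5) {
		fmt.Printf("%-14s %-9s %d attempts\n", a.Source, a.Rule, a.Count)
	}
}
```

Grouping by client IP is the simplest key but will also sweep up a busy NAT, which is why the second source in the sample stays quiet: 22 attempts spread over two hours never put more than three inside any 15-minute window. Once the flow starts with a FIDO assertion, the credential ID or a device fingerprint is a better grouping key than the address.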

If a merchant or an issuer is not ready to build and integrate FIDO on their own yet, they can use a hosted service provided by companies like LoginID, which has created simple application programming interfaces (APIs) to integrate FIDO, he said, adding that “all [customer] onboarding should start with a finger swipe FIDO authentication before you proceed to any other steps in the process.”

Such high-tech and biometric-based defenses can make it expensive enough so that the fraudsters take their schemes and attacks elsewhere (they’ll conceivably have to hire individuals to stage attacks, as automated attacks will have to be abandoned).

Strong authentication will become more firmly entrenched beyond onboarding and will be used for government services — but will find particular promise in payments, he said, where real-time payments are gaining ground. As has been well reported, those transactions cannot be reversed, so relying solely on risk models becomes a vulnerability.

As the Internet of Things becomes more commonplace, he said, every device should be able to make or take payments on behalf of its owner. He pointed to secure device onboarding for those devices via the FIDO Device Onboard (FDO) standard recently released by the FIDO Alliance — which helps craft a “secure channel” to initialize those devices and connect them to identities.

As he told PYMNTS: “The reward for solving authentication is now you have to solve identity — and identity is a much tougher problem. The good news is … having identity and strong authentication tied together is going to enable a broad range of new experiences.”