Passwords are no longer passing muster as a security or authentication method. The problem is quantity as much as quality. The average number of passwords registered to a single e-mail address is 130, according to password management company Dashlane.
With so many passwords, people choose memorable ones, reuse them across sites and write them down. It is no better in the workplace. More than half of workers reuse a small rotation of weak passwords and 42 percent admit to sharing passwords with co-workers, Dashlane found. The death of the password has been consistently mooted for at least a decade. However, its demise is being hastened by ineffective password security, changes in technology, plus regulatory, commercial and competitive pressures.
The rise in data breaches and identity theft is prompting a password re-think. The average total cost paid by breached organisations is around $6.5 million, according to Dashlane. Meanwhile identity fraud has reached record levels. In the UK alone, 173,000 cases of identity theft were recorded in 2016. Identity fraud now represents over half of all fraud recorded by Cifas, the UK fraud prevention service, with nearly 90 percent of it perpetrated online.
Against this backdrop, Visa recently announced that it was eliminating the use of static passwords for its online authentication service, Verified by Visa, from April 2018. Elsewhere the PSD2 in Europe requires strong customer authentication for all electronic payments. Exemptions aside, financial institutions must perform two-factor authentication for face-to-face and remote transactions.
What is consumers’ attitude towards, and understanding of, the various authentication methods? Research firm Aite Group surveyed 1,095 US consumers who used online and/or mobile banking to find out. Consumers across the generations are quite comfortable using passwords to access their online bank account. This can be partly attributed to habit. The username/password combination has been the standard for online banking for nearly two decades, and consumers are well trained in its use.
Unsurprisingly, ease of use was the most important consideration for all age groups when asked about their key priorities for their online banking service. Robust security and fraud prevention was also deemed very important by the majority of respondents. Those born before 1946 gave this equal weight with ease of use, with more than three-quarters saying both were very important.
Consumers are broadly willing to switch to alternative identification and verification methods. The Aite Group found a clear correlation between consumers’ openness to change and their age. 48 percent of millennials indicated that they were very willing to switch methods, with another 47 percent somewhat willing to change. In contrast, only around 15 percent of those born before 1946 were very willing to learn new methods.
Changes in technology are challenging password dominance. Advances in smartphone cameras and fingerprint sensors enable the capture and verification of biometric details. This makes new authentication methods, such as fingerprint, finger vein, facial, voice or iris recognition, eye print and heartbeat, possible. The smartphone itself can also serve as a type of trusted token through the analysis of device-related signals: build information, media details, usage patterns, installed applications and location data. A sudden change across several of these categories, for example a new device build appearing from an unfamiliar location, is a signal that the account may have been taken over or that someone is impersonating the legitimate user. It is a cue to step up authentication, not a proof of identity in itself, because every one of these attributes is reported by the client and can be spoofed.
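The device-signal check described above, as an added example written for this page (it is not code from the article or from any vendor mentioned in it): a device profile captured at enrolment is compared with the attributes seen at login, drift in each category the article names raises a weighted risk score, and the score maps to allow, step-up or deny. The category weights, the app-drift threshold, the decision thresholds and the sample profiles are all assumptions made for the example.

```python
# Added example of risk-based device binding. Weights, thresholds and the
# sample profiles below are assumptions for illustration, not from the article.
from dataclasses import dataclass

# Hypothetical weight per category: how suspicious a change in it is.
WEIGHTS = {"build": 3, "location": 2, "media": 1, "usage": 1, "apps": 1}

# Fraction of the installed-app set that must change before "apps" counts as drifted.
APP_DRIFT_THRESHOLD = 0.5


@dataclass(frozen=True)
class DeviceProfile:
    build: str         # OS/model build string reported by the app
    media: str         # summary of camera/screen capabilities
    usage: str         # coarse usage bucket, e.g. "weekday-evening"
    apps: frozenset    # installed application identifiers
    location: str      # coarse location, e.g. country code


def app_drift(known: frozenset, current: frozenset) -> float:
    """Jaccard distance between two app sets: 0.0 identical, 1.0 disjoint."""
    union = known | current
    if not union:
        return 0.0
    return 1.0 - len(known & current) / len(union)


def risk_score(known: DeviceProfile, current: DeviceProfile):
    """Return (score, changed_categories) for a login from `current`."""
    score = 0
    changed = []
    for category, weight in WEIGHTS.items():
        if category == "apps":
            drifted = app_drift(known.apps, current.apps) > APP_DRIFT_THRESHOLD
        else:
            drifted = getattr(known, category) != getattr(current, category)
        if drifted:
            changed.append(category)
            score += weight
    return score, changed


def decide(score: int) -> str:
    """Map a risk score to an action. Thresholds are assumptions for this example."""
    if score == 0:
        return "allow"
    if score < 5:
        return "step-up"   # require a second factor before granting access
    return "deny"          # looks like a different device: treat as possible takeover


def evaluate_login(known: DeviceProfile, current: DeviceProfile):
    """Convenience wrapper returning (decision, score, changed_categories)."""
    score, changed = risk_score(known, current)
    return decide(score), score, changed


# Constructed sample: the profile bound to the account at enrolment.
ENROLLED = DeviceProfile(
    build="iOS-17.4-iPhone15,2",
    media="cam:12mp;scr:2556x1179",
    usage="weekday-evening",
    apps=frozenset({"bank", "mail", "maps", "chat"}),
    location="GB",
)

if __name__ == "__main__":
    # Same phone, but logging in from another country: only location drifts.
    travelling = DeviceProfile(ENROLLED.build, ENROLLED.media, ENROLLED.usage,
                               ENROLLED.apps, "FR")
    # Different build, media, app set and location: several categories drift at once.
    cloned = DeviceProfile("Android-14-Pixel8", "cam:50mp;scr:2400x1080",
                           "weekday-evening", frozenset({"bank"}), "RU")
    for name, current in [("same", ENROLLED), ("travelling", travelling), ("cloned", cloned)]:
        print(name, evaluate_login(ENROLLED, current))
```

The single changed category (location) in the travelling case only triggers a step-up, while the cloned case, where build, location, media and most of the app set all differ, crosses the deny threshold. In a real deployment the profile should be paired with a key held in the device's secure hardware, so that a spoofed set of attributes alone is not enough to pass as the enrolled phone.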
Blockchain or distributed ledger technology offers an alternative way to organise identity systems and the access to, and ownership of, data. “Solutions you put in place are not the property of one single owner,” explains Simon Wilkinson, operations director, Tradle, a company putting KYC data on a blockchain. “The way we have implemented our solution, it won’t be our property or data. It belongs to the owner and is shared with organisations that they interact with.”
This puts the individual in control of their own data and makes it portable between organisations and across borders. It streamlines on-boarding by removing repetitive KYC processes and the reliance on paper-based identity documents. It de-risks transactions and saves considerable time, cost and effort for both institutions and customers. This matters because the administrative overheads associated with AML compliance alone were around $10 billion last year, according to Goldman Sachs.
Biometrics, trusted devices and Big Data authentication techniques will drive the decline of passwords. However, passwords are likely to live on as a secondary or fallback authentication factor, in the same way that plastic cards continue to be embossed and to carry a magnetic stripe many years after the introduction of the EMV chip. This is to maintain interoperability in the face of legacy systems, processes and equipment. The history of the payments industry is additive rather than subtractive, so when it comes to the death of the password, it could well be a case of: passwords are dead. Long live passwords!