The username and password have long been the baseline method for protecting accounts, but for consumers and businesses alike, they’ve become a lose-lose. Nick Caley, Vice President, UK and Ireland, ForgeRock, explains why.
For consumers, the tipping point passed when the number of online accounts they held reached the hundreds, meaning they can no longer be expected to remember credentials for them all. Consumers now often reuse a single set of login details, which they can remember, across accounts. According to First Contact, 51% of people use the same passwords for work and personal accounts.
This jeopardises the security of every account because they are all only as secure as the weakest link. Recycled passwords and usernames are leading attack vectors used in data breaches; the World Economic Forum (WEF) found that four out of five breaches are caused by weak/stolen passwords.
The scale of this problem is clear from a range of research. Our Identity Breach Report found that over five billion US consumer records were breached in 2019 alone, with personally identifiable information (PII) accounting for 98% of all cases. With the pandemic having forced more of our everyday lives online, these numbers will surely only grow.
For businesses, research by Mastercard showed that the friction introduced by usernames and passwords can lead to lost revenue, as a third of users forced to recover their password will abandon the login process altogether. Additionally, password and username recovery leads to higher help desk costs; WEF estimates that the average annual large company spend on password resets is over US$1 million.
The foundation for passwordless, usernameless authentication has already been laid
So why the slow progress, especially since the technology and regulatory bedrock for passwordless and usernameless authentication is mostly in place?
Over the last 10 years, smartphone manufacturers, like Apple, have paved the way for this type of authentication and access technology to evolve from a vision into an everyday reality, beyond its initial application on mobile devices. Now software-based biometrics, which take advantage of the high-quality cameras used in mobile phones, can allow for cross-platform biometrics without the need for special sensors.
Industry bodies, like the FIDO Alliance, have also been instrumental by promoting open standards that are more secure than passwords, easier for consumers to use and simpler for service providers to deploy – all principles which we’ve put into practice in our recent identity innovations, such as ForgeRock Go. In what was seen as a major moment earlier this year, Apple joined the FIDO Alliance – its technological advances in biometrics matching its public commitment to passwordless.
Moving towards a confirmation model of authentication
The first step towards passwordless and usernameless authentication is to examine whether and when you really need to authenticate and at what level. Ask: ‘How important is it for us to know who that person is, and how confident are we that we know who is involved in the transaction?’
In most instances, looking at the signals and context of a recognisable device or browser doing things that the user normally does, we can be somewhat confident that the user is who they should be. Clearly where there are transactions of consequence, we can verify that this transaction is being performed with adaptive and appropriate authorisation.
By adopting a mindset of confirmation rather than authentication where it makes sense, the user experience can become more natural, more like the real world.
If a company feels comfortable about who the user is, it doesn’t have to get in their way. If it does the job of knowing who the user is really well, then it should be able to reach a point where the user isn’t even aware that this is happening.
Even for heavily regulated sectors, like financial services, which are required to maintain relevant authorisation, this selective approach can still be beneficial. For example, when it comes to mobile apps, a bank could give customers more options for strong customer authentication to help drive adoption and enable greater levels of self service.
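The confirmation model described in this section, as an added example that is not part of the article or any ForgeRock product: a small adaptive authentication policy that scores the context of a request against what is known about the user (recognised device, usual country, usual hours) and either confirms silently, asks for step-up authentication, or refuses. The signal names, weights, thresholds and the high-value cut-off are assumptions chosen for illustration; a real deployment would tune them from its own data.

```python
"""Added example (not the article's or ForgeRock's code): a minimal adaptive
authentication policy in the 'confirmation' style. Recognised device doing
normal things -> confirm silently; unfamiliar context -> step up; transactions
of consequence -> always step up. All signals and thresholds are assumptions."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Context:
    """Signals observed on one request (constructed for illustration)."""
    device_id: str
    country: str
    hour_utc: int
    transaction_value: float  # 0.0 for read-only or low-consequence actions


@dataclass
class UserProfile:
    """What the service already knows about this user's normal behaviour."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_hours: range = range(7, 23)  # assumed 'normal' activity window


def risk_score(profile: UserProfile, ctx: Context) -> int:
    """Sum weighted anomaly signals; a higher score means less confidence
    that the user is who they should be. Weights are assumptions."""
    score = 0
    if ctx.device_id not in profile.known_devices:
        score += 40  # unrecognised device is the strongest single signal here
    if ctx.country not in profile.usual_countries:
        score += 30
    if ctx.hour_utc not in profile.usual_hours:
        score += 10
    return score


def decide(profile: UserProfile, ctx: Context, high_value: float = 500.0) -> str:
    """Return 'confirm' (silent), 'step_up' (explicit strong auth) or 'deny'."""
    # Transactions of consequence always get explicit, appropriate authorisation,
    # regardless of how familiar the context looks.
    if ctx.transaction_value >= high_value:
        return "step_up"
    score = risk_score(profile, ctx)
    if score >= 70:
        return "deny"       # nothing about this request looks like the user
    if score >= 30:
        return "step_up"    # partially unfamiliar: ask for a stronger factor
    return "confirm"        # recognised device behaving normally: stay out of the way


if __name__ == "__main__":
    alice = UserProfile(known_devices={"dev-1"}, usual_countries={"GB"})
    for ctx in (
        Context("dev-1", "GB", 10, 0.0),      # normal: confirm
        Context("dev-1", "GB", 10, 1000.0),   # high value: step_up
        Context("dev-2", "GB", 10, 0.0),      # new device: step_up
        Context("dev-2", "FR", 3, 0.0),       # everything unfamiliar: deny
    ):
        print(ctx, "->", decide(alice, ctx))
```

Note the ordering in `decide`: the transaction-value check runs before the score, so a familiar device never lets a high-consequence action through silently, which is the "transactions of consequence" caveat the section makes.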
Behavioural biometrics: A game-changer for frictionless security and confirmation
While it is true that we have made great strides in standards and technological innovation over the last 10 years, we are still in the early stages of the biometrics revolution.
There are many more benefits to come as we move towards the next phase of adoption. Behavioural biometric authentication – whereby behavioural characteristics and contextual clues like GPS and interactions with a device are continually captured and evaluated to build a profile to confirm who a user is – could make the dream of continuous authentication a reality. This would allow businesses to embrace a more dynamic form of risk profiling and move to a model of confirmation – benefitting both parties.
In addition to the savings in time and money and fraud prevention, organisations can also build more comprehensive customer profiles. For consumers, behavioural biometric authentication promises greater personalisation, increased choice and, most importantly, better security without introducing unnecessary friction.
However, behavioural biometrics should not replace occasional authorisation as described above – the proper context should be assessed for when it’s appropriate – but in nearly all other instances it can help organisations confirm customers’ identities in the background.
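The continuous background confirmation described above, as an added example that is not part of the article: one behavioural feature (the average interval between keystrokes, in milliseconds) is folded into a per-user running profile using Welford's online mean and variance, and each new observation is checked against that profile. Observations that fit are confirmed and refine the profile; an outlier is flagged so a policy engine can fall back to explicit authorisation, and it is deliberately not learned, so anomalous behaviour cannot drift the baseline. The feature, thresholds and sample data are constructed assumptions.

```python
"""Added example (not the article's code): a toy continuous-confirmation loop
on a single behavioural feature. Profile = running mean/variance (Welford);
a new sample more than z_threshold standard deviations away is 'anomalous'.
Feature choice, thresholds and sample values are assumptions."""

import math


class BehaviourProfile:
    def __init__(self, min_samples: int = 10, z_threshold: float = 3.0):
        self.n = 0            # samples learned so far
        self.mean = 0.0
        self.m2 = 0.0         # running sum of squared deviations
        self.min_samples = min_samples   # enrolment length before judging
        self.z_threshold = z_threshold

    @property
    def stddev(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    def zscore(self, x: float) -> float:
        sd = self.stddev
        return abs(x - self.mean) / sd if sd > 0 else 0.0

    def observe(self, x: float) -> str:
        """Return 'learning', 'confirmed' or 'anomalous'. Only learning and
        confirmed samples update the profile, so an outlier cannot pull the
        baseline towards itself."""
        if self.n < self.min_samples:
            self._update(x)
            return "learning"
        if self.zscore(x) > self.z_threshold:
            return "anomalous"   # caller should escalate to explicit authorisation
        self._update(x)
        return "confirmed"

    def _update(self, x: float) -> None:
        # Welford's algorithm: numerically stable incremental mean/variance
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)


def evaluate_session(samples, profile: BehaviourProfile = None) -> list:
    """Run a sequence of observations through one profile; return the verdicts."""
    if profile is None:
        profile = BehaviourProfile()
    return [profile.observe(s) for s in samples]


# Constructed sample: ten enrolment readings in the 175-195 ms range, one
# consistent reading, then one far outside the user's habit.
SAMPLE_INTERVALS_MS = [180, 190, 185, 175, 195, 182, 188, 178, 192, 186, 184, 400]

if __name__ == "__main__":
    p = BehaviourProfile()
    for s, verdict in zip(SAMPLE_INTERVALS_MS, evaluate_session(SAMPLE_INTERVALS_MS, p)):
        print(f"{s:4d} ms -> {verdict}")
    print(f"profile: n={p.n} mean={p.mean:.1f} sd={p.stddev:.1f}")
```

In practice a profile would combine many such features and the decision would feed the same policy that handles step-up for transactions of consequence; the point of the toy is the shape of the loop: learn, confirm, and refuse to learn from what you could not confirm.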
The road is long but the benefits are many
So while Gartner estimates that by 2022, 60% of large and 90% of midsize enterprises will implement passwordless authentication in more than 50% of use cases, it is still true that many businesses are struggling to end their reliance on the username/password model.
By evaluating when authorisation is actually necessary using a confirmation mindset and adjusting customer journeys accordingly, organisations can lay the foundation for when behavioural biometrics become widespread to fully eradicate passwords and usernames.
In the end, users will no longer need to remember or type passwords or usernames, leading to better user experiences; and organisations will no longer need to store passwords or usernames, leading to better security, fewer breaches and lower support costs.