We Need to Talk About Passwords...

A little while ago I finally got round to upgrading my mobile to the latest iPhone. The experience had changed a little (for the better since my last upgrade, anyway) and all I had to do was place my old iPhone near the new one and everything was ‘set up’ for me. All my apps, data, photos and everything else were ported across to allegedly make the switchover seamless and frictionless. That was great until I started opening a few of the apps. Some of the passwords hadn’t synced across and some of the apps were behaving as if I’d never even registered with the organisation – they were treating me as if I was basically a brand new digital customer and I got thrown into a registration journey! The ‘hoops’ I then spent a considerable amount of time jumping through then made me seriously consider whether I wanted to be a customer of that particular brand….

Fast forward a couple of months and I start an exciting new role with Transmit Security and receive my shiny new MacBook. Signed into iCloud for the first time, which is great – all my lovely usernames and passwords are stored in the iCloud Keychain, so I don’t have to worry about forgetting them. However, the problem came when iCloud starts alerting me that security risks are found in 431 online accounts (how did I ever end up with 431 online accounts??!!) and that the security recommendation is that I go to each account and change my password due to it appearing in a known data leak! Thank you Apple for highlighting these security concerns but really the problem is related to the fundamentals of “passwords”. Password management solutions such as those provided by Apple, Google Chrome and Microsoft help alleviate some of the pain, but the real solution is to remove passwords altogether. Which got me thinking, why is all this so infuriating and how did we get to this point with passwords?

Passwords themselves have been around since ancient times, and specifically used to login to computers since 1961, but it took a long time for us to realise that maybe they are not the best way to let people into your digital front door. That might be a major understatement if you’ve ever visited the haveibeenpwned website and been utterly depressed at the number of times your email address (and more) have been compromised in a data breach by one of the many organisations that you’ve trusted with your personal data.

Passwords are also at the root cause of account takeover - they are very easy to steal and they result in real customer friction and frustration. In fact, in recent years, it has been so universally recognised that passwords are bad for consumers and bad for enterprises, it has led to the development of second factor authentication, things like one time pass codes, SMS, or specific mobile apps, to try and increase the level of security at the expense of the customers experience. But the problem here is that many consumers have said that they don't actually download the mobile app or are wary of responding to text messages from unknown originators. So, passwords have had a huge negative impact on businesses for years now.

Also, there is often a very real cost of passwords that gets un-noticed by a lot of businesses today. The perception is that despite the security risk, passwords are a low-cost and easy solution, but the reality is staggeringly different. The FIDO Alliance ran a survey in December 2020 that uncovered the following:

·     58% of respondents have abandoned purchases due to the difficulty of managing passwords;

·     92% of users will leave a website when confronted with a process to recover or reset their credentials.

At this point in time we seem to have arrived at a real tipping point where the support of new standards (FIDO & WebAuthn) by browsers such as Safari and Chrome, alongside the rapid adoption of biometrics means that it feels like we are now entering the end game for passwords. In fact, by 2024, Juniper Research, in a report published in January 2021, predicted that biometric facial recognition hardware such as FaceID integrated in iPhones, will be deployed on more than 800million mobile devices, respectively 90% of smartphones.

If you’ve used the e-commerce behemoth, eBay, recently, you might have noticed something different. eBay now detects if the device being used to log-in supports the FIDO-2 standard. If so, the user receives a pop-up asking them if they would like to enrol in passwordless. If they do, they are asked to enroll their facial or fingerprint biometric and then the next they log-in, no username and password is required – all the user needs to do is present their biometric. Less than a year into their journey to eliminate passwords completely, eBay are already reaping the benefits. Login success rates and completion rates have dramatically improved. More information on this can be found here: https://media.fidoalliance.org/wp-content/uploads/2021/02/Fido-ebay.pdf

There are undoubtedly a number of very different solutions that have been available for a good few years now that all seem to offer passwordless as an approach. So what should a passwordless solution look like for today’s modern enterprise? It goes without saying that it should be aligned to modern standards such as FIDO and WebAuthn. At Transmit Security we have developed and launched a truly unique approach – our BindID Authentication Service. This is a true SaaS solution that offers three key aspects that we feel are critical to offering a complete solution and that when combined give us a position in the market which is unrivalled.

1.    Passwordless Experience – Strong authentication with device + biometrics. No username and absolutely no app or anything else to download;

2.    Identity Portability – BindID allows you to register the customer’s identity once and then authenticate the customer the same way across all channels, applications, and devices;

3.    Infrequent Users – where customers are not logging in regularly and have forgotten usernames and passwords, or changed devices since they last logged in. BindID avoids recovery and reset processes that are not only unfriendly but are also prone to account takeover.

We believe that the case for passwordless is now so compelling, that the question should no longer be if you are considering a passwordless project but when. Because if you don’t, your competitors will.

More information on BindID can be found here: https://www.transmitsecurity.com/bindid