Digital Transactions Authoritative, insightful and timely information for payments professionals
Pundits have predicted the demise of the password for years, yet the simple user-name-and-password combination lives on, frustrating security pros and helping to fuel a spiraling epidemic of data breaches. The reason for the password’s longevity lies in its familiarity compared to newer, more effective authentication methods, says a report released this week that looks at how the payments industry could finally get consumers to adopt at least some of these alternative technologies.
It’s not that consumers are wildly in love with passwords, says the report, “Moving Beyond the Password: Consumers Views on Authentication,” issued by Boston-based consulting firm Aite Group and sponsored by iovation Inc., a Portland, Ore.-based vendor of device-authentication technology. Indeed, they typically use only a few passwords across multiple sites to avoid the frustration of not recalling the password they need for vital functions such as banking or payments, says the report.
Instead, consumers simply find passwords easier to use than alternatives. Compared to seven other authentication methods, the 1,095 consumers surveyed for the report rated the user-name-and-password combination the easiest to use, edging out fingerprint scans. For the report, Aite surveyed consumers in four age groups—seniors, baby boomers, Gen Xers, and millennials—who use online banking, mobile banking, or both.
But what this result may really reflect is how familiar consumers are with passwords, which have been in wide use since the 1990s, and how unfamiliar many of them are with the alternatives. For example, consumers ranked device location and recognition fourth and sixth, respectively, on the ease-of-use scale, even though neither technology requires any action by the user. Ranked last is voice recognition, another technology that places few demands on users.
“People just don’t get this stuff,” Julie Conroy, research director at Aite and author of the report, tells Digital Transactions News. “It points to the need for much better education by age group.” For the survey, Aite provided what Conroy calls a “brief description” of each authentication method.
Consumers also have little if any incentive to abandon passwords for an alternative, Conroy points out. “Consumers have no skin in the game” in the case of a breach, as financial institutions typically reimburse them in full for any loss, she says. For consumers, she adds, the loss is a “momentary inconvenience.”
Yet, consumers’ attachment to passwords has led to a crisis in data security. More than 6 billion data records have been compromised by hackers since 2013, according to the report, providing plenty of grist for criminal mills turning out a rising tide of account-takeover and application frauds that are “hitting [financial institutions] and merchants alike,” says the report. User names and passwords, sometimes in clear text, are commonly harvested in these breaches.
Aite recommends a number of steps to help wean consumers off passwords. One move is to encourage more mobile use, where password and user-name entry on a tiny screen is inconvenient, and where technologies like fingerprint recognition are a natural fit. Another tack is to start with authentication that runs in the background and then add further methods depending on risk. Having such an arsenal of alternative methods on hand leaves alternatives available if thieves compromise any particular method and also creates an opportunity for consumers to choose a method they’re comfortable with.
The report also recommends that banks and payment providers open their wallets a little to induce users to move to new authentication methods. “As Starbucks has shown with the success of its mobile app…consumers respond to incentives, and the research shows that millennials will be particularly responsive,” Aite says in the report.
