Thursday , November 21, 2024

Get Set for the Passage to Passkeys

The technology promises to thwart cyberthieves while simplifying authentication for consumers.

In the ever-evolving landscape of online transactions, the banking and transaction experience is undergoing transformative shifts, focusing on regulatory compliance and fraud reduction, while creating optimal experiences for merchants and their customers.

As the United States is the second-largest country in the world, and generates the most revenue in the e-commerce market, consumers will continue to choose to make purchases predominantly online. That means the payment experience has to align with the cybersecurity standards needed to protect consumer credentials. Luckily, banks are now moving in this direction through the use of passkeys.

Passkey authentication is essentially a modern, passwordless authentication system. It works as a real pair of keys that significantly improves security for banks. In fact, it allows end-user customers to create a strong and secure connection between a digital platform and a personal device in order to log into their accounts using cryptographic keys instead of classic passwords.

Passkeys are functionally replacing the username-and-password combination. However, they operate from a customer’s experience in just the same way as you would unlock your iPhone with face ID/touch ID biometrics or with a PIN. This method of authentication holds significant value for merchants, banks, and consumers alike, and continues to gain traction as a powerful tool in limiting fraudulent activity.

A Favored Choice

In the pre-digital era, security measures were straightforward, with consumers able to withdraw money, make transfers, and make online purchases with minimal identification, often relying on signatures or passwords. However, with the emergence of device-bound passkeys, user authentication of accounts is linked to a specific device, such as an iPhone or Android phone, where only the individual in sole possession of that device can perform that action.

While today’s digital age has made the consumer banking journey convenient through banking apps, plenty of cybersecurity risks still exist. This is especially true with some multifactor authentication (MFA) implementations that are currently in use.

MFA methods like one-time passwords (OTP) and SMS OTP were once introduced to mitigate risks, but they present various challenges for both customers and banks. These challenges include a clunky user experience, interception from attackers through fake Web sites, hidden costs for banks that have to deal with fraudulent activity, and a lack of control that compromises the user experience.

With consumers and regulators demanding the highest security standards, banks have repeatedly faced pressure to enhance security measures. As a result, passkeys have begun to emerge as a favored choice.

At the same time, consumers in at least some recent surveys have been expressing a preference for biometric authentication through passkeys, in large part due to online commerce increasing year-over-year. This was especially the case during this past holiday shopping season, when consumers set a new record for e-commerce, spending $222.1 billion from Nov. 1 to Dec. 31.

Eliminating passwords from the authentication process entirely is certainly gaining momentum. Multi-device passkeys, as well as device-bound passkeys based on FIDO (Fast Identity Online) standards, have created a secure and convenient alternative to passwords just over the last 12 months.

More recently, the world’s largest e-commerce platform, Amazon.com, rolled out passkey support on browsers and mobile-shopping apps. This effort has offered consumers an easier and safer way to sign in to their accounts. By eliminating the need to enter usernames or passwords—and by enabling users to seamlessly switch between devices—this feature has become increasingly valuable as consumers engage in online shopping across various channels.

As a secure and convenient approach, device-bound passkeys offer phishing-resistant, device-bound authentication, in which users that simply touch a thumb or glance at a camera for a two-factor authentication experience will feel as if they’ve offered just one factor. This not only enhances security during the online-shopping experience, it also ensures the process is as seamless and stress-free as possible for consumers.

Secure And Controlled

Looking ahead, true passwordless authentication should go beyond simple biometric authentication on the device. It should include device binding, providing regulatory-compliant two-factor authentication in one step. This advance holds immense promise for both consumers and financial institutions.

Balancing security and convenience based on transaction value, and leveraging biometrics discreetly for lower-value transactions, will support an adaptive approach that becomes especially crucial when transaction volumes soar.

At the same time, the implementation of OEM-independent biometrics to restrict access to authorized account holders on shared devices ensures a secure and controlled banking experience. This is essential when shared devices are common in households.

While passkeys represent a significant step forward, the potential of biometric-powered, passwordless authentication is vast, especially in the financial sector.

Meanwhile, merchants are especially intrigued about the fact that technology now exists that allows the use of secure passkeys that aren’t tied to a specific device. This is accomplished by associating passkeys with authentication technologies, offering even greater user flexibility and accessibility.

Beacon of Hope

The shift from passwords to passkeys emerges as a beacon of hope in the realm of online security. Through continued exploration and adoption of this transformative trend, merchants, banks, and consumers can be empowered with the knowledge they need to navigate this paradigm shift confidently.

Passkeys represent a leap forward in the ongoing quest for a safer, more secure digital landscape. By embracing passkeys, banks, merchants, and consumers alike can ensure a secure and seamless online banking and purchasing experience, with enhanced cybersecurity.

—Quintin Stephen is the global business lead/director for the Authentication Division of Giesecke+Devrient (G+D).

 

Check Also

Click to Cancel Effective Jan. 14 and other Digital Transactions News briefs from 11/21/24

The Federal Trade Commission said its Negative Option rule, also known as click to cancel, goes into effect …

Digital Transactions