Experts are just about unanimous in arguing the password must be replaced for digital authentication. But with what? Here are some considerations payments executives might ponder.
Commerce and banking are increasingly digital. E-commerce is growing 10% to as much as 40% in many markets, while brick-and-mortar growth is in the low single digits in the same markets. In banking, the transition to digital is highlighted by the shrinking branch footprint and the continuing rise in the use of computers and mobile devices for banking and payment activities.
At the same time that an increasing proportion of commerce is migrating to digital channels, the cyberthreat environment is continuing to escalate. Financial fraud is a big business that generates billions of dollars in illicit revenue every year for international organized crime rings. It has been fueled in recent years by vast quantities of breached personally identifiable information (PII), payment card data, and login credentials.
Criminals are making ample use of the data, resulting in rising levels of card-not-present (CNP) fraud. While CNP fraud losses were flat in the U.S. in 2016, they are rising in 2017 at a rate commensurate with the growth in e-commerce as a whole, following the path of other countries that have migrated to the EMV standard.
This concurrent shift of commerce to digital channels, along with the rising tide of cybercrime, underscores the need for the industry to shift to new and better authenticators. Passwords as a security mechanism are dead, and have been for a long time. This message has come from Google execs, the U.S. government, and myriad fraud and security experts (including those at Aite Group) for most of this decade. Yet passwords are very much still part of the fabric of online banking and commerce, so rumors of their death appear to be premature.
One reason for this is inertia. Passwords are a well-understood mechanism among consumers and businesses. Moving to something different is not just a daunting task from an IT perspective. The far greater concern for many financial-institution and merchant executives is the potential disruption of the customer experience.
Consumers are generally quite comfortable using passwords to access their online bank account, with very little difference in attitude across the generations. Part of this comfort level can be attributed to habituation. The username/password combination has been around since the inception of online commerce, and consumers are quite well trained in its use.
Unfortunately, another key reason why consumers are so comfortable with using passwords is that the majority of consumers are only using a handful of username/password combinations across their online relationships. Millennials are the worst offenders, with 77% using between just one and five unique passwords across all of their online relationships. Sixty-six percent of Gen Xers and 57% of seniors use between one and five passwords across all of their online relationships. While the majority of Baby Boomers also use between one and five passwords across all of their online relationships, 32% of Boomers use a different password for each of their online accounts.
What To Do?
So the big question many in the industry are wrestling with is: What do we replace the password with? The answer is that there isn’t one single answer to the question. The industry has long seen that criminals can easily compromise any single-point solution, so we need to move to continual layers of authentication. Much of this can be transparent to the customer, with friction selectively applied based on the context and analysis of the transaction details.
The form of stepped-up authentication will ideally be tailored to customer preference, since what is comfortable for one consumer can be cumbersome for another. For example, while the fingerprint biometric is very easy for many consumers, getting a good read can be difficult for seniors or manual laborers, since fingerprints wear over time.
Similarly, specific solutions within a category will have varying levels of effectiveness based on differing vendor methodologies or sensor capabilities. For example, while fingerprints are quite reliable with high-quality sensors, the lack of liveness checks on many mobile phones, combined with the relying party's inability to link the fingerprint stored on the device to a specific user (the phone reports only that some enrolled finger matched), somewhat degrades the effectiveness.
In some cases, there is a win-win, and more secure forms of authentication can also provide superior user experiences. A couple of examples:
– Replacing the clunky process of keying the username and password into the tiny mobile phone keyboard with biometric login for mobile apps;
– Using mobile-device identification to remove layers of friction when users contact a call center.
The concept of multiple layers of detection and authentication technologies has long been a best practice in digital channels. The key to successfully deploying these without disrupting the user experience is to ensure that solutions are well-integrated, not additive. Any friction should be appropriate for the risk of the transaction.
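The layered, risk-based approach described above can be sketched as a small decision engine: passive signals (device recognition, geolocation consistency, payee history, amount, velocity) are scored transparently, and only when the score crosses a threshold is a step-up authenticator requested, chosen from the customer's own preference order and limited to what their channel can actually support. This is an added illustration, not code from the article or from Aite Group; the signal weights, thresholds, authenticator names and sample transactions are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"        # transparent: passive signals alone carry the transaction
    STEP_UP = "step_up"    # one extra authenticator, picked from the customer's preferences
    DENY = "deny"          # too risky for any self-service authenticator; route to review


@dataclass
class TxContext:
    """Signals gathered transparently, without asking the customer for anything."""
    amount: float
    typical_amount: float       # customer's usual transaction size (assumed to be known)
    device_known: bool          # device identifier seen before on this account
    geo_consistent: bool        # IP geolocation consistent with recent sessions
    new_payee: bool             # first payment to this beneficiary
    txns_last_hour: int         # velocity


@dataclass
class CustomerProfile:
    """Ordered authenticator preferences, and what the current channel can actually do."""
    preferred: list             # e.g. ["fingerprint", "push", "otp_sms"]
    available: set              # e.g. {"push", "otp_sms"} when the device has no usable sensor


# Illustrative weights chosen for this example; a real engine would tune them on fraud data.
WEIGHTS = {
    "unknown_device": 30,
    "geo_mismatch": 25,
    "new_payee": 15,
    "unusual_amount": 20,
    "high_velocity": 20,
}


def risk_score(ctx: TxContext) -> int:
    """Additive score over the passive signals; higher means riskier."""
    score = 0
    if not ctx.device_known:
        score += WEIGHTS["unknown_device"]
    if not ctx.geo_consistent:
        score += WEIGHTS["geo_mismatch"]
    if ctx.new_payee:
        score += WEIGHTS["new_payee"]
    if ctx.amount > 3 * ctx.typical_amount:
        score += WEIGHTS["unusual_amount"]
    if ctx.txns_last_hour >= 5:
        score += WEIGHTS["high_velocity"]
    return score


def decide(ctx: TxContext, step_up_at: int = 30, deny_at: int = 80) -> Decision:
    """Map the score to the amount of friction the transaction justifies (thresholds assumed)."""
    score = risk_score(ctx)
    if score >= deny_at:
        return Decision.DENY
    if score >= step_up_at:
        return Decision.STEP_UP
    return Decision.ALLOW


def choose_authenticator(profile: CustomerProfile) -> Optional[str]:
    """First preferred authenticator the channel supports; None if nothing fits."""
    for method in profile.preferred:
        if method in profile.available:
            return method
    return None


def authenticate_transaction(ctx: TxContext, profile: CustomerProfile) -> Tuple[Decision, Optional[str]]:
    """Combine risk analysis with customer preference to pick the step-up, if any."""
    decision = decide(ctx)
    if decision is not Decision.STEP_UP:
        return decision, None
    method = choose_authenticator(profile)
    if method is None:
        # No usable self-service authenticator: do not silently fall back to a weaker one.
        return Decision.DENY, None
    return Decision.STEP_UP, method


if __name__ == "__main__":
    # Constructed sample contexts, not real transaction data.
    routine = TxContext(amount=40.0, typical_amount=50.0, device_known=True,
                        geo_consistent=True, new_payee=False, txns_last_hour=1)
    new_device_new_payee = TxContext(amount=60.0, typical_amount=50.0, device_known=False,
                                     geo_consistent=True, new_payee=True, txns_last_hour=1)
    takeover_pattern = TxContext(amount=900.0, typical_amount=50.0, device_known=False,
                                 geo_consistent=False, new_payee=True, txns_last_hour=6)
    # A customer whose fingerprints read poorly has push at the top of their preference list.
    worn_prints = CustomerProfile(preferred=["push", "otp_sms", "fingerprint"],
                                  available={"push", "otp_sms", "fingerprint"})
    for ctx in (routine, new_device_new_payee, takeover_pattern):
        print(risk_score(ctx), authenticate_transaction(ctx, worn_prints))
```

The point of the structure is that the layers are integrated rather than additive: the passive signals are always evaluated, but the customer is only interrupted when the score says so, and the interruption uses the authenticator they find least cumbersome rather than a fixed one for everybody.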
While intuitive in concept, stitching the layers of detection and authentication together in a way that works well and is nimble enough to evolve with the pace of fraud is a real challenge for businesses. Most FI and merchant executives acknowledge that their current environment is far from achieving this ideal, but many are on the journey to move beyond the password to better and more secure forms of authentication.
—Julie Conroy is research director at Aite Group, Boston.