Two things are true in our modern era:
1. The digital economy has changed pretty much everything
2. We have to remember a lot of passwords
Unfortunately, the deluge of individual passwords to remember is pushing the human brain’s memory capacities to the breaking point. It is safe to say customers have collectively grown tired of clicking the “forgot my password” button.
Further complicating matters, the efforts customers make to remember these multiple passwords, such as writing them all down on one “master list” (and keeping it on their device) or re-using the same password for multiple sites, make the security situation worse. The problem is that when this one file or re-used password is compromised, it places the security of multiple accounts in jeopardy.
Businesses are equally frustrated with the broken system. Requiring customers to remember passwords introduces “friction” in the transaction process, which in turn, can produce high rates of shopping cart abandonment and places additional demands on customer service departments and call center operations—driving up operational costs.
Given these facts, it’s not surprising there is an industry-wide movement away from passwords and towards authentication security models that rely instead on assessing the risk of the person’s device, and ultimately, their identity in connection to their device. Two big developments fueling this movement are device identification and biometrics (such as fingerprint and iris-scan software).
The widely accepted method of ensuring security in confirming a user’s identity is two-factor authentication (2FA). This is the use of two different attributes—a combination of something the user knows (for example, a PIN), something the user possesses (such as an ATM card), or something inseparable from the user (for example, the user’s fingerprint).
As we’ve seen, the password method of authenticating a person’s identity (“something the user knows”) is no longer feasible as it places too much demand on customers’ memory. An improved system would instead rely on an attribute that is inseparable and unique to them, such as biometric information like their fingerprint and a second attribute that is something the customer possesses, such as a trusted device.
In fact, the use of biometrics can make transactions so smooth that they become “frictionless.” It is an experience customers love: once a person has used a fingerprint to identify himself or herself, more often than not they never want to go back to the old system.
Some online retailers, such as Amazon, have seized on this and have already introduced the use of biometrics in their shopping experience. This widespread deployment on a mass scale is expected to increase pressure on retailers, financial institutions, and other transaction-centric organizations to launch similar services.
While customer adoption of biometric authentication is expected to be rapid, technological progress in this area will not occur overnight. Completely eliminating the use of passwords is a process that may take years.
This is because work in biometric authentication has been traditionally done in company or industry-specific silos. But now the FIDO (Fast Identity Online) Alliance has emerged to break down these barriers and unite these disparate efforts by working to create an open set of standards so all participating members can agree on a methodology to securely authenticate users across industries.
In doing so, it is hoped the FIDO Alliance will help develop best practices for proper authentication and form a united front to guard against potential consumer compromise and breaches. At the same time, it is expected vendors and corporations will continue to operate independently of FIDO to lessen global reliance on the broken password system with a biometric approach.
There are, however, a few remaining hang-ups in the process. For one, Apple has not yet joined the alliance, which limits the market for adoption. There have also been some delays in the finalization of the FIDO 2.0 specification, leaving some corporations wondering if they should build towards the 1.0 standard or wait for the new standard to be finalized. Budgets are also a big consideration for corporations that want to move towards a biometric-based framework.
There are also some fears and concerns that biometric information may be captured and compromised. Such fears are misplaced, however, as this risk is actually quite small if a standard architecture is widely adopted. In the FIDO example, the biometric identifier never leaves the device and therefore is never stored off the device, where it could be compromised.
Despite these remaining challenges and misconceptions, FIDO’s goal of establishing a common framework and accepted set of standards for simplifying and uniting how organizations authenticate devices will mark significant progress in moving away from the broken password-based security system. FIDO has the potential to set the bar in making transactions largely frictionless, which will benefit both consumers and businesses alike.