The password doesn’t get a lot of love these days, and not for entirely unfair reasons. Consumers in 2019 are well past the point where they have a few digital relationships such that they only have to remember a password or two — they have dozens, if not more, and trying to keep the mix of letters and numbers straight for each site can be a bridge too far for most of us.
It’s all a bit unfair, Stephen Maloney, EVP at Acuant, told Karen Webster in a recent conversation, because truth be told the password, when properly used, can be just fine as a method of authentication. It’s just that the proliferation of passwords means it is almost impossible for any human being to use them right.
Doing it correctly, he noted, entails using strings of nine or more characters, with a mix of symbols and uppercase letters — and then using a different one for every different digital relationship. Hardly anyone can do that. And while Google and Facebook can act as the auto-repositories for all passwords —solving part of the problem — it does create the small issue that if someone should gain access to or control of those master accounts, they have “the keys to the kingdom,” according to Maloney.
Which means the password, despite its persistence, is in decline. There is a life and usefulness for it as an identification method, he said, but it’s a diminishing one.
“Passwords are particularly being diminished in the corporate space,” Maloney said, “where you run the risk that one errant person can leave a door open for potential hackers. We’re going to see multiple kinds of protections in order to protect and safeguard corporate databases.”
The same should be true of securing individual data, he said, but consumers are a little more complicated and have demands far more varied by context. Broadly, he noted, consumers want to eliminate friction while remaining secure — and the future of replacing the password will be in offering the right technological innovations in the right contexts to fulfill both of those needs.
The Consumer in Context
A customer taking an Uber ride or ordering with the help of Alexa, Webster noted, isn’t using a password to authenticate either of those transactions — but feels secure enough because of the underlying security infrastructure to be unworried by that fact.
As a matter of technical fact, Maloney said, that customer probably could worry. If someone makes off with your phone, they will likely be able to fraudulently order up an Uber ride if they can figure out how to bypass whatever biometric authentication is on the device, he pointed out. But it’s a low risk for the consumer, he said, because Uber would reimburse them, and it’s a low risk for Uber because it is very unlikely to lose millions, or even thousands of dollars to that type of circumstance.
So, change the context or type of transaction — and change the customer expectation, he said.
“Therein lies the challenge for all of us. Find that balance between the consumer journey they’re on and how much friction they are willing to tolerate in their lives for it,” he said. “When I’m moving $500 or $5,000 between my bank accounts I might be willing to tolerate a little more friction and time than I am when I am waiting on a latte at Starbucks.”
And those contexts are going to make a difference in what kind of technology or authentication solution is going to come into play — because, he noted, it’s not going to be a single answer that dethrones the password so much as a variety of possible combinations of authentication methods, active and passive. It might be a matter of consumers using the mobile technology in their hands — and requiring a biometric marker like a fingerprint scan or sending a selfie. It might mean using geolocation technology in the background, to make sure the device trying to do the transacting is in the location where one would expect the consumer to be.
“You’re seeing the de-evolution of the password as alternative technologies come to bear and we are going to see different geographies adopt different use cases as needs and cultures vary,” he said. “I think right now we can see document authentication, facial liveness and voice coming up as big opportunities.”
The Evolution of Authentication
While not a perfect metaphor, there are some similarities in how authentication is evolving to how payments have evolved, Webster and Maloney agreed. Starting with cash, payments evolved through checks, credit cards, debit cards and now into a whole host of emerging and growing forms of digital payments — where use is generally dictated by customer need or preference.
“If think you are seeing a path that somewhat resembles that, we are not going to see the password die overnight, but its use and utility are going to diminish over time,” he said.
What he hopes to see arise, Maloney said, is a notion of “self-sovereign identity,” wherein everyone owns their identity and how they use it. The technology to enable that exists today, Maloney noted, but deploying it, finding acceptance for it and fully sketching out the use cases for it hasn’t been solved yet. And in reality, he said, those challenges will likely be on the table for the next five-plus years.
But in that time, there will be progress in a variety of areas, he said. For innovation in authentication, he said, the places to look are where firms stand to lose a lot from failure to authenticate the individual or bot conducting a transaction.
“One axis is high value or high risk,” Maloney noted, “another axis is the need for compliance or highly regulated. The sweet spot there, obviously, is high value and highly regulated.”
These are the places where the greatest assurances are required, and they are key to the innovative path forward because innovation tends to “percolate down” from them.
There will also be the race among players like Google, Amazon, Apple and others to keep innovating on that consumer experience.
“You’re going to see us and other folks working to take friction out of the equation,” Maloney said.
That might be in digitizing credentials, or in pushing more of the work of authentication behind the curtain instead of in the consumer’s face.
None of it will kill the password overnight — any more than the emergence of digital payments has destroyed cash. But it will mean the password will stop being the central authentication player in much the same way cash was ousted from the center of transactions. Because what consumers want, as much as they want to be secure, is for their digital journey to be easy — and they’ll follow the path of least resistance that is provided to them.