Moving the Passwordless Future to the Here and Now

Even amid the great digital shift, some things haven’t changed.

“Many people still love to hate passwords, and still have to wait for authentication requests that [often only] come through [via text] every now and then,” Gerhard Oosthuizen, chief technology officer at Entersekt, told PYMNTS in a recent conversation.

Relying on short-message service (SMS) and other friction-filled verification methods can cause online shoppers to abandon payments mid-transaction — or leave the merchant’s site entirely. The financial institution processing the payment loses out, the retailer loses out and the consumer leaves empty-handed, so to speak, all because of the constant fight to fend off fraud.

But authentication has indeed evolved, in ways that can streamline and improve the consumer experience — and in ways that improve loyalty to merchants.

That presents a new challenge of its own: making people aware that new authentication approaches and offerings are already out in the field, ready to be embraced.

Oosthuizen offered a few examples, including instances where companies capture how consumers use their devices, leveraging behavioral analytics to determine how individuals type and enter data — and whether they are legitimate users and not bots. Geolocation, as another example, helps triangulate where a device is versus where a would-be fraudster says the device is.

The Fast Identity Online (FIDO) Alliance provides another avenue, he said, allowing devices themselves to authenticate identities whenever a user unlocks their phone. Many of the big technology firms are joining this approach, with Microsoft, for example, now allowing customers to remove passwords from their accounts.

What Lies Over the Horizon

There’s now a “resounding echo” throughout commerce, where passwordless checkout has always been just over the horizon.

No matter how authentication evolves, a few overarching principles will be inextricably part of the equation: Users are best protected when they present something they have, something they know and something they are. Current initiatives use at least two of those factors to better authenticate individuals.

“There’s a better user experience and there is less chance for friction and challenges with this process,” he said, adding that the process has also been condensed, especially as Apple, Google and Microsoft have signed on.

“We can actually use the operating systems and access them via the browser, so there are a number of ways now that we can make that authentication journey available wherever you are as the customer,” said Oosthuizen. That seamless quality takes root as authentication is enabled across all devices.

He said efforts by the FIDO Alliance and the World Wide Web Consortium, along with universal standards for authentication, will lead to ubiquity.

While Apple and Google are well known for their “Log in with” function for federated authentication, where consumers can use their Apple or Google account to gain access to a third-party account, the new solution enables any party to issue specific keys that Google or Apple cannot use.

“The new technology is actually really well designed for that,” Oosthuizen said. “So, while it is delivered inside the operating system, you can create a ‘key’ that is specific to, say, bank.com and is not shared with any other company — and it’s unique to you.”

For payments, he said that strong authentication and application programming interfaces (APIs) will foster friction-free commerce — where pop-up authentication requests tied to biometrics will let users just “touch” their IDs to go ahead and use their Mastercard, Visa or Amex credentials.

That smooth, intuitive commerce is coming, the Entersekt executive told PYMNTS. As we move toward the passwordless future, he said, “Things happen slowly — and then things move very quickly. That’s where we are with authentication.”