With 80% of Data Breaches Involving Passwords, Their Retirement Cannot Happen Soon Enough

Passwords are, in a word, broken. We all know this — and yet we continue to use them almost reflexively.

“Passwords provide a poor user experience in part because you need to remember all of them, and they’re an insecure form of authentication,” Entersekt Digital Banking Product Manager Praveksha Maharaj told PYMNTS.

 

And they certainly don’t make us more secure. To get a sense of just how vulnerable passwords have rendered us as individuals, Maharaj said they’ve been used in 80% of data breaches and are part of the 15 billion compromised credentials that can be obtained through the dark web.

They’re also tied to friction in eCommerce, where shopping cart abandonment comes when we can’t remember whether (hypothetically speaking) we’ve used our mother’s maiden name or first dog’s nickname as part of our password. As many as 60% of consumers have abandoned purchases due to the difficulty of managing passwords, she said.

The conversation came against the backdrop of global FinTech Entersekt’s announcement that it has expanded its authentication suite to include Fast Identity Online (FIDO) authentication. The company said its FIDO2-certified solution offers an intuitive alternative to passwords and app-based authentication for logins and online payments, and it accepts roaming and platform authenticators.

Read more: Entersekt Adds FIDO Authentication to Security Suite

Moving Toward Standards

FIDO exists as an open standard for passwordless authentication. In terms of the mechanics of that standard, FIDO allows users and organizations to leverage the standard to sign into their resources without a username or password. The standard relies on security keys that are in turn built into devices themselves. More recently, the FIDO 2.0 method features the Web Authentication (WebAuthn) application programming interface (API), which has public key cryptography, and the Client to Authenticator Protocol (CTAP).

Passwords, said Maharaj, have relied solely on the “knowledge” factor — something the user has created and committed to memory, but which could be co-opted by fraudsters. But technological advances and the emergence of smartphones and biometric authentication have introduced unique inherent traits into the mix, including fingerprints and facial IDs. There’s also the “possession factor,” she noted, which extends to the actual device that’s in the consumer’s hands.

That multifactor approach is on track to become a standardized method of authentication, she said. Earlier this year, in collaboration with the World Wide Web Consortium (or W3C), FIDO published user experience (UX) guidelines to help enterprises streamline and make their sign-on experiences more user friendly as the authentication protocol is supported by more than 4 billion devices and all major browsers, including Safari, Chrome and Firefox. Those browsers, she recounted to PYMNTS, represent most of the browser market share globally, so adoption of passwordless authentication should scale quickly.

Elsewhere, and specific to payments-related activity within the financial services sector, are the FIDO Alliance and EMVCo, the standard that is being used in Europe to ensure PSD2 compliance.

“Industry consortiums have been able to move the needle for passwordless authentication,” she said.