Consider this your official notice: passwords have reached end of life (EOL). We’ve heard that the password has been on its deathbed for years. It’s been a long life for a technology created in the early 1960s, but it really is over. In a final salute, MIT Technology Review ranked “The end of passwords” in the top spot on its “10 Breakthrough Technologies” list of 2022.
Indeed, passwordless authentication is worth celebrating, but every EOL requires a strategic plan to ensure a graceful transition. The good news is that distinctly different passwordless methods and solutions have matured to handle both employee and customer use cases. With the convenience and ease of passwordless authentication, it’s now possible to smooth the transition for your customers enough to achieve 100% adoption. This article explains how.
First, let’s explore why ditching passwords is so essential.
Passwordless proof points
Until now, most predictions of passwordless have focused on authenticating the workforce. After all, an enterprise can control how its employees log in and can even enforce the use of passwordless solutions. Google required FIDO security keys for more than 85,000 employees beginning in 2017 and has reported no successful phishing of employee accounts since then. Going passwordless removes the target of most attacks: 61% of breaches involved credential data, according to Verizon’s 2021 Data Breach Investigations Report.
Why customer accounts are higher risk:
Think about your customers who regularly access your mobile apps, websites, service desk, and other channels. Their accounts face greater risk since your organization has little control over their devices, operating systems, browsers, and apps. Plus, consumers tend to be careless with passwords. Up to 84% reuse the same password for many accounts, according to Bitwarden. They’ll also use weak passwords if given a chance — they’re easier to remember, after all.
Hackers take full advantage of our poor password habits with credential stuffing (replaying leaked username and password pairs), credential cracking (guessing weak ones) and other tactics, testing thousands of logins across the web. Aided by bots, account takeover (ATO) fraud is a booming business. According to a 2021 report by Juniper Research, ATO costs U.S. companies $26 billion in a single year.
With an urgency to address this problem, Apple, Google and Microsoft have announced expanded support for FIDO passwordless sign-in across their platforms. Companies that don’t ditch customer passwords will be left in the dust.
Stacking MFA on top of passwords must end
For too long, we’ve tried to address the weakness of passwords with a reactive patchwork of add-ons such as SMS one-time passwords (OTPs), security questions and other friction-filled multifactor authentication (MFA) methods. Stacking these on top of a password adds complexity and cost to your security stack, leaves the phishable password in place and frustrates customers.
A Fast Identity Online (FIDO) Alliance survey shows that 60% of consumers have abandoned a purchase because they forgot their password or were forced to set up a new account. Likewise, a Transmit Security survey found that 92% would rather leave a site than recover or reset their credentials. That’s lost revenue.
Passwordless built for customers
Passwordless for customer authentication presents a unique challenge. Unlike workforce scenarios, you must carefully consider how you change or mandate new authentication mechanisms.
At the same time, many digital identity leaders are too conservative when planning passwordless customer adoption. Prospects and customers often tell us their first-year goal is to switch 5% or 10% of their customers to passwordless. We believe these goals should be much more aggressive. Let’s explore why and how to execute.
Passwordless is smoother and more secure
There are several factors in your favor when switching to passwordless customer authentication:
1. FIDO Authentication, developed by the FIDO Alliance, is an open standard for device-based passwordless MFA that leverages public-key cryptography: the server stores only a public key, and the private key that proves possession never leaves the customer’s device. FIDO-certified solutions are easier to use and far more secure than passwords and SMS OTPs combined.
FIDO is backed by industry leaders; its board includes members from Microsoft, Google, Apple, Wells Fargo, Bank of America, Mastercard, Visa, Intel, VMware, Transmit Security and others.
2. FIDO is much more than biometric authentication, but it’s worth noting that an estimated 80% of active phones in North America, Asia Pacific and Western Europe supported biometrics as of 2020, according to Statista. With a fingerprint or facial ID, customers can log into your site much as they unlock their phone. It’s easy and familiar.
Customers achieve secure one-tap or one-look MFA with their biometric (something they are) and a device-bound private key (something they possess). Neither the biometric nor the private key ever leaves the customer’s device. Instead, the private key signs a fresh authentication challenge locally, and the server checks the signature with the stored public key. Because the server holds only public keys, there is no shared secret to intercept in transit and no repository of credentials for hackers to target.
3. There are many passwordless authentication methods, making it possible to offer password-free login options that work for all customers, including those who are not able or ready to use biometrics. Authenticating customers with an email magic link, for example, is a type of passwordless login that most anyone can use, and it’s more secure than passwords, provided each link is single-use, short-lived and stored server-side only as a hash; a magic link is only as strong as the customer’s mailbox.
With the right solution, customers can also use a biometric-enabled device to log in to an account on a non-FIDO PC, laptop, or mobile device. You can even support customers with cognitive or physical disabilities, making the digital world more accessible. The most advanced passwordless solution addresses every possible scenario and customer flow — so you can completely eliminate passwords — starting with registration through the entire customer journey.
4. Customers want easier, error-free access. According to FIDO, 68% prefer fingerprint or facial ID over traditional two-factor authentication methods. In a survey by Experian, 77% said using biometrics feels most secure. The same study showed that 62% think it improves the experience of managing finances or payments online.
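The exchange that item 2 above describes, a local biometric unlocking a device-bound private key that signs a server-issued challenge, is shown here as an added example; it is not code from the original article or from Transmit Security’s BindID. It is a deliberately stripped-down model of the FIDO/WebAuthn flow in Go using only the standard library: the relying party ID "bank.example", the in-memory credential store and the BiometricMatch stand-in are assumptions, and the hand-rolled signing over the RP ID plus challenge is a simplification of the real WebAuthn assertion format. What it demonstrates is the security property the text claims: the server keeps only public keys, each challenge can be redeemed once, and a look-alike site cannot obtain a signature at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// RelyingParty models your server. Per enrolled device it stores only a public key:
// no password hash, no biometric template, nothing a database thief can log in with.
type RelyingParty struct {
	ID         string                      // hypothetical RP identifier, e.g. "bank.example"
	creds      map[string]*ecdsa.PublicKey // keyed by credential ID
	challenges map[string]bool             // outstanding one-time challenges, hex-encoded
}

// Authenticator models the customer's device: a private key that never leaves it,
// scoped to one relying party and usable only after a local biometric match (unlocked).
type Authenticator struct {
	rpID, credID string
	priv         *ecdsa.PrivateKey
	unlocked     bool
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string]*ecdsa.PublicKey{}, challenges: map[string]bool{}}
}

// Enroll is registration: the key pair is born on the device; only the public key travels.
func Enroll(rp *RelyingParty) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	id := make([]byte, 16)
	rand.Read(id) // crypto/rand.Read never fails on a healthy OS CSPRNG (guaranteed since Go 1.24)
	credID := hex.EncodeToString(id)
	rp.creds[credID] = &priv.PublicKey
	return &Authenticator{rpID: rp.ID, credID: credID, priv: priv}, nil
}

// NewChallenge issues a fresh nonce and remembers it so it can be redeemed exactly once.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	rp.challenges[hex.EncodeToString(c)] = true
	return c
}

// BiometricMatch stands in for the on-device fingerprint or face check; one match, one signature.
func (a *Authenticator) BiometricMatch() { a.unlocked = true }

// signedData ties the signature to the relying party ID as well as the challenge, so an
// assertion obtained by one site is useless to any other.
func signedData(rpID string, challenge []byte) []byte {
	sum := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return sum[:]
}

// Sign returns the credential ID and a signature over the challenge. A phishing site
// presents a different RP ID and gets nothing; without a biometric match the key stays locked.
func (a *Authenticator) Sign(rpID string, challenge []byte) (credID string, sig []byte, err error) {
	if rpID != a.rpID {
		return "", nil, errors.New("no credential for this relying party")
	}
	if !a.unlocked {
		return "", nil, errors.New("user verification failed")
	}
	a.unlocked = false
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, signedData(rpID, challenge))
	return a.credID, sig, err
}

// Verify is the server's check: the challenge must be one it issued and not yet used,
// and the signature must verify under the stored public key.
func (rp *RelyingParty) Verify(credID string, challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	if !rp.challenges[key] {
		return errors.New("unknown or already-used challenge")
	}
	delete(rp.challenges, key) // consumed even if the signature turns out bad
	pub, ok := rp.creds[credID]
	if !ok || !ecdsa.VerifyASN1(pub, signedData(rp.ID, challenge), sig) {
		return errors.New("unknown credential or bad signature")
	}
	return nil
}

func main() {
	rp := NewRelyingParty("bank.example")
	device, _ := Enroll(rp) // setup error elided in the demo
	ch := rp.NewChallenge()
	device.BiometricMatch()
	id, sig, _ := device.Sign("bank.example", ch)
	fmt.Println("login:", rp.Verify(id, ch, sig), "| replay:", rp.Verify(id, ch, sig))
}
```

Because the challenge is consumed on first use and the signed data includes the relying party ID, a login message captured in transit is worthless to an attacker and a look-alike domain cannot obtain a signature in the first place. Real FIDO authenticators also sign a monotonically increasing counter that the server compares with the last value it accepted to detect a cloned device; that check is omitted here to keep the model short.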
Boosting customer adoption to 100%
As with any end-of-life product, you need a clear roadmap for replacing that old, EOL’d technology, in this case, password authentication. To gain all of the advantages of passwordless, be bold — aim for 100% customer adoption. Just be aware that a few factors could inhibit customers from making the switch if you don’t address them directly.
1. For some people, passwordless authentication may seem less secure because it’s so effortless. Passwords, especially combined with OTPs, require more effort and, therefore, might feel more secure. Customers must be educated and assured that passwordless authentication is more secure than what they’re currently using. Encourage them with prompts like, “Use a password-free login to secure your account and prevent fraud.” It can be in the login UI, a pop-up window or presented as an option during a password reset process.
2. Many people worry their biometric data could be stolen or misused just like a password. They’re stuck in the old paradigm of shared secrets. Assure them that their biometric data remains safe on their device with FIDO-based authentication. If done correctly, biometrics are never shared over the internet or stored in a database.
Instead, the customer’s biometric unlocks the cryptographic key, and the private key signs an authentication challenge locally on the customer’s device. The biometric data and private key never leave the device. Only the signed challenge, which contains no biometric data, is sent over the internet. The server verifies the signature with the public key it stored at registration, and if it checks out, the customer gains instant access to their account.
3. Passwords and usernames are incredibly portable. It doesn’t matter what device they’re using; customers can log in with a username and password. By contrast, passwordless customer authentication based on the FIDO standard is not inherently portable. Very few solutions have solved this challenge.
With the right solution, however, offering device binding and unified, cross-platform identities, passwordless authentication enables customers to switch devices, browsers and channels freely. And because passwordless can be quite seamless for the user, there is little-to-no friction when customers move from one channel to another or switch devices. Passwordless done right delivers a smooth omnichannel experience on any device.
4. Passwords are ingrained in your legacy authentication flows. Think about registration, account recovery and deregistration. For many companies, passwords remain at the core of those processes. Unfortunately, those same flows are often the most frustrating for users and vulnerable to compromise.
To avoid this, select a passwordless solution that addresses all of your user scenarios and flows without requiring passwords at any point. Passwords that lurk in the shadows still leave you vulnerable to the most common attacks. The only real solution is to eliminate passwords — completely.
5. High adoption rates of passwordless authentication should be your goal. Here’s how to reach 100% customer adoption:
Mandate it: An increasing number of companies, like Google, Amazon, Wells Fargo and most banks, now mandate MFA using SMS one-time passwords (OTPs). It’s no longer optional. These companies acknowledge that this adds friction to the customer experience (CX), but that is offset by the need to protect their accounts and finances.
You can do the same with passwordless, as long as your solution is smart enough to handle all scenarios. For starters, it should offer more passwordless options than biometric authentication. However, when customers do use a biometric, there’s no degradation of the CX. Customers win on both fronts and will reward you with more business.
Push it to your MFA users: If you’re using OTPs or push-to-authenticate technologies, which require users to take an extra step to log in, give them a passwordless option that’s easier to use. FIDO-based biometric authentication provides strong, phishing-resistant MFA with a single look or touch, making it both the easiest-to-use and the most secure form of MFA.
Offer it at step-up and account recovery: When customers perform more sensitive tasks such as changing their phone numbers, authorizing a transfer of funds or adding a beneficiary to their account, they’re used to step-up authentication that requires them to log in again or use another factor. This moment is ideal for offering the customer a passwordless option instead. You can do the same during an account recovery or password reset process. Once customers are enrolled, give them the option to use passwordless for all authentication.
Incentivize: Given that the cost of account takeovers in the U.S. was $26 billion in 2020 alone, incentives provide a strong return on investment. Consider providing a discount on your products, a free item or even special privileges for those customers who implement passwordless authentication.
Motivate: Limit functionality for those who use passwords or a lower level of assurance. Meanwhile, continue to educate them that passwordless is easier and more secure.
Offer support: FAQs and online support won’t be enough for some customers. Consider using your customer call center to answer any questions, reassure them their biometrics are safe and walk customers through the setup process. Again, the cost of ATO fraud far outweighs the cost of support for the few who will need it.
Retain their trust: Even after customers switch to passwordless, keep educating. A simple icon or a splash screen reminds them that security is still there. After they authenticate, for example, let them know, “You met the highest level of assurance by using password-free authentication.”
Flip the switch now
Use these proven methods to create your EOL roadmap and execute a smooth transition to passwordless. Last year, the FIDO Alliance released a set of “FIDO Desktop Authenticator UX Guidelines” that can also help you.
Be sure to steer clear of passwordless solutions that ask your customers to set up a password during registration or fall back on passwords during account recovery or password resets. Such solutions often fail to support multiple devices or omnichannel experiences as well. They are not truly passwordless, which means they’re not always easy to use and they leave the password in place as an attack surface.
We’re in this together, and Transmit Security is doing it right so you can reach full adoption and get rid of passwords for good.
Let Transmit Security show you what it means to be truly passwordless with BindID