Presented by Wells Fargo
In the early days of the Internet, people had only a few passwords to remember: one for their email, one for their banking, and maybe one more. But with the rapid development of ecommerce, self-service sites, and social media, now everyone has to remember and manage dozens of passwords. Human memory is a constraint, and password reset processes are a source of frustration for all consumers and businesses. In addition, a large number of usernames and passwords have been compromised due to well-publicized breaches in the industry, including login credentials for Yahoo!, LinkedIn, Target, Anthem, etc.
Currently, neither consumers nor businesses think of passwords as the ultimate guarantee for keeping information and accounts private and secure. The death of the password may sound dramatic, but it really means that we will start to seek other means of authentication that are more secure and more convenient.
Already, ecommerce and banking sites utilize behind the scenes layered fraud and security services to ensure customer identities. Increasingly, companies are experimenting with new ways to authenticate, such as biometrics. Passwords won’t die overnight, but as alternative methods of authentication emerge, get tested, go to market, and become popular, we will all begin to transition away from passwords.
There are three key factors driving the need for a better authentication method: consumer behavior, fraudsters, and technological advancement.
Unfortunately, many people use “123456” or “password” as their passwords. According to Keeper Security, “123456” makes up nearly 17 percent of the 10 million passwords the company analyzed in 2016. “Password” was also among the top 10 passwords, coming in as the eighth most common. Websites tend to have different password standards, making it hard for people to remember dozens of different passwords. As a result, people either use the same password for many sites, or write their passwords down, thereby opening themselves up for breaches and identity theft. The use of a strong password can slow or thwart a security compromise to help protect your information.
Fraudsters attack less secure websites in order to brute force guess username and password combinations that work, and then they try these on other, more valuable websites, such as an ecommerce or bank site. Hackers also use keylogging malware on PCs to steal passwords. It’s easy to be a victim of malware, especially if people aren’t diligent in making the latest antivirus updates on their systems, as today, malware can even infect a whole network from a simple click on an ad on a legitimate website.
As a result of their successes in collecting valid usernames and passwords, online attackers have evolved marketplaces where they can sell these username password combinations to others who can target higher-value online sites. While many ecommerce providers and financial institutions have developed defenses against such attacks, including behind the scenes checks, there are still many institutions out there that lack these defenses. Everyone using passwords for secure access is vulnerable in some way.
Advances in tech
Instead of asking people what they know (passwords), many industries have been interested in using what people have, such as their smartphone and cell phone service.
The first password alternative has been-out-of-band validation, where a site would send a numeric code to the customer’s phone via voice, SMS, or push notifications. By checking against the customer phone number on record, and/or the app on the smart phone, this system provides an extra level of validation.
It’s important to recognize that no one solution is immune to compromise, but it is very difficult to compromise a system with layered protection that evaluates a user’s identity and their transactions from many perspectives.
In the last decade, and more increasingly in the last four years, biometric authentication alternatives have entered the solution set: first with voice authentication at the interactive voice response (IVR), then with fingerprint using TouchID and more recently, face, eye vein and iris verification.
There are also emerging alternatives that include behavioral biometrics (such has how someone touches their phone screen or uses the mouse on their PC, or their typing speed), and even pulse or palm recognition. The combination of the sensors and cameras on smart phones, along with sophistication and speed of the software to process the information, put some advanced technologies right there in consumers’ hands.
Technology advances have also worked behind the scenes to help fraud teams pick up on anomalies within typical customer usage patterns. Biometrics, together with other data analytics such as the time of day, browser and device details, or type, size, and destination of a transaction, for example, can help detect fraud.
Those are the trends that have gotten us here — to the ‘death’ or evolution of the password. What now? Are passwords really going away?
Where are we going?
As a bank, a question we often get is whether using biometric technology will prove any more resistant to hackers than the old-fashioned password. One thing to remember is that right now passwords — unless people closely guard them, and follow all recommendations such as changing them regularly — are highly susceptible to theft and phishing.
There are ways to collect and store biometric data that make it safer than passwords. For example, the data can be bound to a device, in which case, loss of device nulls the usefulness of the data. Most people notice their phones are lost within minutes. Also, biometric information is kept not in its raw format, but in a templated, hashed, and salted fashion, using encryption methods that make it nearly impossible to reengineer to get back to an original state for attempted malicious use. When biometric data is combined with behavioral patterns and device and phone number ownership to form a user’s profile, it is much harder to find opportunities for compromise.
Assuming people trust that biometrics are secure, and right now people are in fact adopting biometrics, then the big determinant of popularity will be universal applications, convenience, and usability.
Early adopters may put up with a clunky interface or too many steps in the process, but we won’t get to a critical mass until the majority of users find it easier to use than passwords. As biometrics rely on physical attributes, one biometric cannot work for all people, so providing choices of biometrics will be important to get 100 percent adoption. Where one user may be sight-impaired and cannot use camera-based verifications, those users may be able to utilize finger print or behavioral methods.
At Wells Fargo, we believe that the ecosystem for biometrics continues to evolve rapidly at this point in time. To support our commercial and business customers, we have been evaluating, prototyping, technology-testing, and gathering feedback from customers to ensure we’re delivering the best experience. For example, my team is leading efforts to rollout eye-vein pattern, or eyeprint, authentication for mobile commercial customers.
We predict the use of passwords will see a long tail before they ever go away completely. There are a lot of systems in the world that still request username and password, and there are always a number of people who aren’t going to adopt other measures unless they are forced to change. Financial institutions can lead the way with this technology by making the user experience simple and secure.
Secil Watson is the head of Digital Solutions for Business at Wells Fargo, leading a team committed to providing best-in-class digital channel experiences and delivering innovative solutions for commercial customers. Prior to joining Wells Fargo, Secil was head of the financial services vertical for a leading e-learning company. She earned her master’s degree in business administration from the Wharton School at the University of Pennsylvania and her bachelor’s degree in government and economics from Cornell University.
Sponsored posts are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. Content produced by our editorial team is never influenced by advertisers or sponsors in any way. For more information, contact firstname.lastname@example.org.