Consumers are done with passwords, ready for more innovative authentication


CISOs looking to strengthen their customer authentication procedures to thwart cyberattacks need to walk a fine line. You want the method to provide enhanced security without being too complicated, confusing, or expensive for end users. You should also be mindful of privacy concerns, especially when it comes to approaches like challenge questions or facial recognition.

Selecting the most appropriate authentication method for your customers is a moving target, as consumer attitudes are constantly changing. The pandemic has had an effect: Consumers barred from shopping in-store due to lockdowns have turned to online retailing and have never looked back. Experts say that as consumers get used to digital shopping for things like groceries, they are also becoming more comfortable with other forms of digital commerce, such as mobile banking or digital wallets.

However, demographic differences apply. For example, consumers of the “digital native” generation expect to be able to move seamlessly between all their devices and across multiple platforms such as shopping sites, payment methods and their bank, according to one study conducted by PYMNTS.com and Nok Nok Labs which focused on the banking sector. These super-connected customers are more open to innovative security measures such as passwordless authentication.

One thing all demographics recognize: Passwords are the most annoying authentication method and offer the least protection. Consumers want and expect organizations to move from password authentication to more modern alternatives such as biometrics (fingerprints or facial recognition), multi-factor authentication (MFA) or even methods that are invisible to the user.

Security, a top priority for consumers

According to Experian's Global Identity & Fraud Report 2021, 55% of those surveyed said security is their top priority when doing an online transaction. When asked by Experian to rank authentication methods according to their level of security, 74% cited biometrics as the most secure, followed by PINs sent to mobile devices (72%), and behavioral analysis (66%), a technique that passively uses observed signals and does not require any action on the part of the consumer.

Experian summed up their research this way: “Notably, passwords have not gained a place in the top three methods of authenticating customer identities, although almost all accounts and digital devices include some sort of password protection. This indicates a new shift in consumer thinking that is moving away from the realm of the password.”

The report adds, “One of our most important findings has been the growing consumer comfort and preference for physical and behavioral, or invisible, security methods. The data also shows that consumers are more willing for companies to manage their security and privacy without obvious implication.”

Historically, organizations have used authentication methods that relied on customer actions: remembering passwords, answering identification questions, and the back and forth associated with entering a username / password, receiving a one-time PIN code (possibly on another device if you are using a computer to complete the transaction and the password goes to your phone), then entering it in a field.

James Brodhurst, Head of Identity and Fraud Practice for Experian in Europe, Africa and the Middle East, adds: “Businesses need more than ever to balance fraud prevention and a smooth customer experience. Fortunately, many of the necessary checks can be performed invisibly and in real time during client onboarding. For example, performing consistency checks on their device or performing a customer behavioral biometric assessment.”

PYMNTS researchers came to a similar conclusion. Their survey of more than 2,000 adult consumers revealed a significant disconnect between the traditional methods customers use to access their bank accounts and their preferred methods.

Three-quarters of consumers still use a username / password, but only 42% prefer this method. In terms of alternatives, 18% said they would prefer to use PIN-based authentication, 14% said they would prefer fingerprint-only authentication, 11% wanted facial scans only, and 13% stated that they would prefer MFA.

The result: “With changing consumer preferences, companies have the opportunity to take a new approach to security, layering visible and invisible methods together. By leveraging data and insights gathered throughout the customer journey, companies can facilitate accurate recognition and authentication with every discreet decision,” said the Experian researchers.

Evaluated authentication options

Passwords: the legacy approach

“Passwords have been a constant headache for security professionals for years,” 451 Research said in its recent market intelligence report on MFA. “The inherent security holes in passwords are manifested in the growing wave of data breaches related to credential theft.”

IDC puts it a bit more bluntly in its MarketScape report, Global Advanced Authentication for Identity Security 2021: “Any member of the security team who is unaware that compromised credentials are the primary cause of network security breaches and / or data loss is living under a virtual rock. Passwords are… very bad.”

The result: Passwords are the legacy solution, and customers are ready for better options.

One-time SMS password: another legacy approach

Often associated with a username / password, this commonly used method involves sending an SMS message to the user’s mobile phone, containing a one-time password. However, SMS is not a particularly secure mode of transport and NIST now advises against using SMS as a second factor. Gartner's Market Guide for User Authentication adds that the old out-of-band methods using SMS are “relatively weak”.

Biometrics: a technology whose time has come

With fingerprint-based authentication a feature on smartphones for many years, and facial recognition a standard feature on new iPhones, iPads and Microsoft Surfaces, consumers are getting used to biometrics as an authentication method.

Biometrics offers many advantages in replacing passwords. They are fast, reliable and difficult to tamper with. They don’t require the consumer to do or remember anything.

The only downside is the privacy concerns. It’s one thing if a consumer uses their face to unlock their own phone, but it’s quite another to provide biometric data to third parties, no matter how trustworthy they are and no matter how much they insist that the biometric data is protected and encrypted.

For example, in a recent KPMG survey, only 44% of consumers found it acceptable to use facial recognition to access their financial information. Thus, companies implementing biometrics must make a concerted effort to be transparent about how they handle biometric data.

Multi-factor authentication: two factors are better than one

Gartner predicts that by 2023, 60% of large global companies will deploy MFA, a significant increase from just 10% today. Gartner also distinguishes between legacy MFA, in which one form of identification is the username / password, followed by a second method, either a challenge question or a PIN sent to the consumer's phone or e-mail, and the more advanced MFA, which completely eliminates the password.

An increasingly popular authentication method is push notification. With push technology, users receive a notification on their mobile device through a dedicated authenticator app. Clients open the app, inspect the details of the authentication attempt, and must confirm the verification request. Push is easy to use, efficient and inexpensive. The only real downside seems to be that some users might absently press the approve button without looking at the notification, so they might end up approving a bogus transaction. Gartner says it has seen a growing willingness on the part of customers to adopt methods such as mobile push in the banking industry.

Another problem with MFA is requiring the end user to enter not a username / password but an email address. A real link or PIN is then sent to the email address.

Organizations have many ways to combine various multi-factor methods to find the right balance between security and a smooth user experience.

Invisible authentication: the wave of the future

The most promising authentication method, called invisible authentication, does not require any action from the end user. There are several variations on this theme:

  • Behavioral biometric authentication. It analyzes keystrokes, mouse dynamics, or even the way a person holds their phone.
  • Device recognition. The authenticating party can recognize that the device itself has obtained authentication.
  • Contextual / behavioral. This may include geolocation, the IT environment and the nature of the transaction attempted.

Another concept associated with passwordless, low-friction authentication is continuous authentication based on customer behavior. For example, if the authentication authority has enough contextual information during the connection (IP address, geolocation, history), it can let the user enter. However, the authentication system continues to monitor customer activity, and if anything raises suspicion or the customer attempts a task which requires a higher level of authentication, the system can then send a push notification asking the client to verify a transaction.
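The continuous-authentication flow described above, as an added example that is not from the article or from any vendor's product: the context is scored at login and again on every later action, and a push confirmation is requested when the score or the task calls for it. The signal names, weights, threshold, action names and sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed weights, threshold and action list: illustrative values only.
WEIGHTS = {"new_device": 40, "new_country": 30, "new_ip": 10, "typing_drift": 25}
STEP_UP_AT = 50                               # risk score that triggers a push
HIGH_ASSURANCE = {"add_payee", "transfer"}    # tasks that always need a push

@dataclass
class Profile:
    """History the service holds for one customer (hypothetical shape)."""
    known: dict                # e.g. {"device": {...}, "country": {...}, "ip": {...}}
    key_interval_ms: float     # baseline mean time between keystrokes

def risk_signals(profile, ctx):
    """Compare the current context with the customer's history."""
    found = [f"new_{k}" for k, seen in profile.known.items() if ctx[k] not in seen]
    # Behavioral check: more than 35% away from the typing baseline.
    drift = abs(ctx["key_interval_ms"] - profile.key_interval_ms)
    if drift > 0.35 * profile.key_interval_ms:
        found.append("typing_drift")
    return found

@dataclass
class Session:
    profile: Profile
    audit: list = field(default_factory=list)

    def evaluate(self, action, ctx):
        """Called at login and again on every later action in the session."""
        signals = risk_signals(self.profile, ctx)
        score = sum(WEIGHTS[s] for s in signals)
        decision = "allow"
        if score >= STEP_UP_AT or action in HIGH_ASSURANCE:
            decision = "step_up"   # send a push; act only on explicit approval
        self.audit.append((action, score, signals, decision))
        return decision

    def resolve_push(self, action, approved):
        """Result of the push prompt: anything but an explicit yes is a deny."""
        decision = "allow" if approved is True else "deny"
        self.audit.append((action, None, ["push_response"], decision))
        return decision

# Constructed sample customer history and request contexts.
ALICE = Profile({"device": {"d-1"}, "country": {"GB"}, "ip": {"198.51.100.7"}}, 180.0)
HOME = {"device": "d-1", "country": "GB", "ip": "198.51.100.7", "key_interval_ms": 190.0}
AWAY = {"device": "d-9", "country": "BR", "ip": "203.0.113.5", "key_interval_ms": 185.0}
```

The audit list records every decision with the signals behind it, which is what lets a fraud team review why a customer was or was not prompted.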

As David Britton, vice president of industrial solutions at Experian, says, “Companies have the ability to embrace unseen solutions more freely, which can reduce friction and increase customer satisfaction.”

Of course, each authentication method has its advantages and disadvantages. With invisible authentication, the customer may rightly wonder if the security protocols are there, as they are not readily apparent. This concern can probably be overcome through education and a frictionless user experience.

Copyright © 2021 IDG Communications, Inc.
