Life Without Passwords
Passwords are like braces, not only have they not improved in the last 30 years, but they seem to get worse over time. But in this new world with AI and virtual reality it seems feasible that we could eliminate the need for these archaic passwords. Luckily, the widespread adoption of these new technologies saves time by reducing or even eliminating the need for passwords.
Once a month, I review my finances and balances by logging into all my brokerage, banking and retirement accounts. This is an arduous task, being I've worked for several banks and haven't done a great job of consolidating my accounts. Every financial institution has its own password format rules. Inevitably, a painful 'forgot my password' routine is required because I neglected to document the most recent change. This is why mobile facial recognition biometrics has drastically improved my digital experience and saved me a lot of time.
I'm not alone in my distaste for passwords. It is often the number one contact center complaint and one of the biggest hurdles in online banking adoption. Even information security professionals consider passwords risky because fraudsters often leverage fishing techniques to capture them. In fact, password vulnerabilities account for 80% of platform breaches. Hackers know that we are lazy and will just add a "1" and later an "!" to your original password to meet the additional numerical and special character requirements.
Digital security is a constant threat and a regular topic of discussion at most bank board meetings. As a result, financial institutions tend to take a more conservative approach to authentication.
Fortunately, the new passwordless applications are using innovative technics to provide a secure authentication experience without passwords. These applications typically rely on stronger and more convenient authentication factors, such as biometrics or hardware tokens, to verify a user's identity. Here's a general overview of how passwordless applications work:
During the initial setup process, users register their accounts with the passwordless application. They typically provide an email address or phone number, which serves as their unique identifier. Once the user's account is created, the passwordless application verifies their identity using various methods. Some common techniques include sending a verification link to the user's email or a one-time passcode (OTP) via SMS.
After successful identity verification, the passwordless application leverages alternative authentication factors to grant access. These factors can include:
- Biometrics – Utilization of fingerprint, face recognition or other biometric data stored on devices to authenticate.
- Hardware tokens – Use of physical devices, such as security keys or smart cards, which contain cryptographic keys and perform secure authentication.
- Mobile push notifications – Receiving a notification on their registered mobile device, asking to confirm or authorize the login attempt.
- Time-Based One-time Passwords (TOTP) – Employing authenticator apps like Google Authenticator or Microsoft Authenticator, which generate time-limited codes that can be used for authentication.
- Behavioral biometrics - Behavioral biometrics analyze user behavior patterns such as typing speed, mouse movements or touchscreen gestures to authenticate users.
Passwordless applications rely on secure communication protocols, such as HTTPS, to ensure the privacy and integrity of data transmitted between a user's device and the application's servers. Once the user is authenticated, the passwordless application establishes a session, allowing the user to access the application's services without needing to enter a password for each instance. The session is typically maintained using cookies or tokens.
By leveraging passwordless authentication methods, applications aim to provide stronger security while improving the digital experience by eliminating the need to remember complex passwords. However, it's crucial to implement robust security practices and consider potential vulnerabilities specific to the chosen authentication factors to ensure the overall security of the application.