A few handshakes among a small group of Silicon Valley techies are presenting the best chance yet to wipe out passwords in favor of modern identity protection.
Near the end of last week's RSA conference, Google and Microsoft both showed off their biometric technology as a trigger for PayPal transactions without passwords. Both technology giants boasted how this technology would retire passwords for good. It's a common prophecy in technology, one that Google itself made three years ago — and PayPal has held as a goal for some time.
So what's different this time?
Google and Microsoft are brandishing their ID technology days after agreeing to standards for the tools that integrate authentication checks onto browsers, websites and connected devices. The FIDO Alliance and World Wide Web Consortium have agreed to this standard, as have a fintech who's who of e-commerce, mobile apps and digital payments.
PayPal, for example, enjoys a huge share of the U.S. digital payments market: about two-thirds of U.S. online shoppers have used PayPal in the past month to make a payment, and PayPal has more active users than Masterpass and Visa Checkout combined.
If that's enough to force Mastercard and Visa to endorse a "single wallet" as a counter to PayPal's dominance, it's likely enough to influence broader changes in authentication. Microsoft, which will support the new ID standards in Windows 10, and Google also enjoy substantial market share, furthering that influence.
Programmers and vendors from across fintech have been predicting the end of passwords for years, and it's usually turned out to be wishful thinking. And the technology Microsoft and Google demoed at RSA isn't new.
Google's plan is to use a fingerprint scan to approve PayPal purchases. Microsoft's plan is to use Windows Hello to read facial features to execute payments.
PayPal, Microsoft and Google aren't alone. The authentication standards list includes Apple, which has advanced Touch ID as a staple for mobile payments authentication and is introducing facial recognition as a new form of identity verification for the iOS operating system.
The standards list also includes Alibaba, the dominant Chinese e-commerce company, which is affiliated with Alipay, a payments app that's larger and more widely used than all of the major U.S. wallet apps combined. Tencent's also onboard, which adds the support of its WeChat Pay, another huge Chinese payment app that's expanding globally.
"This has more potential than any other biometric single sign-on announcement I've ever seen," said Avivah Litan, a vice president at Gartner Research. "With the mobile phone being the way most people log in, it is a ubiquitous token if the phone's ID is supported by the operating systems. Then you have a nearly ubiquitous authentication mechanism."
The standard, called WebAuthn (Web Authentication), defines the browser API that websites and apps call to register and use credentials. It works together with FIDO's Client to Authenticator Protocol (CTAP), which lets a device's security hardware (a security key, or a phone's built-in fingerprint or face sensor) deliver phishing- and malware-resistant authentication over USB, Bluetooth or NFC, connecting the device to secure in-app or contactless payments. The resistance to phishing comes from the fact that each credential is bound to the site that registered it: the browser records the real origin and the authenticator signs it, so a look-alike site cannot reuse the login. So while the promise and the biometric technology are old, the way the devices and sites communicate with each other is new.
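The checks a site (the "relying party") runs on a WebAuthn login assertion are what turn the binding described above into an enforced rule. The following is an added Python example written for this page; it is not code from the article, from PayPal, Google or Microsoft, or from any FIDO/W3C project. The relying-party id, origin, challenge, and the clientDataJSON and authenticatorData byte strings are constructed inline, and verification of the authenticator's signature (computed over authenticatorData plus the SHA-256 of clientDataJSON, using the public key stored at registration) is assumed to be done separately and is not shown.

```python
"""Relying-party-side checks for a WebAuthn assertion (the "webauthn.get" ceremony).

Added illustrative example, not code from the original article or from any FIDO/W3C
project. The relying party id, origin, challenge, clientDataJSON and authenticatorData
below are constructed by hand. Signature verification over
authenticatorData || SHA-256(clientDataJSON) is assumed to happen separately.
"""
import base64
import hashlib
import json
import struct

FLAG_UP = 0x01  # authenticatorData flag: user present (touched / confirmed)
FLAG_UV = 0x04  # authenticatorData flag: user verified (fingerprint, face, PIN)


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge in clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_client_data(challenge: bytes, origin: str) -> bytes:
    """Constructed stand-in for the clientDataJSON a browser serializes for the RP.
    The browser, not the web page, fills in 'origin', which is what defeats phishing."""
    payload = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return json.dumps(payload).encode()


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed authenticatorData: rpIdHash(32) || flags(1) || signCount(4, big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                     expected_origin: str, rp_id: str, stored_sign_count: int,
                     require_uv: bool = True) -> int:
    """Run the binding checks from the WebAuthn assertion verification procedure.

    Returns the new signature counter to store on success; raises ValueError otherwise.
    """
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if client.get("challenge") != b64url(expected_challenge):
        raise ValueError("challenge mismatch (replay or stale login session)")
    if client.get("origin") != expected_origin:
        raise ValueError(f"origin mismatch: {client.get('origin')!r}")
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    if not flags & FLAG_UP:
        raise ValueError("user presence not asserted")
    if require_uv and not flags & FLAG_UV:
        raise ValueError("user verification (biometric or PIN) not asserted")
    # Counter check: a cloned authenticator reusing the key will eventually present a
    # counter at or below the one the RP last stored. Authenticators that do not
    # implement a counter report 0, which the spec exempts when both sides are 0.
    if (sign_count or stored_sign_count) and sign_count <= stored_sign_count:
        raise ValueError("signature counter did not increase: possible cloned authenticator")
    return sign_count


def demo() -> dict:
    """Exercise the checks against one good login and three rejected ones (all constructed)."""
    rp_id, origin = "example.com", "https://example.com"
    challenge = bytes(range(32))  # a real RP generates a fresh random challenge per login
    good_auth = build_auth_data(rp_id, FLAG_UP | FLAG_UV, 42)
    cases = {
        "legit": (build_client_data(challenge, origin), good_auth, 41),
        # Look-alike domain: the browser stamps the origin the user actually visited.
        "phish": (build_client_data(challenge, "https://examp1e.com"), good_auth, 41),
        # Credential scoped to a different rpId presented to this RP.
        "wrong_rp": (build_client_data(challenge, origin), build_auth_data("other.example", FLAG_UP | FLAG_UV, 42), 41),
        # Same counter as already stored: the key has been used elsewhere since.
        "clone": (build_client_data(challenge, origin), good_auth, 42),
    }
    results = {}
    for name, (cdj, auth, stored) in cases.items():
        try:
            results[name] = verify_assertion(cdj, auth, challenge, origin, rp_id, stored)
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} -> {outcome}")
```

Two points worth noting. In a real browser the phishing case usually never reaches the server at all, because the browser only offers a credential to the rpId it was registered under; the origin and rpIdHash checks on the server are the defence in depth for a client that is buggy or malicious. And the counter check only catches a clone after the clone has been used, so it is a detection signal to log and investigate, not a prevention control.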
The mobile environment will lead the way in dumping passwords, said Julie Conroy, a research director at Aite Group, who categorized the move away from passwords as a steady oozing rather than a dramatic shift.
In mobile devices, "technology like biometrics creates both a better user experience as well as greater security," Conroy said. "The computer-based environment will lag, just because consumers are still very comfortable. And worse, we have survey data from last year that shows that most consumers still believe passwords are an effective security mechanism, which we know is not true."
While the influence of the participants is the strongest encouragement of new authentication technology in years, that's also a double-edged sword, according to Litan.
"It gives those companies so much power, almost a monopolistic power," Litan said. "Whoever controls the credentials has tremendous control over the customer experience."
And what probably makes the Google/Microsoft/Apple/PayPal/Ant collaboration the best game in town is that the alternative identity security innovations are still far off. Blockchain has emerged as an option to protect user identity in e-commerce because its decentralized structure removes a single repository of data for crooks to hack, robbing the attackers of scale.
But widespread adoption of blockchain in general, and its broad use for identity protection, won't happen anytime soon.
"There's nothing else on the horizon that can solve this issue," Litan said. "'Bring your own ID' is something that will take place years from now, and we'll also see blockchain ID superseding anything that these oligarchies can do, but that will take years."