Passwords are widely distrusted for verifying identity and have been blamed for more than 80% of data breaches, but with biometrics and other approaches not yet ready for broad adoption, many innovators are rushing in to fill the gap.
“We’re in a weird limbo, where everyone agrees passwords are no longer secure, and while there’s a lot of talk about biometrics and other inventions, there’s no single solution available that’s been universally accepted, so we’re seeing a lot of experimentation,” said Randy Vanderhoof, executive director of the Secure Technology Alliance, a nonprofit cross-industry security organization.
One example is WWPass, a New Hampshire-based company whose core product is PassKey Lite, a QR code-based app that works in conjunction with a smartphone to support “passwordless login” for websites, replacing the traditional username-and-password approach to authenticating individuals' identities.
PassKey Lite uses encryption in combination with a user’s smartphone to authenticate a person in a format adaptable for payments providers looking to add higher-level security for sensitive data and credentials, said Perry Chaffee, vice president of strategy for WWPass.
Initially developed in 2015, PassKey Lite's latest iteration has been used by organizations in the defense and insurance industries, and it's getting interest from other sectors including financial services and content providers, according to Chaffee.
Where PassKey Lite differentiates itself is enrollment and login. Rather than relying on existing credentials such as passwords or account numbers, PassKey Lite uses a token to associate the user and the device before requesting any other security factors, said Chaffee.
“PassKey Lite flips the process around, so instead of starting with usernames, passwords or biometrics, the phone functions as an identity token in combination with the app to confirm the user’s identity and biometrics, and PINs may be layered on as additional verification factors to step up security if needed,” Chaffee said.
This sequence provides deeper protection for vital biometric data than some emerging biometric security methods that begin with a face scan or iris scan, according to Chaffee.
“Everyone is excited about biometrics as a breakthrough solution for securing users’ identities, but biometrics introduce many long-term vulnerabilities, and our theory is that biometrics are best deployed as the last stage of identity verification, not the first,” Chaffee said.
To sign in via PassKey Lite, a participating website or service displays a QR code the app scans to authenticate the user, who is uniquely associated with that device. If additional reassurance is needed, the user could be asked to supply various other factors, Chaffee said.
Unlike password management apps, which are controlled by the end user, PassKey Lite requires each website or service to integrate with its product, Chaffee acknowledged. But a growing number of companies may be willing to go that distance to add more security for individuals accessing valuable data, he said.
“We’re getting a lot of interest from companies in Europe, because of the high focus on security and privacy there, and we expect to see use cases for consumers coming soon,” Chaffee said, noting that PassKey Lite could replace passwords for accessing payment credentials in a variety of cases including protecting consumer accounts, high-value data and content.
To spread awareness of PassKey Lite, WWPass this month released a free password manager app called PassHub that leverages PassKey Lite. The company said PassHub's device-token approach provides a higher level of security than most password managers.
“Our approach may not work for all organizations, but we’re optimistic about our timing, because the need for alternatives is high, and we’re a long way from seeing the rollout of a broadly used secure next-generation solution,” Chaffee said.
The payments industry can expect a lot more experimentation around identity verification in the next few years as passwords become a bigger risk for organizations, Vanderhoof said.
“We’ll see a lot of solutions tested and piloted in the next several years, and while companies explore their options, the other big question is just how much consumers are willing to do—or pay—for more secure transactions,” he said.