As part of an organization that's waged a four-year campaign against passwords, Brett McDowell envisions wearable technology as the nail in the coffin of antiquated security.
With modern smartphone and smartwatch technology, "users are able to touch something, such as a fingerprint sensor; look at something using a device's camera; or just wear something such as a device that measures your unique heart rate to be authenticated to an online service," said McDowell, executive director of the Fast Identity Online Alliance (FIDO), a coalition of payment, financial services and e-commerce companies.
Dissatisfaction with passwords goes back years, as do efforts to replace them: IBM developers discussed replacing passwords as early as 2008; general biometrics as an identifier have existed much longer; and RBC has tested technology that uses a person's biorhythms. Mobile selfies are also emerging as an option at a number of payment companies.
"One of the biggest obstacles may actually be the username/password combinations everyone has used for decades," said Shirley Inscoe, a senior analyst at Aite Group. "At this point, these credentials don’t represent anything except a false sense of security, but consumers often do not realize that. Of course, many consumers continue to use the same credentials at all online websites they access, only change credentials when required to, and usually don’t choose strong passwords, which exacerbates the problems."
Some leading-edge companies are starting to replace older credentials with biometrics or other new technologies, ironically creating a perception of lessened security, Inscoe said. "In reality, the opposite is true, and consumers are much better protected while having an improved experience with websites utilizing new technologies to replace username and password combinations."
McDowell is hopeful that this time is different—that people, retailers and other companies will accelerate password replacement, partly because of the same mobile technology that's bolstering security.
After an experimental start in which Google Glass provided mixed results, wearable deployments are accelerating, playing a major role in Visa's plans at the upcoming Olympics in Brazil and contributing to the diverse range of payment options for London's transit system. Other wearable payment devices, such as Disney's MagicBand, are maturing as a mainstream option for consumers.
The popularity of these new payment options is threatened by static authentication—pressuring the initiatives to move toward identity risk strategies favored by FIDO, according to McDowell.
"Users demand a consistent experience across all of these devices," McDowell said, adding that transaction authentication technology, which increasingly involves strong user authentication beyond traditional credentials, has to evolve to keep up with these trends. "It's essential that authentication is fast and easy for users or they won't complete the transaction, especially if the experience is optimized for a PC but is being attempted from a mobile phone or a wearable."
In its fight against static passwords, FIDO has recently entered a deal with EMVCo to determine how FIDO's mission can meld with chip cards, and passed a milestone as it certified more than 200 alternatives to passwords. Most recently, Microsoft in July announced it would use FIDO's authentication standards in its update to Windows Hello, a multifactor authentication platform.
"Microsoft is agreeing that the only way to achieve ubiquitous adoption of strong authentication is to build and promote an open industry standard," McDowell said.
The role the FIDO Alliance plays is to enable access to multiple websites using similar methodologies, which allows consumers to have a faster, simpler, more rewarding customer experience, Inscoe said. "Partnering to improve security will be a win-win, although the missing component currently seems to be consumer education," she said.