Consumers will drive a 'choose your own authentication' security model
Breaches and password fatigue are two major pieces of evidence that indicate that our password-based security system is failing.
There are nearly daily headlines about security breaches at some of the world’s top firms. Long the norm for years, simple username and password protocols for authenticating users are no longer enough for mitigating financial and reputational damage due to fraud.
And of course, remembering our passwords is a continual challenge. And to make it more challenging, we discourage customers from writing down their password or reusing a password across multiple sites. And if they forget a passcode, their options are additional pain points such as calling a call center or using a one-time code or other authentication process. This is far from the frictionless, elegant customer experience we know consumers desire.
Consumers who either are tiring of the password overload, or those who understand that passwords are antiquated security, are driving the fair amount of biometric adoption. Certainly biometric fingerprints create an easy to use, “one touch” authentication process when paired with the customers typical trusted device. Together, these are two factors in the multifactor authentication framework, so they are also a good security best practice. And they certainly solve much of the customer frustration. Rather than relying on a user’s memory, this authentication relies on confirming the person is who they claim to be.
Yet what is the fallback when a customer fails out of this biometric flow, or in other cases, when they aren’t using their device with the built in biometric at that time? The fallback is most often a password, which is problematic for two reasons. One, it may have been a long time since the customer has used the password if they are now a frequent biometric authentication user, resulting in their forgetting the password. And second, if the legitimate user had failed their biometric and is then asked to enter a password, that is definitely not a best practice. The authentication in that example is actually stepping down to a weaker authenticator, the password, from a stronger authenticator, the biometric.
In reality, the best practice for both the organization and the consumer is to have multiple biometric authentication choices. Customers are clearly frustrated with the status quo and will continue to demand the acceptance of their preferred authenticator, whether it be a fingerprint, voice, iris, or even a selfie. Authenticators must create a frictionless experience for the customer, and some companies that understand where the future is headed are creating an organized response to it by adding many different choices for authentication.
Progress in this area, however, will not be something that will happen overnight. Looking at the industry as a whole, to completely eliminate passwords may take years. However, the adoption by customers when a biometric is offered is quite fast.
For example, once a customer has used a biometric fingerprint to identify themselves, they never want to go back to using a password. The fingerprint method of authentication is both quick and not human memory dependent.
Despite this, it is expected there will be some skeptical customers who fear the biometric itself may someday be captured and compromised. However, this risk is actually quite small if the correct architecture is widely adopted. In such an architecture, the biometric identifier never leaves the device and therefore is never stored in a place that could be compromised.
Some online retailers, such as Amazon, have created a simplified customer experience by implementing the use of biometrics in their shopping functionality. Such ease of use created by this development has increased pressure by customers on retailers, financial institutions and other transaction-centric organizations to launch similar services.
As more manufacturers build the authenticators into the devices themselves or the OS, it is very easy to interact with that authenticator. Then it becomes a simpler “consumer authenticator of choice”-based approach, and a more secure environment.
Samsung now offers multiple biometric choices on its S8 model, such as fingerprint and iris scanner, which can be used for Samsung Pay. This is an example of the future of a multimodal biometric framework. There are more options for customers, and a way to choose another biometric if for some reason the first biometric isn’t working. That identifier, when used on a trusted device that has been assessed for risk and anomalies, satisfies a critical piece of multifactor authentication.
However, it is important to point out that the biometric login by itself only proves that the enrolled user is attempting a transaction. Unfortunately, this login gives no insight into the relative security of device itself—in other words, the environment in which the biometric is operating. The device housing the biometric data may be infected with unknown threats, such as application hooking, malware and crimeware designed to bypass the biometric or compromise the information after the biometric authentication is performed.
To truly strengthen security, exceed MFA requirements and ensure a smooth user experience, organizations need to deploy device authentication in addition to such biometrics, fulfilling the “something you have” condition of MFA. When the device itself is authenticated, the environment surrounding the transaction is secured. It is only when one can fully trust the device and confirm the user’s identity that the ultimate device security weapon against fraud—a trusted security token—can be created.
Although corporations may fully support biometrics and the death of the password, budgets are potentially a consideration for corporations that want to build a multimodal biometric-based framework.
However, the benefits for the customer, including security and convenience, as well as for the organization—security, customer delight, and a reduced amount of customer support—far outweigh the cost of the integration. Simpler yet stronger authentication is a good thing and will usher in an era when we won’t have to remember a hundred different passwords. This will be a welcome change for all involved.