Have you entered a password somewhere today? Do you wonder why you’re still having to do that? Did entering that password give you a feeling of digital safety? Did it make your consumer experience more enjoyable?
Cybersecurity and identity management experts have been proclaiming the benefits of and absolute necessity of Multifactor Authentication (MFA) and risk-adaptive authentication for years now. MFA is the leading concept for implementing strong authentication, which is defined as the combination of two or more of the following: something you know, something you have, or something you are. Indeed, you won’t hear anyone in the field deny that MFA and risk-adaptive authentication are two of the best ways to reduce cybercrime and fraud, particularly account takeover (ATO) fraud. But we enter passwords every day.
Every. Single. Day.
It doesn’t improve security, and it doesn’t make for a pleasant user experience. So why are we still doing it?
- Security and user satisfaction are just not high enough priorities in some organizations yet
That’s it, there’s no need for a second bullet point. Here are some common retorts:
“Security and user satisfaction are important to our org, but we don’t have the budget.” Find the budget. Authentication system and service upgrades are not as expensive as you may think. The offset against potential fraud risks, especially in certain sectors, can be demonstrated to pay for it.
“We haven’t had any security incidents tied to password breaches.” Are you sure? Even if that’s true, it’s only a matter of time before it does happen.
“We’re a small business, the big cybercriminals aren’t targeting us.” The days when big global brands and big banks were exclusively targeted are gone. If your organization has something of value or processes transactions of any kind, then it is likely already on the radar of cybercriminals.
“We have legacy Line of Business (LOB) applications that don’t interoperate with identity and authentication standards.” Admittedly, this is a tougher issue. Most IAM and IDaaS authentication services allow for customization to address compatibility for older applications. It’s probably harder to integrate old apps, but not impossible. Moreover, legacy LOB apps often reside on unsupported operating systems which are more vulnerable to exploits. A project to upgrade authentication may have additional security benefits if legacy apps on out-of-service OSes can be removed.
“Users are used to entering passwords.” That may be true, but it doesn’t mean we like doing it. Many of us know that passwords are weak security. It makes us wonder what else you’re doing wrong. When security conscious users enter passwords into websites or mobile apps, we doubt that those organizations are committed to the security of our information and finances. Repeated entering of passwords leads to reduced trust in the organization asking for passwords. Erosion of trust leads to diminishing customer loyalty, lost business, and shrinking revenue.
Insecurity leads to doubt, doubt leads to mistrust, and mistrust leads to the dark downside of lost business.
Many of us have been waiting for years for the promise of passwordless authentication. IAM vendors typically define passwordless as removing password databases from centralized systems, thereby improving security by reducing the likelihood of password breaches. Mobile phone-based biometrics and FIDO are good examples of passwordless authentication. It’s important to note that although password databases may be omitted in passwordless authentication systems, users may still have to enter passwords or PINs occasionally, but those factors are evaluated locally on the users’ devices. We have, however, fortunately observed that the number of completely passwordless solutions in the market is increasing.
Fortunately, thanks to many excellent authentication solutions and services available in the market, it’s never been easier for organizations that still use traditional passwords with centralized databases to move away from them. For more information on authentication solutions, see KuppingerCole Research.
If we can’t get to fully passwordless, we’ll settle for password-fewer. Password authentication can be augmented by risk analysis. Many sites that still appear to use passwords are actually doing sophisticated examination of many attributes in the background. This is what social media, some big retailers, and other forward-looking organizations are doing. Their users have passwords “on file” but rarely have to use them because of the advanced risk analysis that going on behind the scenes. Examples of contextual information considered includes device intelligence, IP address (history and reputation), browser attributes, geo-location of request, time/day, etc. All these data points can be compared at transaction time to a per-user historical baseline. In cases like this, the password is the fallback. If the risk analysis concludes that the request context is within acceptable parameters, the user doesn’t get prompted to re-enter a password, get an email/SMS OTP, etc. It’s smooth surfing. Only if the risk analysis shows a significant deviation would the user be asked to explicitly demonstrate they are who they say they are.
The unobtrusive nature of risk-adaptive / password-fewer authentication is a win-win for those who deploy it: they reduce their own risks of loss from fraud while providing a better experience for their customers. Happy customers mean repeat business.
Best of all, MFA and risk-adaptive authentication can go hand-in-hand. Risk-adaptive authentication systems can leverage MFA methods for those cases where they do sense something is amiss in the request context and need to re-authenticate or step-up authentication for certain types of transactions. Mobile push notifications, mobile biometrics, and FIDO authenticators improve usability and security concomitantly.
Rather than continuing to wait on the organizations we interact with to update their authentication systems, how do we move forward?
- Ask. Use available contact methods such as emailing support or chat options. At least requests are registered. Honestly this method has not met with much success.
- Ask more formally. Contact CISOs of organizations that use weak authentication and respectfully request that they implement MFA and risk-based authentication to reduce their risk and protect your information and assets better. Consider having an attorney send a letter on your behalf. If the organization in question does not have a CISO, find contacts for their legal counsel, CIO, CTO, or another high-level position that has the power to make positive changes.
- Look for more secure alternatives in the marketplace. If you feel that your info and assets are not being properly protected by the service providers you are currently doing business with, then look for those that do offer the kind of security that you need.
It’s time for consumers to make their concerns and desires for a more secure ecommerce ecosystem known. Join us at EIC in Berlin in May for a vibrant discussion on the latest authentication technologies and how implementing them can protect organizations, consumers, and improve business.