How strong can a password really be?
Using a piece of information to restrict and afford digital access inherently lends itself to weakness. A system protected by special knowledge has security deficits that multiply naturally. Such a defense fails in the face of the barest challenges: passwords can be shared, forgotten, or of course, stolen. The security of passwords began to disintegrate at the very moment of their inception; today’s profound challenges to digital security demand a safeguard that cannot be exchanged or misappropriated. The age of the password has passed. The time for biometric-based security has come.
Passwords can do serious damage. They defeat the very definition of a good UX, they’re IT nightmares for businesses, and they grow less secure with each passing year.
I vividly remember when, back in 2015, computer intelligence consultant turned whistleblower Edward Snowden told talk show host John Oliver that a computer could crack an eight-character password in one second. This alarming fact is always on my mind every time I have to create a new account or am prompted to update a password.
With so many accounts to keep track of, it’s no wonder that a 2020 study by ForgeRock found that 43% of cyber attacks were categorized as “unauthorized access” with compromised passwords. Furthermore, over 50% of IT professionals surveyed by Yubico felt that eliminating passwords would improve both user experience and security.
Every business is rightfully obsessed with the customer experience, but this usually comes at the expense of security. Business owners suffer massive losses from data breaches that can cost a responsible company, on average, nearly $4 million and require an average of 300 days to contain. Lost passwords are also detrimental to business owners, as forgetting a password causes one in three online shoppers to abandon their cart, resulting in a multimillion-dollar loss for most e-commerce websites.
The problems don’t end there. According to a recent study, 61% of consumers say that “authentication frustration” has caused them to quit a transaction they would have otherwise completed.
Perhaps most alarming of all, 85% say a difficult authentication process reflects negatively on the company and brand. Businesses go to great lengths to protect their brand’s image, and authentication should be part of that effort.
Instead of looking beyond the password entirely, businesses add layers of complexity to their security processes that fail to make them more secure. Even worse, they also disrupt the user experience.
Knowledge-based authentication can take time to set up and can become a frustrating memory exercise to answer, creating further friction in the user interface. More importantly, with the growth of social media and large consumer data leaks, fraudsters often have their hands on this information, rendering it effectively useless.
Over the years, businesses have increasingly adopted another option: two-factor authentication (2FA). Two-factor authentication is a cumbersome process that forces users to fumble across devices to copy codes from one place to the next. It’s also highly susceptible to fraud such as man-in-the-middle (MitM) attacks, in which fraudsters can intercept your text messages for as little as $16.
While these extra steps are often better than nothing, they often present poor user experience and have gaps that sophisticated fraudsters and bad actors can exploit. These technologies rely only on something the person knows rather than on who the person is. Instead, we should be looking at the obvious solution staring at us from the mirror – our faces.
It’s not just lip service: you are impossibly unique. There has never been, and never will be, a person whose face is exactly like yours. That fact provides so many benefits to businesses that are still working with clunky passwords and their inherent flaws.
Compared to using passwords, using enhanced 2FA with biometric authentication (like a quick selfie) is more convenient and secure. Instead of constantly resetting passwords, searching through sticky notes, or reusing passwords, the customer just needs to snap a picture of themselves. This selfie can be matched against a selfie and/or government-issued ID provided during account enrollment for a virtually perfect re-authentication, all of which happens instantaneously.
Businesses have lost billions in revenue due to friendly fraud and other forms of online payments fraud, and that number is increasing. When a customer claims they didn’t make a purchase, you have a timestamped, verified picture of their face that says otherwise. This technology could also have wide-reaching positive ramifications for wire transfers, account settings updates, logging in to an account, or anywhere else you need to be sure of the actual person on the other side. Subscription-based businesses also lose significant revenue to shared accounts; with biometric authentication, this becomes virtually impossible.
Passwords are on their way out. Biometric technology is now so user friendly and secure that it is nearly ubiquitous. I already use my face to unlock my phone, and it replaces passwords on many apps as well. I imagine a world where we’re checking into flights or trading equities with a mere glance at our phone or whatever mobile device is in front of us.
Everyone hates passwords, but we’re in love with our devices — multi-factor authentication with biometric measures can block 99.9% of all digital attacks. It’s time to harness that power to push security beyond the password-protected boundaries of a bygone era.