Biometrics, passkeys and digital IDs – The alternatives to passwords in 2024

Last updated: 02 May 2024

Another year, another World Password Day comes around. You can almost guarantee the headlines – the number of passwords individuals have, and how simple and easy to guess the most common passwords are. According to a study, 123456 was still the most popular.

The narrative hasn’t changed in years. It’s time to move towards the next generation of authentication. And with Thales’ Digital Trust Index finding password resets to be a top frustration for 64% of the public, there is certainly widespread appeal for an alternative. On this basis, passwordless authentication methods offer exciting potential from both security and customer experience perspectives – it’s a win-win.

So, what is the rationale to move on from passwords, and what forms of passwordless authentication should we have on our radar?

Passwords are out, passkeys are in

Traditional passwords create significant problems from a cybersecurity perspective as they put pressure on the user and rely predominantly on human memory. Thales’ 2024 Data Threat Report once again revealed that human error was a leading cause of data breaches, highlighting the risk for businesses.

Developed by the FIDO Alliance, passkeys are a secure alternative for verifying users and granting access. Unlike passwords, which rely on something you know and need to remember – such as a set of characters or a phrase – passkeys consist of unique digital credentials that are securely stored and synced across your devices in an encrypted format. This credential or ‘key’ can be accessed via an authenticator on your device, which usually requires a fingerprint or facial ID to activate.

Passkeys therefore involve something you ‘have’ (a digital key or credential), and usually, something you ‘are’ (like a face ID or fingerprint) – a two-pronged approach that strengthens the overall security of the authentication process. The banking sector is a prime example of an industry turning towards FIDO passkeys to ensure security, without compromising on UX. In case you missed it, our previous blog series looked specifically at the evolution (and future) of authentication in the banking sector.
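The sign-in flow described above can be sketched in code. This is an added example, not code from Thales or the FIDO Alliance: it is a simplified model rather than the WebAuthn wire format, and the origins, function names and the boolean standing in for the biometric check are assumptions made for illustration.

```javascript
// Simplified model of a passkey sign-in (not the WebAuthn wire format).
// All names and origins below are constructed for illustration.
const crypto = require("node:crypto");

// Registration: the authenticator creates a key pair for one site.
// The private key stays on the device; the server keeps only the public key.
function registerPasskey(origin) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { device: { privateKey }, server: { origin, publicKey } };
}

// Server side: a fresh random challenge per sign-in attempt prevents replay.
function newChallenge() {
  return crypto.randomBytes(32).toString("base64url");
}

// Device side: once the user unlocks the authenticator (fingerprint or face,
// modelled here as a boolean), sign the challenge together with the origin
// that the browser actually sees.
function signIn(device, challenge, browserOrigin, userVerified) {
  if (!userVerified) throw new Error("user verification failed");
  const clientData = JSON.stringify({ challenge, origin: browserOrigin });
  const signature = crypto.sign("sha256", Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Server side: accept only a valid signature over the expected challenge and origin.
function verifySignIn(server, expectedChallenge, assertion) {
  const okSig = crypto.verify("sha256", Buffer.from(assertion.clientData),
                              server.publicKey, assertion.signature);
  const data = JSON.parse(assertion.clientData);
  return okSig && data.challenge === expectedChallenge && data.origin === server.origin;
}

function demo() {
  const { device, server } = registerPasskey("https://bank.example");
  const c1 = newChallenge();
  const genuine = verifySignIn(server, c1, signIn(device, c1, "https://bank.example", true));
  // A look-alike page relays a real challenge, but the signed origin is its own.
  const c2 = newChallenge();
  const relayed = verifySignIn(server, c2, signIn(device, c2, "https://bank-login.example", true));
  // An assertion made for an earlier challenge does not satisfy a new one.
  const replayed = verifySignIn(server, newChallenge(), signIn(device, c1, "https://bank.example", true));
  return { genuine, relayed, replayed };
}

console.log(demo());
```

Nothing the user could type or be tricked into revealing crosses the network in this model, which is why there is no reusable secret for a look-alike site to collect.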

Game-changing Digital IDs

We already use biometric-enabled authentication methods on a day-to-day basis, such as using Face ID to unlock our mobile phones. And, at an industry level, biometric authentication has been rolled out across banks, travel, e-commerce, government services, and critical infrastructure – so mass adoption is well underway.

Biometric-enabled digital wallets can be pre-loaded with all credentials and identity attributes, thereby allowing the user to prove that they are who they say they are in any, and all, authentication scenarios.

Users can simply activate their digital ID by authenticating themselves via a form of biometrics on their smartphone – a quick scan of their face or fingerprint will then launch the QR code for the digital wallet. This will then be scanned by the service provider, or in digital password scenarios, could be synced to online accounts to verify the user.

Biometric authentication and digital IDs allow for a more secure and phishing-resistant alternative to passwords. This security feature, alongside robust levels of encryption, means that no one can claim to be you in order to access your accounts, and prevents the possibility of a counterfeit version.

The takeaways

We are still too dependent on passwords; they are a massively flawed and outdated form of authentication that should be consigned to the history books.

Although transitioning to passwordless authentication methods may be considered a massive overhaul of legacy architecture, as well as a departure culture-wise for users, it is certainly an achievable goal for every organisation.

Organisations must consider what elements of their infrastructure require the strongest form of authentication and protection, and prioritise these as starting points to roll out passwordless authentication.

For further reading, visit:
