Until recently, most consumer-facing organizations have relied on usernames and passwords to secure accounts. However, widespread data breaches mean that password data has been leaked and can be bought by criminals on the dark web. Plus, consumers don’t like passwords as a security measure.
Our recent survey found that only 40 percent of people are prepared to use usernames and passwords for security, while password management causes people real problems.
- 26 percent reuse five or fewer passwords across all their accounts
- 18 percent write their passwords down – for example in a notebook
- 24 percent have had to abandon online purchases because they forgot their password
- 15 percent have been unable to open a new account with an existing supplier because they forgot their password
The challenge is what do we replace passwords with that provides the necessary level of assurance and is acceptable to users?
In general, organizations need to stop looking for ‘magic bullets’; there is no single authentication factor that will work for all customers in all scenarios.
Generally, what is needed is a layered response where more than one factor is invoked and there is never reliance on a single security measure. Indeed, regulation such as Payment Services Directive 2 (PSD2) enshrines the need for multi-factor authentication for payment providers such as banks and credit card issuers. To meet the need to supplement authentication by password, there has been a mass adoption of one-time passcodes (OTP), often sent by SMS message.
Consumers like this as an authentication method but, unfortunately, there are inherent insecurities in using it. The SMS messaging system was never intended to be used in this way and texts can be intercepted or spoofed. While username/password plus OTP via SMS does provide a level of security, it is certainly not infallible and other methods must be considered.
So how do organizations move consumers away from reliance on these methods?
Fortunately, adoption of biometrics for authentication is gaining pace and people are willing to use them, as our survey revealed:
- 71 percent of people are happy to give a biometric to their bank, with fingerprints being the most popular form of biometric authentication
- 68 percent will provide their bank with a fingerprint
- 37 percent with an eye scan and 36 percent with a facial scan
However, people, it seems, are less willing to give biometrics to other types of organizations – including the government!
Individuals were more than twice as likely to give a biometric to their bank than to a government agency, where only 29 percent would. Just 31 percent said they will give a biometric to their mobile phone operator – raising the question of whether they view using a fingerprint or facial scan to unlock their phone as ‘providing a biometric’. And looking at biometrics for online leisure purposes, only 5 percent would give a biometric to an online gaming company and only 8 percent would use biometrics with a social media provider.
With this in mind, providers will need to invest in how they orchestrate authentication so that they can offer customers what they are currently happy to use and then gradually move them to more secure methods with.
The Advent of ‘Adaptive Authentication’
Over the next year we believe the concept of ‘adaptive authentication’ will take hold. This means making sure the most appropriate method(s) of authentication are used at every interaction, specific to the factors present, including customer preference and ability, level of risk and risk appetite, cost of authentication, and regulatory requirements.
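As an added illustration (example code written for this post, not FICO’s product or a description of how the FICO platform works), the following Python sketch turns the factors listed above into a policy decision. It assumes a hypothetical catalogue of enrolled methods with constructed assurance and cost scores, a constructed risk threshold per tier, and a simplified reading of the PSD2 multi-factor requirement as ‘at least two independent factor categories for any payment’. SMS OTP is deliberately scored below an authenticator-app OTP to reflect the interception and spoofing weaknesses described earlier.

```python
from dataclasses import dataclass, field
from itertools import combinations
from typing import List, Optional

# Catalogue of authentication methods (hypothetical). Factor categories follow the
# usual knowledge / possession / inherence split; the assurance and cost numbers
# are constructed for this example, not measured values. SMS OTP is scored below
# an authenticator-app OTP because texts can be intercepted or spoofed.
METHODS = {
    "password":    {"category": "knowledge",  "assurance": 1, "cost": 0},
    "sms_otp":     {"category": "possession", "assurance": 2, "cost": 1},
    "app_otp":     {"category": "possession", "assurance": 3, "cost": 0},
    "fingerprint": {"category": "inherence",  "assurance": 4, "cost": 2},
    "face":        {"category": "inherence",  "assurance": 4, "cost": 2},
}

# Assurance a session must reach for each risk tier (constructed thresholds).
RISK_THRESHOLD = {"low": 1, "medium": 3, "high": 6}


@dataclass
class Context:
    """Factors present at one interaction (hypothetical field set)."""
    risk: str                                # "low" | "medium" | "high"
    payment: bool                            # regulated payment, e.g. under PSD2
    enrolled: List[str]                      # methods the customer has enrolled
    preferred: List[str] = field(default_factory=list)  # customer's stated order
    new_device: bool = False                 # unrecognised device raises the bar


def required_assurance(ctx: Context) -> int:
    """Assurance needed: the risk tier's threshold, plus one for an unrecognised device."""
    return RISK_THRESHOLD[ctx.risk] + (1 if ctx.new_device else 0)


def satisfies(ctx: Context, methods) -> bool:
    """Policy check for one candidate set of methods."""
    cats = {METHODS[m]["category"] for m in methods}
    if len(cats) != len(methods):
        return False   # two factors of the same category are not independent
    if ctx.payment and len(cats) < 2:
        return False   # payments need multi-factor (PSD2-style) whatever the risk
    return sum(METHODS[m]["assurance"] for m in methods) >= required_assurance(ctx)


def select_methods(ctx: Context) -> Optional[List[str]]:
    """Return the smallest set of enrolled methods that meets policy, trying the
    customer's preferred methods first and cheaper methods before costlier ones.
    None means the customer must enrol something stronger before proceeding."""
    def rank(m):
        pref = ctx.preferred.index(m) if m in ctx.preferred else len(ctx.preferred)
        return (pref, METHODS[m]["cost"], -METHODS[m]["assurance"])

    candidates = sorted((m for m in ctx.enrolled if m in METHODS), key=rank)
    for size in range(1, len(candidates) + 1):
        for combo in combinations(candidates, size):
            if satisfies(ctx, combo):
                return list(combo)
    return None


if __name__ == "__main__":
    # Constructed scenarios: one customer who has only enrolled password, SMS OTP
    # and a fingerprint, and one who has moved to an app OTP and face recognition.
    legacy = ["password", "sms_otp", "fingerprint"]
    modern = ["password", "app_otp", "face"]
    print(select_methods(Context("low", False, legacy, preferred=["password"])))
    print(select_methods(Context("medium", True, legacy, preferred=["password", "sms_otp"])))
    print(select_methods(Context("high", True, legacy, new_device=True)))
    print(select_methods(Context("high", True, modern, new_device=True)))
    print(select_methods(Context("high", True, ["password", "sms_otp"])))
```

The last scenario returns `None`: a customer with only a password and SMS OTP cannot reach the assurance a high-risk payment demands, which is the point at which an orchestration layer should route them to enrol a stronger method rather than silently accept a weaker one. The customer with an app OTP and face recognition clears the same bar with two steps instead of three, which is the practical argument for gradually moving people to stronger methods.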
Until recently, identity verification and authentication systems have tended to be point solutions. You might use one system for managing OTPs by SMS, another for fingerprint recognition and a third for voice biometrics. However, the same solutions are rarely used across the entire customer lifecycle, so the biometric checks used to match a person to the photo in their government-issued documents cannot then be enrolled for use in future authentications.
Future success will depend on how easily and how well these disparate systems can be brought together. Those organizations that take a platform approach early will have an advantage: they will reap the benefits of adaptive authentication sooner, taking a sophisticated, layered approach to security that works across the customer lifecycle.
Data Security Matters
In using biometrics, banks are handling large volumes of personally identifiable information of the most sensitive kind. If criminals obtain your biometric data, you cannot simply replace it the way you would a username and password. Security isn’t just about keeping data safe. If security isn’t right, there is a real risk to an organization’s brand; breaches in security can lead to loss of trust and hence loss of business.
According to the 2018 Data Risk in the Third Party Ecosystem study published by Ponemon, 59 percent of data breaches were caused within the supply chain – a third-party supplier with access to a company’s systems or data formed the point of breach.
In a B2B environment, those organizations that can demonstrate they have a good cybersecurity posture have a competitive advantage, particularly if they can objectively show their clients that they will not create a breach risk for them. Likewise, an ability to objectively assess and communicate cybersecurity posture to consumers is reassuring and will strengthen a brand.
It is key that the assessment of an organization’s cybersecurity posture is empirical, i.e., based on actual data rather than opinion. Solutions such as the FICO Cyber Risk Score have been built with this in mind.
For more information on how FICO helps organizations with customer identity management visit: