MENUMENU

Let’s talk about going passwordless and why it’s possible in just three steps

tl;dr: the digital banks we're working with all want to go passwordless | the CX is paramount, but must be balanced with security | developments in authentication still have limitations and vulnerabilities | it actually only takes three simple steps to ditch the passwords for good
Let’s talk about going passwordless and why it’s possible in just three steps

Customers want their digital banks to be legends. Not huge legends. Even mini-legends are fine.

I have been working closely with multiple challenger, digital and neo banks over the last nine months, and it’s becoming apparent that there is a single common goal that they are all striving to, and that customers are pining for – going passwordless. But banks aren’t aware that it’s actually really simple to ditch the passwords and become something epic. Not saving-the-world-epic, but making small changes to make the experience better and easier for their customers.

When I say ‘password-less’, I mean it

  • Synonymously with a passcode
  • A fingerprint scan
  • A facial authentication request
  • Or any other user-led authentication step

Essentially, a majority-removal of the active authentication process in favour of moving to a ‘trusted state’ with authentication only as and when required.

Not quite as catchy as ‘going password-less’ however, so here we are.

Keep it simple

It’s all about making this security as simple and seamless as possible, and only enforcing it when required.

This is giving digital banks a clear differentiation in their customer experience, which enables them to get them ahead of their competitors.

What is absolutely critical to this is the ability to still maintain a high level of security despite removing or reducing the frequency of this step.

Evolution of the password

Traditional, rules-based security means using a username and password. If these are entered correctly, the end user is authenticated.

This step has developed and become more secure in the last fifteen years or so, i.e. the move to a secondary passcode or randomised part thereof, to a fingerprint, and for a growing number, a facial authentication.

These are great advancements in authentication but still leave a lot to be desired. Some of the limitations include:

  • Authentication tends to focus on a single smartphone or device rather than supporting the omni-digital customer.
  • If the authentication fails, the user must re-enrol or re-enter… cue frustration.
  • Password requirements are so convoluted that the user opts for the convenience of a simple password – or variation of – which introduces security vulnerabilities.
  • Results are binary yes/no, with no regard to the simplicity or complexity of the transaction.
  • Using a different channel such as web or call centre access has an entirely different authentication process, which reflects poorly for brand equity or user convenience…

…to name just a few.

Further hurdles

Once the end user successfully navigates whatever authentication step confronts them, the majority of banking services are now accessible.

We hope that the bank is confident the end user really is who they say they are at this point, as the user now has the ability to move money, change personal details, set up new payees and more – this is what we call, scary.

Yet the bank’s confidence level might not be universal across all devices; the handset range is broad and banks are still relying on authentication methodologies which have very obvious security holes in them:

  • The ease with which a username and/or password/passcode can be guessed, phished, stolen or shared.
  • The fact that anyone can be registered with their fingerprint on your device.
  • Although a device might be authenticated, there are no guarantees to who is using said device.

So the authentication steps in place today have significant problems which span security, user experience, and their ability to offer a secure and consistent omnichannel experience across a broad handset range.

A new hope

No surprise then that digital banks are looking for new ways of doing things, in favour of a more streamlined, secure process.

But if the current processes don’t work, how can they reduce the steps even further without compromising security against breaches and unauthorised access?

Well, strap in because luckily for you during the next three instalments of this blog, I’ll tell you exactly what is required to go password-less!

LinkedIn
Twitter
Facebook
AimBrain - Simply Smarter Authentication