Psssst! Heard the one about the archaic P@55w0rd?

tl;dr: why are we using authentication from a bygone era, today? | soft tokens have soft security, and people are easy to break | let's break the madness cycle with face, voice, behaviour, choice or our own death warrant | biometric identity as-a-service is now a thing.

Oh, hey, CX team, yeah…the 90s called and they want their authentication methods back.

I often kick off a meeting by referencing the secret file/app/scrap of paper most of us keep to remember all the passwords we need, which – without fail – leads to a few knowing smiles. After all, the average person is now juggling tens – perhaps hundreds – of passwords and, as we embrace IoT and a connected world, this is set to rise dramatically. In fact, it’s been estimated that there could be over 300bn passwords in use by 2020. Add in the requirement for forced, mandatory changes, and that’s a whole lotta passwords to control.

Technology is helping, but at the same time, diluting the security of the password

You know the little tick box that says “remember my password”? Or when you can’t remember it (or didn’t write it down) so you hit the reset-password button that sends you an email with a link, and you have to go through the whole rigmarole of coming up with a new password that includes uppercase, lowercase, numbers, a minimum length and special characters? Then take that weird test where you have to click on grainy images that contain street signs?

Talk about added friction!

And that’s not even taking into consideration the fact that we’re so used to ticking the ‘remember me’ checkbox that, if your device is stolen or hacked, you could be gifting your thief either instant entry into your apps, accounts or systems, or delivering a one-time passcode right into their hands.

“As a consumer, reliance on ‘remember me’ cookies means that if your device is stolen or hacked, you could be gifting your thief either instant entry into your apps or accounts, or delivering a one-time passcode right into their hands”

It’s now that we see just how much we’re starting to rely on two-factor authentication (2FA). Plus this additional friction – the format, the enforced changes, the re-enrolling and juggling of programmes to get new codes – means that we’re really starting to dislike passwords. That leaves us with a lose-lose choice between a) more trauma and friction or b) really easy passwords that fraudsters can crack using very simple tooling.

In today’s banking world, are these really the only options we have? We are living through a Fintech revolution where a trade can settle or a payment be received in less than a second, where deep learning algorithms are able to self-learn, and yet we think an 8-character password with a capital letter is the safe way of doing this? Honestly? In a blog I posted last year, I predicted the death of passwords, so let’s look at how far we’ve moved on.

Consumer banking and passwords – what’s the state of play?

Usually we have to log on to a banking website or digital platform using a username and password. Some banks have enabled a fingerprint in place of a password for mobile banking (as an aside, you should check out our blog on the limitations of device-based biometric authentication), but that’s about as far as we’ve come. Less of a revolution, and more of a very slow evolution. And it’s hardly the panacea it was envisaged to be, because as soon as we want to do something slightly different – such as making a large or ‘abnormal’ payment or adding a new payee – we are back to needing a password.

Forgetting a password.

Resetting a password.

Ad infinitum.

For me, it’s these one-time passwords (OTPs) that cause the biggest headache. They either get sent to me by SMS or e-mail, which isn’t safe (SS7, anyone?), or – even worse and more archaic – I’m forced to generate them myself using a hard-token device that I never have on me (who does?!).

Banking customers and passwords – a relationship based on need, not want

There are a number of limitations of passwords that a bank must consider, from both its customers’ point of view and its own.

Firstly, consumers hate passwords. We know it. Banks know it. According to one study, over half of us would do away with usernames and passwords entirely in favour of any other method. I doubt I’m the only person who really doesn’t excel at remembering new ones, and my life – and relationship with my bank – would be far more enjoyable if there were an alternative authentication method.

Secondly, consumers don’t want soft or hard tokens. It’s almost comical how antiquated the concept of hard tokens is. Want to make a payment? Well, let’s hope you have your piece of hardware handy. In your desk drawer at work, and you’re at home? Ah…well, you can always phone and jump through the myriad call-centre hoops if you prefer. Oh dear, you don’t have your 6-digit telephone code. Yes, we can reissue that; it’ll be with you in 3-5 working days. And on and on it goes. Isn’t it nuts?

And soft tokens aren’t much better – what about when I don’t have my phone with me and am trying to make an online payment? Or when I’m travelling and the SMS doesn’t get delivered?

The banking industry has its eyes firmly on the “customer journey”, and some great progress is being made in digital channels. So somebody needs to tell the CX team that the 90s called and want their authentication methods back.

Banks and passwords: Costs, fraud and regulation

Regardless of our opinions as consumers, the banks themselves must also consider the inherent security weaknesses and superfluous costs associated with their hard- or soft-token approaches. Sending out and maintaining hard tokens adds considerable cost, although, amazingly, some banks are so far removed from improving the customer experience that they actually charge the customer for this ‘pleasure’! Soft tokens are unequivocally better and more user-friendly, but the security flaws within SMS-based soft-token processes are well documented.

Alas, it also seems that we consumers are ourselves a weak and easily duped link. Developments in cybercrime mean that it’s becoming easier to deceive us, to tease information from us. Social engineering, phishing, SIM card swaps…it seems that despite knowing the threats, we can still be quite clueless at actually identifying them. Just last month, Barclays cited that a whopping 38% of us couldn’t even identify whether a website was safe or not.

Lastly, PSD2 is being interpreted by some as not allowing 2FA using SMS. Given that regulation is only going to get stricter, isn’t it time that banks started looking at other, more secure, ways of authenticating?

Are we doomed? Or are there alternatives?

If we know that passwords are not user-friendly, have security flaws, cost more money and are easy to steal, why do we persist when there are so many alternatives? Isn’t it the definition of madness, continuing to use something when we know what the eventual outcome will be? Let’s look at the options that are readily available today, and that prove safer, cheaper, friendlier and more fit-for-purpose.

The five key alternatives:

1 – Embrace facial authentication. Make it more robust by including next-gen liveness and spoof detection. Verify identity authenticity by having users enrol with passports. Use it as a login or as a step-up authentication in combination with other biometric layers. This will totally eradicate the need for unstable, unfriendly, costly one-time passcodes.

2 – Embrace voice authentication. Allow a user to log in with their voice, or use voice authentication as part of a step-up sequence. Include next-gen liveness and spoof detection as standard. A far better user experience and – when used with other biometric factors like face and behaviour – it layers on the security in an easy and, dare we say it, enjoyable way.

3 – Embrace behavioural authentication! Whether doing it passively (behind the scenes) or actively (prompting for a behaviour), you can use hundreds of gestures or patterns to authenticate someone. You don’t need an OTP if it’s the right person using the phone, laptop, mouse or keypad. You can even step up to face or voice (or both) if you want. Isn’t that a better, safer user experience?

4 – Admit that no one biometric works for everyone. Give customers the choice. Use combinations for watertight security – because no one can look, act and sound like someone they’re not.

5 – Do nothing and be a Nokia. Denounce the new world and watch as everyone but you cashes in on the new wave of technology.
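The step-up idea running through options 1 to 4 above is easier to see in code than in prose. The following is an added illustration written for this post; it is not AimBrain’s code or API. It assumes a small policy table (the action names and the number of active biometrics each needs are invented for the example), treats behaviour as the passive baseline layer, and only counts a face or voice match that also passed its liveness check. When the verified layers fall short, it tells the client which factor to collect next; when no remaining factor could satisfy the policy, it fails closed.

```python
"""Layered step-up authentication policy (illustrative, not AimBrain's code).

Assumptions (invented for this example, not from the original post):
  - actions: login, payment_normal, payment_large, add_payee
  - POLICY gives the number of *active* biometrics (face/voice) each needs
  - BEHAVIOUR is the passive baseline; if it is absent or failed, one extra
    active factor is demanded instead
  - a biometric match only counts when its liveness/anti-spoof check passed
"""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    BEHAVIOUR = "behaviour"  # passive: typing, touch, mouse patterns
    FACE = "face"            # active: selfie with liveness check
    VOICE = "voice"          # active: spoken phrase with liveness check


@dataclass(frozen=True)
class FactorResult:
    factor: Factor
    matched: bool           # template matched the enrolled user
    liveness_passed: bool   # spoof/liveness detection passed


# Assumed policy: active factors required per action (constructed example values).
POLICY = {
    "login": 0,
    "payment_normal": 0,
    "payment_large": 1,
    "add_payee": 2,
}

ACTIVE_FACTORS = frozenset({Factor.FACE, Factor.VOICE})


def verified_factors(results):
    """A factor is verified only if it matched AND passed liveness."""
    return {r.factor for r in results if r.matched and r.liveness_passed}


def decide(action, results):
    """Return (decision, factors_to_collect).

    decision is "allow", "step_up" or "deny". For "step_up" the second
    element names the active factor(s) the client should capture next.
    """
    if action not in POLICY:
        return "deny", frozenset()          # unknown action: fail closed
    have = verified_factors(results)
    needed = POLICY[action]
    if Factor.BEHAVIOUR not in have:
        needed += 1                         # passive layer missing: demand an active one
    active_have = have & ACTIVE_FACTORS
    shortfall = needed - len(active_have)
    if shortfall <= 0:
        return "allow", frozenset()
    candidates = ACTIVE_FACTORS - active_have
    if shortfall > len(candidates):
        return "deny", frozenset()          # nothing left to step up to
    chosen = sorted(candidates, key=lambda f: f.value)[:shortfall]
    return "step_up", frozenset(chosen)


if __name__ == "__main__":
    # Constructed session: behaviour fine, face matched but failed liveness.
    session = [
        FactorResult(Factor.BEHAVIOUR, matched=True, liveness_passed=True),
        FactorResult(Factor.FACE, matched=True, liveness_passed=False),
    ]
    for action in POLICY:
        print(action, decide(action, session))
```

The point the table makes is the one option 4 argues: the decision is driven by how many independent, liveness-checked layers have been verified, not by any single factor, and a spoofed face that matched the template but failed liveness buys the caller nothing.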

So what’s this got to do with BIDaaS (Biometric Identity as-a-Service), and why is that the enabler?

A true password-less solution needs to work across multiple channels. What’s the point in offering a mobile banking experience that doesn’t extend across other channels – for example, where a user can log in to their mobile banking app with a fingerprint, but needs a password online?

What is required is a digital identity that transcends the originating channel. A scenario in which a user can enrol for facial authentication on their smartphone, but access their account using their laptop, without having to re-enrol. Where they can be authenticated by their voice if they’re on a landline to the bank’s call centre. Makes sense, right?

In short, we need BIDaaS (Biometric Identity as-a-Service). We have to be able to identify the person, not just the device. Otherwise we can never truly be sure that the correct person is enrolling for and accessing the account.

What should a bank do today?

I don’t think there has ever been an easier time to implement additional biometric layers than today. This is in part due to the ability of smartphones and other devices to capture voice, face and behaviour, and in part due to the open SDKs that make the implementation quick and simple.

Banks should investigate the options open to them, and look closely at the total cost of ownership of the authentication process. Whilst in-app OTPs may be inexpensive, the cost of managing call centres and posting out additional codes or passwords is not insignificant. Paying for a per-user, per-year, per-module biometric authentication solution is surprisingly cost-effective and will demonstrate a far faster ROI than other authentication solutions. And we’re not even discussing the amount of fraud that can be flagged, in real-time, and stopped.

AimBrain is a BIDaaS platform and we’re helping banks today to stop fraud, offer consumer choice and reduce costs, in a compliant way. Let customers enrol for voice/face/behavioural authentication once, so they can authenticate themselves securely and easily – across any channel – in the future.

AimBrain - Simply Smarter Authentication