The case of the missing third: will digital identity finally replace passwords?
As every technologist knows, there are three main factors of authentication: something you know, something you have and something you are. Yet in the online world, there has been a near-universal reliance on something you know – namely your username and password – occasionally supplemented by something you have – namely your email account or your device.
Now, with the Fast Identity Online (FIDO) Alliance gaining ground, the missing third factor looks set to play a much bigger role. And it promises to go a long way in resolving one of the biggest frustrations of our digital lives.
If you think about it, the effective functioning of the digital world relies largely on the process of identification and authentication. Social media platforms, subscription services, online retailers, financial service providers, mobile apps – almost every online service needs to identify its customers. So almost every entity with an online presence routinely issues its own identity credentials, usually in the form of usernames and passwords.
Fragmentation, frustration and friction
As a result:
- It’s frustrating for us, as users, to manage – recent research suggests that most people have an average of 70-80 passwords to remember, and three quarters have had to reset at least one forgotten password in the past 90 days.
- It’s inefficient – with thousands upon thousands of separate identity management and authentication solutions all doing the same thing, as well as managing constant password resets that can cost an estimated US$70 each time.
- It’s inherently insecure – the complexity of the current situation encourages the reuse of passwords. Indeed, 61% of consumers admit to reusing passwords, with 18-to-24-year-olds being the worst offenders. And, even at the best of times, passwords present security risks. Consider, for example, that an estimated 1 million passwords are stolen by hackers every week.
- It prevents the smooth, integrated delivery of services from multiple providers – because each time there’s a password glitch, there’s a risk of abandonment. Indeed, by some estimates, the average consumer abandons 16 purchases a year due to password frustration.
You could say this identity conundrum is the single biggest source of friction in our online lives. And, arguably, it all comes from an over-reliance on passwords. Added to this are the recent regulatory developments around Strong Customer Authentication (SCA), which require transactions to be protected by at least two factors of authentication. Once again, the first two factors – in the guise of passwords and mobile devices – are relied upon. And, in the absence of an elegant implementation, this can bring more friction.
So, wouldn’t it be great if we had an alternative way of authenticating people online?
The stage is set for the missing third factor
Enter the third factor of authentication – that is, something you are, or biometrics.
The great thing about biometrics is that they are always there – at your fingertips, quite literally. They are also unique, so less prone to compromise. And you don’t get that time-lag, which is a characteristic of many SCA techniques, such as waiting for an SMS or email to deliver a unique passcode.
Historically, the payment industry had been hesitant to explore the potential of biometrics – partly over the implementation costs and challenges, the innate risks of centrally managed biometric databases and how consumers may react.
But the implementation of fingerprint readers and facial recognition technology on hundreds of millions of smartphones means that consumers routinely use biometrics without a second thought. Apple reports that nine-in-ten iPhone users activate the Touch ID or Face ID function, using it to unlock their device 80 times a day. Also, a sizeable proportion of people are already using these biometric capabilities to authenticate payments. By mid-2020, for example, an estimated 51% of active iPhone users had enabled Apple Pay, with transaction numbers up by 30% in the previous six months, equating to more than 19.5 billion a year. And because the security resides on the device itself rather than being managed centrally, the risks of compromise are also effectively addressed.