As consumer expectations about online experiences grow, the ability to deliver enjoyable online experiences which don’t compromise security or control will be a major point of differentiation for businesses in the coming years.
Central to meeting this goal is how businesses handle identity management and authentication for their customers and users. In general, authentication should achieve three objectives: linking a user to their account or online identity, keeping that account secure, and preserving a smooth user experience. Username- and password-based authentication is by far the most common method, but it fails on two of these three counts: security and user experience.
Take security: remembering every username and password is one of the most frustrating aspects of the digital age, and the result is that over 71% of accounts are protected by passwords that are reused across multiple accounts. Reuse means a single breached site yields working credentials for many others, and attackers exploit this by replaying leaked username and password pairs against other services (credential stuffing).
This is a hacker’s dream. Stolen credentials are the cause of 80% of data breaches, and every breach makes downstream breaches more likely by adding to the pool of leaked credentials. Our Consumer Identity Breach Report found that in 2019 alone, the number of consumer records stolen increased by 78.57%; that is five billion records. The same research showed that personally identifiable information was involved in 98% of data breach cases.
The friction caused by reliance on usernames and passwords also costs revenue. Research shows that almost a third of users who have to go through account recovery after forgetting their credentials abandon the process. According to Gartner, up to 50% of all helpdesk inquiries are password resets, an avoidable drain on company resources.
The case against username and password-based credentials is clear and has been for some time. So how can businesses move towards an alternative?
Setting the groundwork
Lack of technological capability isn’t a barrier. Smartphone manufacturers like Apple and Samsung have spent the last decade pioneering the technology needed for passwordless authentication, including Face ID and the Ultrasonic Fingerprint Scanner.
And while this technological bedrock is important, these manufacturers have also changed the way society views biometric authentication: it is now second nature for users to verify their identity with a fingerprint or a face scan.
Now this access technology is moving into other forms of authentication, such as software-based biometrics. Because software biometrics rely on the high-quality cameras already in mobile devices rather than on dedicated sensors, they can be used across platforms, so users can carry one authentication method across multiple accounts and applications. The trade-off is that a camera-based check must also detect presentation attacks (a photo, video or mask held up to the camera), something dedicated sensors are designed to do in hardware.
Another important driver of passwordless authentication has been the FIDO Alliance. With the help of its member community of identity, security, and biometrics experts, the FIDO Alliance has developed and promoted free, open standards, FIDO2 and WebAuthn among them, that have taken passwordless authentication to the next level. We’ve been very proud to put these principles into practice, including in our own usernameless solution, ForgeRock Go.
Moving towards passwordless authentication
So the technology, behavior and standards for passwordless and usernameless authentication are there. How can companies orchestrate the perfect passwordless and usernameless journey for their users? The answer lies in de-emphasising authentication in favor of confirmation.
For example, when you purchase an item online, the e-commerce company is primarily concerned that the payment method is valid and approved. Contextual signals, such as whether the user is on a familiar device in a familiar location, give it the appropriate level of assurance that the user is who they should be, without an explicit challenge.
A model that builds in judgments about how critical it is, at each point in the journey, that a user is who they say they are lets you provide a smooth user journey that mimics real life.
For activities and transactions that are more serious or more expensive, an organisation can introduce adaptive authentication: step up to a stronger authenticator before authorising the transaction, so that the level of verification matches the level of risk.
This combination, ranking the importance of verification and applying different levels of authentication intervention accordingly, gives your customers a smooth and secure online experience.
Behavioural biometrics: revolutionising passwordless authentication
In the coming years, the most exciting advances in usernameless authentication will come from behavioral biometric authentication.
Behavioral biometric authentication uses the behavior of a user, e.g. scrolling speed and patterns, finger size, typing rhythm, to provide ongoing authentication that runs in the background. When implemented correctly, the user won’t even be aware that their identity is being verified.
What’s more, that data can be used to build a user profile that supports personalization of services and products, another important benchmark of positive online experiences. Because the profile is biometric data, it should be collected with the user’s consent and used only for the purposes stated to them.
Behavioral biometrics should not replace the confirmation model and occasional step-up outlined in the previous section: contextual authentication should continue to assess a user’s identity, introducing friction only when needed, with the behavioral score acting as one more signal that can trigger it.
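As an added example of what "ongoing authentication in the background" looks like in code, here is a minimal keystroke-dynamics check: enrol a profile of inter-key latencies per digraph, score each new batch of typing against it, and ask for re-confirmation only when the score stays high for several consecutive batches, so that the behavioral signal adds friction in the spirit of the confirmation model rather than on every blip. This is illustrative code written for this page, not ForgeRock's implementation; the timing data is constructed, and the z-score threshold, stdev floor and window size are assumptions rather than tuned values.

```python
"""Added example: continuous authentication from keystroke timing.

Not ForgeRock code. Timing data is constructed; thresholds are assumptions.
"""
from collections import deque
from statistics import mean, pstdev

# Constructed enrolment data: (digraph, inter-key latency in ms) from the
# legitimate user's own sessions. "er" has too few samples to be profiled.
ENROLMENT = [
    ("th", 110), ("th", 120), ("th", 130),
    ("he", 90), ("he", 95), ("he", 100),
    ("in", 130), ("in", 140), ("in", 150),
    ("er", 100), ("er", 110),
]
LEGITIMATE_BATCH = [("th", 118), ("he", 97), ("in", 143)]
IMPOSTER_BATCH = [("th", 200), ("he", 150), ("in", 220)]

MIN_SAMPLES = 3    # assumed minimum observations per digraph
STDEV_FLOOR = 5.0  # assumed floor (ms) so a tight digraph does not explode z-scores


def build_profile(samples):
    """Enrol: per-digraph (mean, stdev) of latency, skipping sparse digraphs."""
    by_digraph = {}
    for digraph, latency in samples:
        by_digraph.setdefault(digraph, []).append(latency)
    profile = {}
    for digraph, values in by_digraph.items():
        if len(values) < MIN_SAMPLES:
            continue
        profile[digraph] = (mean(values), max(pstdev(values), STDEV_FLOOR))
    return profile


def anomaly_score(profile, observed):
    """Mean absolute z-score of observed latencies against the profile.

    Digraphs absent from the profile are ignored; returns None if nothing matched.
    """
    zs = []
    for digraph, latency in observed:
        if digraph in profile:
            mu, sd = profile[digraph]
            zs.append(abs(latency - mu) / sd)
    return mean(zs) if zs else None


class ContinuousAuthenticator:
    """Sliding window over recent anomaly verdicts.

    Re-confirmation is requested only when `window` consecutive batches exceed
    the threshold, so a single clumsy burst of typing does not add friction.
    """

    def __init__(self, profile, threshold=2.5, window=3):
        self.profile = profile
        self.threshold = threshold  # assumed z-score threshold
        self.recent = deque(maxlen=window)

    def observe(self, batch):
        """Return 'ok', 'reconfirm' or 'no_data' for one batch of keystrokes."""
        score = anomaly_score(self.profile, batch)
        if score is None:
            return "no_data"
        self.recent.append(score > self.threshold)
        if len(self.recent) == self.recent.maxlen and all(self.recent):
            self.recent.clear()  # do not re-request on every following batch
            return "reconfirm"
        return "ok"


PROFILE = build_profile(ENROLMENT)

if __name__ == "__main__":
    auth = ContinuousAuthenticator(PROFILE)
    for batch in [LEGITIMATE_BATCH, IMPOSTER_BATCH, IMPOSTER_BATCH, IMPOSTER_BATCH]:
        print(round(anomaly_score(PROFILE, batch), 2), auth.observe(batch))
```

The "reconfirm" verdict is meant to feed the contextual step-up described in the previous section rather than to log the user out: the behavioral score raises the required assurance, and the existing policy decides which authenticator to ask for. Real deployments use far more features than inter-key latency and must handle legitimate drift (a new keyboard, an injury), which is why the decision here is windowed rather than per-batch.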
I believe it’s perfectly possible for businesses to give customers online experiences which are smooth and convenient without sacrificing users’ security and privacy. What’s more, by taking this approach, businesses open the door to additional benefits, such as a more dynamic and personalized customer experience.
A first step for all username- and password-reliant organisations should be to begin transitioning towards a confirmation mindset. This brings immediate benefits and puts them in a position to fully leverage behavioral biometric authentication as the technology becomes widely available.
When it comes to customer expectations about online experiences, the times are changing. It’s on businesses to make sure they’re changing too.
- Nick Caley, Vice President of UK and Ireland, ForgeRock.