Will digital identity finally replace risky passwords?

As every technologist knows, there are three main factors of authentication: something you know, something you have and something you are.

Yet in the online world, there has been a near-universal reliance on something you know, namely your username and password, occasionally supplemented by something you have, namely your email account or your device.

Now, with the Fast Identity Online (FIDO) Alliance gaining ground, the missing third factor looks set to play a much bigger role. And it promises to go a long way in resolving one of the biggest frustrations of our digital lives.

If you think about it, the effective functioning of the digital world relies largely on the process of identification and authentication.

Social media platforms, subscription services, online retailers, financial service providers, mobile apps — almost every online service needs to identify its customers. So almost every entity with an online presence routinely issues its own identity credentials, usually in the form of usernames and passwords.

As a result, the situation is now frustrating for us, as users, to manage: recent research suggests that most people have an average of 70-80 passwords to remember, and three quarters have had to reset at least one forgotten password in the past 90 days.

It is also inefficient, with thousands upon thousands of separate identity management and authentication solutions all doing the same thing, as well as managing constant password resets that can cost an estimated $70 each time.

Additionally, it is inherently insecure — the complexity of the current situation encourages the reuse of passwords. Indeed, 61 percent of consumers admit to reusing passwords, with 18-to-24-year-olds being the worst offenders.

And, even at the best of times, passwords present security risks. Consider, for example, that an estimated one million passwords are stolen by hackers every week.

It also prevents the smooth, integrated delivery of services from multiple providers, because each time there’s a password glitch, there’s a risk of abandonment. Indeed, by some estimates, the average consumer abandons 16 purchases a year due to password frustration.

You could say this identity conundrum is the single biggest source of friction in our online lives. And, arguably, it all comes from an overreliance on passwords.

Added to this are recent developments around Strong Customer Authentication (SCA), which require transactions to be protected by at least two factors of authentication. Once again, the first two factors — in the guise of passwords and mobile devices — are relied upon.

The stage is now set for the missing third factor, which is biometrics. The great thing about biometrics is that they are always there — at your fingertips, quite literally.

Biometric recognition technologies such as fingerprint, facial and finger vein scanning rely on unique body features such as fingerprints, faces and finger vein patterns, which are less prone to compromise.

You also don’t get the time lag that is characteristic of many SCA techniques, such as waiting for an SMS or email to deliver a unique passcode.

Historically, the payment industry had been hesitant to explore the potential of biometrics – partly over the implementation costs and challenges, the innate risks of centrally-managed biometric databases and how consumers may react.

But the implementation of fingerprint readers and facial recognition technology on hundreds of millions of smartphones means that consumers routinely use biometrics without a second thought. Apple reports that nine in 10 iPhone users activate the Touch ID or Face ID function, using it to unlock their device 80 times a day.

Now, there is intent to extend the third factor to more of our digital lives. The idea is to harness the inherent biometric capabilities of today’s devices within a federated authentication solution that can be deployed wherever and whenever a consumer is asked to identify themselves online.

Its backers include all the global payment schemes, as well as big tech players like Amazon, Apple, Facebook, and Google, device manufacturers like Samsung and Lenovo, and it has government support in countries such as Germany, the UK and the United States.

The Africa and Middle East biometrics market is forecast to grow at an annual rate of 21 percent, with the global biometrics industry set to reach $82 billion by 2027, according to the Biometrics – Global Market Trajectory & Analytics 2020 report published by US-based research firm Global Industry Analysts.

From a Visa perspective, the elegance of the solution enables us to take another step forward in balancing security with convenience.

Of course, the implications, and the benefits, extend well beyond payments. For consumers, the overuse of passwords is arguably the single biggest frustration of our digital lives.

For issuers, offering consumers a more convenient form of providing secure payments mitigates risk, reduces costly fraud and increases customer satisfaction.

And for merchants, who invest time, money and energy into getting customers to the point where they want to buy a product or service, biometrics offer a seamless way for their customers to pay securely, quickly and without frustration, reducing the risk that they might abandon a purchase.

With the potential to remove much of the related friction, and the ability to make online payments just as quick and convenient as face-to-face payments, the FIDO initiative promises to be the right solution at the right time.

Auma is Director, Risk Services - Visa East and Southern Africa