LoginID CEO: Time To Put Passwords Out To Pasture
Call it the Venn diagram of life — the connected economy that brings financial services, commerce, and all manner of activities into the digital realm, where we go from site to site to get things done.
And connecting it all is the password, all too often forgotten or compromised.
Simon Law, co-founder and CEO of LoginID, told Karen Webster that passwords are hardly the optimal way to move between sites or devices: one provider still recognizes a password you invented three years ago, while the one you changed yesterday is already forgotten and cannot get you into the other site you need access to right now.
Stronger online authentication and verification are needed, he said, so that as consumers move between ecosystems and websites in the connected world, they can log into those systems more or less automatically.
The FIDO Alliance (FIDO stands for Fast IDentity Online), as has been noted here previously, was formed to foster interoperability among strong authentication technologies.
And as Law told Webster, the FIDO Alliance’s efforts to make sign-on easier, safer and based on unified open standards are finding traction in several verticals and across several use cases, with the perhaps paradoxical result that stronger authentication at critical points of interaction with end users can lead to higher conversion rates for merchants.
He pointed to delegated authentication flows that preserve the integrity of identities and transactions while helping get rid of the dreaded password.
Speaking generally, he said, the beauty of FIDO’s technology is that it can be used across any sector; no less an eCommerce giant than eBay, he noted, has shifted away from one-time passcodes (OTP) to add further layers of security and authentication, recently opting to use FIDO for strong authentication across its mobile app and browser-based sites.
An increasing number of eBay users, he said, are forgoing text-message codes and embracing FIDO authentication and biometrics.
“OTP is going away, and we’re moving toward a passive biometric sign-in experience,” he said, which has garnered particular interest from FinTechs and other digital-first firms. He said that secure and streamlined digital onboarding experiences are especially critical for those firms (and for the increasing number of companies that are pivoting online). Opening bank accounts or signing up with mobile telecoms, for example, requires strong authentication. Delegated authentication, under which PSD2 allows an issuer to “delegate” strong customer authentication to a payment service provider or merchant (combining FIDO with the 3-D Secure (3DS) network), can improve the customer checkout experience.
For merchants that comply with PSD2 regulations without introducing additional friction, the process “is actually beneficial for merchants who adopt the [FIDO] solution,” according to Law.
Typically, adding more layers of security (such as text-message codes) lowers conversion rates. Without passwords, which are easily forgotten, consumers don’t have to go through the hassle of resetting them or calling contact centers, and in the process fraud rates go down, said Law.
“When you think of regulation, you may think it’s a cost — but here it’s actually a revenue generator, given friction around the transaction will now be lower,” said Law.
As he explained the process, consumers authenticate with a biometric on their device or other hardware; the resulting FIDO assertion (the biometric itself never leaves the device) is passed along to the issuer through the 3DS channels, and the issuer says, “OK, we’ve seen this person and this hardware,” as Law put it.
That verification is returned to the merchant, which can then process the payment as it normally would. Secure Payment Confirmation, he said, can confirm requests initiated through the Payment Request application programming interface (API) and shows consumers the transaction details in a browser dialog, which they confirm with their FIDO authenticator. That capability will be going live within the next year and a half, and per Law, will see an explosion of use cases, particularly in banking, where attracting younger users (such as millennials) depends on a smooth onboarding experience, while stymying account takeovers. Even simple banking, such as peer-to-peer (P2P) payments, requires strong security and authentication protocols.
He noted, too, that strong authentication and passwordless processes are especially important in the cryptocurrency realm (with its anonymity and immutable transactions) and in the movement of sensitive data, such as in healthcare. Because of the pandemic, he said, many patients are moving online, and accessing records or attending telehealth sessions can be made more secure by combining strong identity protocols with FIDO.
Democratizing adoption of the FIDO standard comes through an API-centric approach, Law maintained: with an API, developers and other segments of the ecosystem can apply the technology to their own scenarios.
“We have open documents, sample code, and it’s all very simple for developers,” he said of LoginID’s own offerings, including a “freemium” model.
Looking ahead, he said, beyond eCommerce, banking and healthcare, “fast follower” verticals such as the IoT are likely to embrace strong authentication, even at the point of manufacture.
Right now, the move toward stronger authentication is being led by businesses. Still, Law predicted there would be more consumer education and clamor for better authentication (and they will be willing to vote with their feet to get to providers with seamless online experiences).
“It’s going to be win-win for everyone because it’s going to foster better conversion and better security,” he said of stronger authentication technologies. “And so integrating quickly via an API path is definitely the way to go.”