When MIT researcher Fernando Corbató created the password in 1961, he probably didn’t realize he had also planted the seeds of its own destruction.
Using a piece of information to restrict and afford digital access inherently lends itself to weakness. A system protected by special knowledge has security deficits that multiply naturally. Such a defense fails in the face of the barest challenges: passwords can be shared, forgotten, or of course, stolen. The security of passwords began to disintegrate at the very moment of their inception; today’s profound challenges to digital security demand a safeguard that cannot be exchanged or misappropriated. The age of the password has passed. The time for biometric-based security has come.
The Problem With Passwords
The damage passwords created could never have been predicted. They defeat the very definition of a good UX, they’re IT nightmares for businesses, and they grow less secure with each passing year.
I vividly remember when, back in 2015, computer intelligence consultant turned whistleblower Edward Snowden told talk show host John Oliver that a computer could crack an eight-character password in one second. This alarming fact is always on my mind every time I have to create a new account or am prompted to update a password.
With so many accounts to keep track of, it’s no wonder that a 2020 study by ForgeRock found that 43% of cyber attacks were categorized as “unauthorized access” with compromised passwords. Furthermore, over 50% of IT professionals surveyed by Yubico felt that eliminating passwords would improve both user experience and security.
The Business Impact
Every business is rightfully obsessed with the customer experience. However, this usually comes at the expense of security. Business owners suffer massive losses from data breaches that can cost a responsible company, on average, nearly $4 million and require an average of 300 days to contain. Lost passwords are also detrimental to business owners, as forgetting a password causes one in three online shoppers to abandon their cart, resulting in a multi-million dollar loss for most e-commerce websites.
The problems don’t end there. According to a recent study, 61% of consumers say that “authentication frustration” has caused them to quit a transaction they would have otherwise completed.
Perhaps most alarming of all, 85% say a difficult authentication process reflects negatively on the company and brand. Businesses go to great lengths to protect their brand’s image, and authentication should be part of that effort.
Instead of looking beyond the password, businesses keep trying to build a better mousetrap by adding layers of complexity that not only fail to make them more secure, but also disrupt the user experience.
Knowledge-based authentication can take time to set up and become quite a frustrating memory exercise to answer, further creating friction in the user interface. More importantly, with the increase in social media as well as large consumer data leaks, fraudsters can often answer these security questions, rendering them effectively useless.
Over the years, businesses have increasingly adopted a second option, two-factor authentication (2FA). Two-factor authentication is a cumbersome process that forces users to fumble across devices to copy codes from one place to the next. It's also highly susceptible to fraud such as man-in-the-middle (MitM) attacks, in which fraudsters can intercept your text messages for as little as $16.
While these extra steps are often better than nothing, they are riddled with user friction, and they have innate gaps that are highly susceptible to bad actors. These technologies rely only on something the person knows rather than on who the person is. Instead, we should be looking at the obvious solution staring back at us from every mirror – our faces.
Why Your Face Is So Much Better than a Password
What is the most complex iteration of encryption? The one thing which has no equal anywhere in the universe? What is so uniquely authentic one could never clone it? YOU. You are impossibly unique. There has never and will never be a person whose face is exactly like yours. That fact provides so many benefits to businesses that are still saddled with clunky passwords and their inherent flaws.
Using enhanced 2FA with biometric authentication (like a quick selfie) is more convenient and secure. Instead of constantly resetting passwords, searching through sticky notes, or reusing passwords, the customer just needs to snap a picture of themselves. This selfie can be matched against a selfie and/or government-issued ID provided during account enrollment for a virtually perfect re-authentication, all of which happens instantaneously.
Businesses have lost billions in revenue due to so-called friendly fraud and other forms of online payments fraud, and that number is only going to increase. When a customer claims they didn't make a purchase, you have a timestamped, verified picture of their face showing the contrary. Moreover, this technology is applicable beyond simple credit card disputes: it could have wide-reaching positive ramifications for wire transfers, account settings updates, logging into an account or anywhere else you need to be sure of the actual person on the other side. Subscription-based businesses also lose significant revenue to shared accounts; with biometric authentication, this becomes virtually impossible.
It’s Time to Face the Future
Passwords are on their way out. The vast improvements in user-friendliness and security make biometric logins so ubiquitous that we stop realizing when we do it. I already use my face to unlock my phone, and it replaces passwords on many apps as well. I imagine a world where we’re checking into flights or trading equities with a mere glance at our phone or whatever mobile device is in front of us.
Everyone hates passwords, but we’re in love with our devices — multi-factor authentication with biometric measures can block 99.9% of all digital attacks. It’s time to harness that power to push security beyond the password-protected boundaries of a bygone era.