Time to go passwordless? 3 safe ways to replace passwords
Our lives and personal data are moving increasingly to digital channels, so it is about time to consider replacing the good old passwords with something safer and simpler. But what are the options?
# Passwords, the 60-year-old "innovation"
Passwords are older than one might think. In ancient times, passwords were used as “watchwords”: a word or phrase that only certain people knew, given to sentinels as the key for entering a specific area or attending an event.
With the rise of technology, the need for passwords as we know them today grew out of the need to share time-shared access to computer systems. Back in the 1960s, when computers were rare, expensive, large pieces of hardware, the only way to share computing power among all users was to implement access control using passwords. In 1961, MIT developed the Compatible Time-Sharing System, which is where password-based authorization first appeared. The pioneer of these time-sharing systems and computer passwords, Fernando Corbato, said in a recent interview with the Wall Street Journal: “Unfortunately it’s become kind of a nightmare with the World Wide Web. I do not think anybody can possibly remember all the passwords that are issued or set up. That leaves people with two choices. Either you maintain a crib sheet, a mild no-no, or you use some sort of program as a password manager. Either one is a nuisance.”
In the beginning, we saw passwords as a key created to give access to certain places, systems, resources and information. But as the digital world developed, the role of passwords also transitioned from an access key to an authentication method. On the 6th of May 2021, this authentication solution, the password, will celebrate exactly 60 years of existence. While the history of passwords is long, their future might be shorter than we initially thought. We live in a rapidly changing digital environment and use innovations every day – from instant messages to smartphones to paying for the morning coffee with a smartwatch – yet the data security solutions for ensuring privacy have not changed much.
So how come we are sticking to a solution developed 60 years ago? It is safe to say that passwords simply cannot meet the digital customer’s needs anymore as they struggle to bridge security requirements and convenience. They have served us well for many years, but it is time to bid farewell.
# Are passwords secure?
In a 2015 “Worst Passwords” report by SplashData, we learned that the most popular passwords around the world were hundreds of easily cracked combinations, such as “123456”, “qwertyuio” and even “password”. In the same report, common names such as “Michael”, sports such as “football” and birth years also made it to the top of the list. Even five years later, the pattern had not changed much when NordPass published a similar report in 2020, showing the same passwords still being popular among users in its list of the “Worst 200 Passwords”. According to the report, only 39% of the combinations detected in 2020 were new to the list compared to the year before, and over 80% of the passwords on the list could be cracked in less than one second.
# People can and will circumvent security measures to make their lives easier.
This raises an important question: does changing our passwords actually ensure better data protection at all? Although we as users can create stronger, unique passwords for every separate account, how many times a year or month do we need to change every single one of them to be confident in the security of our data? And how many of us do so? The true cost of using passwords today means sacrificing not only security, but most likely convenience as well. In the light of the most recent technological developments, it seems that inventing and continuously changing passwords is no longer a feasible solution for every online account. We need to shift our perspective and consider whether passwords should be used as an authentication method at all.
# The real cost of passwords
Let us be honest: the reason many organizations still rely on traditional passwords is money. A simple access control system using passwords does not directly cost the service provider anything, while more specialised solutions typically come at a cost which may be seen as unnecessary. That is, until there is a data breach.
According to Digital Guardian, the average email address in the U.S. is linked to 130 accounts. In a perfect world, this would mean remembering (or securely storing) 130 complex passwords for the average user to ensure the protection of their accounts and data. This is not only inconvenient but close to impossible, which is why we tend to recycle passwords. 30% of the participants in the survey admitted to having fewer than 10 passwords for all their accounts, and 11% still reuse one single password for all their accounts – which puts them at considerable risk of being victims of a hack. The problem here is that the responsibility lies with the end-user, as their protection level depends on the passwords they choose to use, while little is done to ensure more security on the service provider's side.
The second problem we see in this practice is that, although many organizations suggest or even require it, most users do not create truly unique passwords because they would be hard to remember. Instead, they add symbols and numbers to a recycled password, which does not make it much harder to crack. Additionally, a study shows that longer passwords consisting of randomly picked words are harder to crack than complex passwords combining numbers and symbols. Two-factor authentication (2FA) – such as a one-time password sent by email or SMS – is also now used more often as an extra layer of protection for user login, but it lacks convenience for the overall user experience, especially if the 2FA prompts become too frequent for the user.
Password managers have also become a common practice among users who try to create diversity and add complexity to their passwords, but these are also third-party providers that require authentication too, and the accounts are often linked to one or more specific devices. This might help us store our passwords, but is this just treating the symptoms rather than the root cause of the problem - do we actually need passwords at all?
Organizations should make sure that the identity and personal data of their customers are protected by something stronger than traditional passwords. Passwords may seem to be a budget-friendly solution for the organizations, but eventually, the potential risk for data breaches can be costly both in terms of reputational damage as well as the potentially very large GDPR fines.
The bottom line: Requiring your users to create more complex passwords is not the solution. There will still be security issues and it is time to embrace a passwordless future.
This is where digital identity comes into play, as we see an increasing demand for private data protection as a result of the lack of easier and safer identification and authentication solutions. In order to eliminate the necessity of using passwords as credentials for every single internet account, users and organizations need to understand the difference between having one digital identity per account (verified using a password) and one verification method that works across many accounts in different networks.
# Embracing a passwordless future – what are our options?
The options for strong user identification and authentication are rather limited today. However, there are suitable options for various use cases.
1. Email and SMS one-time passwords (OTPs). When an existing user is about to log in to a service such as their internet service provider's customer pages, they type in their email address or customer number, after which they receive a code on the mobile number registered with their profile. As this authentication method requires that the user is in possession of the device, it provides more security than simply logging in with a username and a static password.
The possible challenge of SMS and email OTPs is that they can be cumbersome, as the user might not always have their mobile phone with them, or in some cases might have changed the email address or phone number registered in their profile. For service providers, SMS and email OTPs do not meet the requirements for Strong Customer Authentication (SCA), which the EU's Payment Services Directive (PSD2) mandates for payment-related transactions.
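A minimal server-side issue-and-verify flow for option 1, added here as an example and not Signicat's or any product's code: the code expires, is single-use, is stored only as a keyed hash, and is locked after repeated wrong guesses. The in-memory store, the server secret and the account ids are constructed for the example; a real deployment would use a database or cache and a properly managed key.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # code is valid for five minutes after issue
MAX_ATTEMPTS = 5        # discard the code after five wrong guesses
_SERVER_SECRET = b"demo-server-secret"  # constructed placeholder, not a real key
_pending = {}           # hypothetical store: account_id -> {hash, expires, attempts}


def _digest(account_id, code):
    # Only a keyed hash of the code is stored, so a leaked store is not a list of valid codes.
    msg = f"{account_id}:{code}".encode()
    return hmac.new(_SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_otp(account_id, now=None):
    """Create a fresh 6-digit code for the account; the caller delivers it by SMS or email."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded to six digits
    _pending[account_id] = {
        "hash": _digest(account_id, code),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_otp(account_id, submitted, now=None):
    """Return True exactly once for the correct, unexpired code; otherwise False."""
    now = time.time() if now is None else now
    entry = _pending.get(account_id)
    if entry is None:
        return False
    if now > entry["expires"]:          # expired: drop it so it can never be used
        del _pending[account_id]
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:  # brute-force guard: a 6-digit code has only 10^6 values
        del _pending[account_id]
        return False
    # Constant-time comparison of the hashes avoids leaking how many characters matched.
    if hmac.compare_digest(entry["hash"], _digest(account_id, submitted)):
        del _pending[account_id]        # single use: consume on success
        return True
    return False
```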
2. Verified digital identity (eID). Verified digital identities are, as the name suggests, digital counterparts of an ID document, where a trusted third party has verified the identity of the user, often against a passport or similar government-issued physical ID document. eIDs are also called reusable identities, as they can be used to log in to various services across the public and private sector.
Electronic IDs have become an integral part of everyday life, especially in the Nordics: for example, in Finland, 88% of consumers said they would prefer to log in using an eID if they could choose. This demonstrates that consumers prefer to use the same credentials across various services, as they trust these services as safe and secure authentication methods. So, from a consumer perspective, the ability to log in using an eID is what they prefer and expect, regardless of industry.
eID login can be implemented as part of digital service channels in any industry and is cost-efficient and easy to maintain when purchased as a service. In many cases, eID authentication can also be implemented in chat- or even telephone-based customer service to serve existing customers even better.
# eIDs already have a strong foothold in the Nordics
With the recognition of the e-signature across EU/EEA in the early 2000s, Nordic countries quickly started exploring different alternatives for digital authentication for their citizens.
- Finland introduced TUPAS in 2002 as a common standard for digital identity, and this was replaced with the Finnish Trust Network (FTN) in 2019.
- Sweden launched the first BankID in 2003 as an electronic identity document with the same validity as passports or other forms of physical ID, developing the BankID physical card only a few years later, in 2005.
- The Norwegian BankID - which, despite sharing the name, is not related to the Swedish BankID - was also launched in 2003.
- The Danish NemID was introduced in 2010, replacing the not widely used public eID solution OCES from 2003. As NemID could be used across public and private sector services it quickly gained traction. NemID was replaced by MitID in May 2021.
# 3. Biometrics deliver frictionless login
While eIDs are commonplace and convenient, there is often a certain level of friction associated with the login. Therefore, it is easy to understand why biometric authentication has become exceedingly popular, especially solutions that leverage face recognition, such as Apple's Face ID, or fingerprint scanning.
Mobile apps have become the top engagement channel across many industries, but especially in banking and other regulated industries where strong authentication is required, finding a balance between great user experience and security has been challenging. Signicat's MobileID leverages biometric authentication and provides bank-grade security in the background, meeting the requirements for PSD2 SCA. Beyond mobile apps, the solution also functions as a strong authentication method in browser-based services.
MobileID requires a separate onboarding process, which in many cases happens by using an eID. The user verifies their identity using their existing eID to set up MobileID, and after this the user can log in using facial recognition or a fingerprint for authentication. In addition to secure authentication, MobileID supports electronic signing, often needed in digital service channels, as well as transaction authorization for users.
Service provider advantages of using MobileID:
- Easy and seamless user verification
- Low friction authentication
- Drastically reduced login time
- The security and implementation of authentication mechanisms are handled by the MobileID provider, such as Signicat, as the users’ eID is protected, and the MobileID verifies their identity without exposing sensitive data
- The users’ government-issued eID can easily be combined with other features, such as integrating e-signatures
MobileID offers protection against phishing, malware, man-in-the-middle attacks, account takeover and identity fraud and eliminates common security issues linked to passwords. There are simply no passwords to crack.
# How organizations are replacing passwords with more secure login
Tehy, the Finnish trade union representing health and social care workers – With over 160,000 members, Tehy needed a faster, more secure and reliable authentication solution for their member services portal. Previously, the portal could be accessed with a membership number and a user-generated password. As the membership login was accessible 24/7, Tehy needed to change their strategy and produce a better solution that was scalable, secure and provided easy access to their large user base with frequent logins. As a result of choosing secure login based on eIDs, they obtained a seamless solution for membership login via a simple integration offered by Signicat. By using Signicat’s authentication service, Tehy dramatically reduced the effort required to maintain the service compared to integrating directly with all issuing banks.
Fortum, the Nordic utility giant – The Nordic utility giant has replaced user-generated passwords with an eID based login in Finland, Sweden and Norway. This protects customer data and provides the end-users with a good user experience as they can log in using eIDs they already use for online banking and more. Signicat delivers Fortum secure login as a service through one integration.
Fellow Finance, a P2P lending platform – Fellow Finance is a peer-to-peer lending platform with an ambitious plan to expand its product offering. Due to the sensitive type of data required for using the crowdfunding and lending services, the company needed to implement a secure way for their users to log in to Fellow Finance's mobile app without worrying about putting their financial information at risk. To ensure the highest level of security, Fellow Finance chose Signicat's MobileID authentication solution for their first mobile banking application to increase customer engagement and trust. The MobileID solution for the Fellow Finance application became a seamless, secure way for users to access their data and verify their identity.
# Driving your digital identity transformation with Signicat
Signicat’s proposition is not only to deliver a more secure way for users to access their personal information, but also to link a full spectrum of services: from KYC/AML and a seamless authentication process to secure and easy integration of CRM systems for electronic signatures. This way, Signicat customers can offer their users a fully automated, simple and secure self-service experience. Potential uses of MobileID cover several types of services, such as HR, asset management, retail banking and insurance.
A passwordless future does not only mean that we will be able to log in more easily and faster than before. It is important to also look into integration solutions, making sure that authentication goes beyond easy access and opens the door to doing much more with our digital identity than using it merely as a means of verification. At the moment, we can already see a greater demand for security and trust.
With an increasing focus on data protection from both industry players and individuals in the context of data breaches, it is clear that companies need to adopt new strategies to protect their users’ privacy. And to facilitate user trust, organizations need to ensure strong customer authentication and frictionless login as a part of the user experience. Using innovation to meet customer demands is key to both keep existing customers engaged and acquire new ones, and seamless login will be a key factor for anyone heading in that direction.