person touching lock screen

Frictionless or Less Friction? Cybersecurity and the Passwordless User Experience

As employees and consumers, we find ourselves living in a password-protected world. Yet passwords are a pain and not always secure. How can organizations up the ante on cybersecurity — particularly regulated industries — while delivering seamless convenience and ensuring data protection?

In the world of identity and access management, or IAM, passwordless authentication offers a way forward.

Passwords Aren’t Cutting It Anymore

It is common knowledge among security professionals that passwords aren’t the best way to secure our data or assets, but these same professionals need to live with the challenging reality that it is still very much the authentication method of choice for many consumers. Digital experiences are increasingly the norm, in both online and in-person shopping, in financial services and banking as well as in the workplace environment. This makes cybersecurity — and the protection of personal and financial data — extremely important.

We know consumers suffer from password fatigue, complacency and laziness even if they still tend to migrate towards using them which is highly problematic. It means, among other things that the passwords of choice tend to be too short and too simple which make them easy to crack. “At least two-thirds of smartphone users (66%) say their shortest password is 10 characters or less in length,” according to Forrester’s Q1 2022 State of Customer Authentication report.

More secure passwords that are longer and include uppercase letters, numbers and special characters are becoming increasingly required. And that’s helpful. But the additional complexity also means that consumers write down passwords where they can be visibly seen. At the same time, people reuse passwords across devices and applications, making it easier for hackers to guess, snoop and gain access to the user’s account.

person entering password

Passwords are a commonplace security measure, but can be easily compromised if they don’t meet the right length and complexity to be secure.

A “frictionless” user experience is talked about a lot, and with good reason. Consumers expect the same quality of experience with every digital interaction, whether it’s a personal one or work-related. It’s important for nearly every business to make the user experience as friendly and seamless as possible so users can accomplish their desired action or goal. For many industries it means having a mobile-first strategy — the banking and financial services industry, for example, is going in that direction.

At the same time, users are becoming aware of and more interested in passwordless authentication alternatives, such as the ones that enable biometrics. But is a frictionless experience the answer?

Cybersecurity Should Have Less Friction but NOT Be Frictionless

Most businesses today have been impacted by a data breach. IBM reports that the global average cost of a data breach is $4.35 million with stolen or compromised credentials as the most common cause. The time to identify the cause of the breach takes a whopping 327 days.

On the one hand, businesses are looking to streamline and simplify the user experience while addressing the looming sense that passwords are outdated and no longer secure.  

This is especially true in banking and financial services. A joint FStech and HID survey revealed that for banking customers, security outweighed a frictionless experience. This suggests that while ease and speed are high on the list of priorities, customers are in fact comfortable with some friction as part of the log-in and authentication process if it contributes to the security of their data.

Passwordless authentication solutions are reshaping the security landscape by offering a better user experience while helping manage risk with the right amount of friction.

person using facial recognition on phone

Research shows that banking customers expect security and are comfortable with some friction during the user experience if it means a higher level of security.

Long Live Passwordless!

We’ve been promised a passwordless world for quite some time. From Bill Gates calling for an end to passwords in 2004, to IBM predicting the end of passwords in 2011, to Google’s Eric Grosse declaring passwords were no longer sufficient to keep users safe in 2013, nearly 10 years later it’s finally becoming a reality.

Multi-Factor Authentication (MFA)

Multi-factor authentication, or MFA is leading the way for user-friendly yet strong security by combining three factors: something you know, something you have and something you are. It’s important to note that unsecure authentication methods such as One-Time-Password (OTP) sent by SMS or email and secret questions and answers are still widely in use.

Push authentication is more secure and user-friendly while still using a mobile device as a second MFA factor. It uses cryptographic techniques to link a specific device to its owner’s identity, making it impossible for attackers to impersonate them without physical access to the device.

The push authentication user experience is seamless and straightforward. Users validate the request by making a binary choice — “approve” or “decline” — rather than referencing and retyping an OTP received via SMS.  In fact, the most flexible push authentication solutions leverage mobile device biometric capabilities to go completely passwordless.

person using online banking

Using smartphone biometric capabilities during multi-factor authentication helps move toward a passwordless experience.

Users are receptive to this experience, recognizing the higher level of security while increasing convenience to the overall authentication process. Additional data from the FStech and HID survey showed that 56 percent of consumers had a positive attitude toward current fraud-preventing security measures, even when it presented friction.

The remaining 44 percent were neutral to it. Secure MFA solutions are also on the rise as more businesses opt for advanced authentication technologies, including hardware or software tokens.

Identity Verification (IDV)

Organizations also are looking at Identity Verification (IDV) solutions, particularly as a means to ensure smooth digital onboarding for their users and to enhance the passwordless experience throughout the journey. IDV combines biometric facial matching with cross-checks against government-issued photo ID, behind-the-scenes document verification, address verification and other automated validations.

IDV allows for a smooth user journey, drastically reducing customer abandonment rates at the early stage and complementing the end-to-end journey. Best-in-class IDV solutions offer prebuilt architecture and cloud-based delivery for quick and easy deployment.

The Future of Passwordless Authentication

Businesses are under intense pressure to adopt user-friendly yet secure identity and access management solutions. Meanwhile, consumers are struggling to manage their own credentials in an ever-widening sphere of digital activities, and they are going to choose businesses who can deliver both security and simplicity. With the right strategy and the right tools, it IS possible to support secure digital identities with less friction.

Going forward, the future of passwordless authentication will also include behavioral biometrics. In contrast to physical biometrics that identify characteristics such as a fingerprint or face, behavioral biometrics identify individuals based on uniquely identifying measurable patterns in human activities. Think signature or keystroke dynamics, voice pattern or gait. Together with physical biometrics, behavioral biometrics offer the possibility of creating a more seamless user experience that offers continuous verification creating a path toward a more secure, fraud-free digital world.

Want identity and access management news delivered to your inbox? Subscribe to the IAM blog. You can also get the latest information impacting the industry by visiting the Security & Identity Trends blog.

Ignacio Gil Bárez is the HID Iberia Sales Lead in the Consumer IAM business area. He has vast experience working with compliance and UX with c-suite executives to deliver business agility while mitigating risk. He also is an expert and a great resource to understand and identify total customer satisfaction principles and requirements.