Forgot Your Password? Most People Do

Feb  05 
John Horn  Director, SecureNow™ Cyber Security Services, Fiserv 

New authentication methods enhance security and convenience in banking

Passwords are as consequential to our everyday lives as car keys. If we want to go anywhere, we need them. And losing or forgetting them can derail an entire day.

Most people require only one car key. But as digital connections multiply to include everything from online banking to hotel rewards accounts, consumers are forced to manage and remember multiple passwords.

As a general rule, people don't do a very good job at that. They create simple passwords that are easy to hack. They share them. They create lists of passwords and put them in easy-to-find places. They get frustrated and use the same two or three for every account. Basically, they do everything short of handing their digital keys to hackers.

Still, even the most secure password is vulnerable to attack, whether through malware or phishing, and once fraudsters get it, they'll try it everywhere. Combine that with the sheer volume of personally identifiable information available online, and it's no surprise risk professionals at financial institutions want to move beyond basic password reliance.

The day-to-day costs to financial institutions dealing with passwords are just as problematic. Industry estimates have shown as much as 40 percent of call center contacts are for password resets, which take as long as 15 minutes to resolve and cost as much as $10 for every contact.

Passwords are not only hurting financial institutions through fraud losses; they are an experience problem for consumers and a bottom-line cost problem for call centers.

Solving the Password Problem

The most direct response to password vulnerability in the past decade has been education. By most accounts, those programs have been a success, primarily teaching users to create passwords that are hard to guess but easy to remember.

In that sense, the market has come a long way in helping users. But education may have limited benefit for younger generations that have no appetite for passwords in the first place. They tend to either use the same password repeatedly or go to their financial service providers to interact.

So what solutions can augment passwords? User-defined challenge questions are common options, but they have the same problems as passwords. Users tend to forget the answers to challenge questions they set up months or years previously.

It's time for new technologies to meet the convenience and security expectations of younger generations, while also meeting regulatory requirements for multifactor authentication security. So-called "out-of-band authentication," in which a one-time passcode is sent to the user's mobile device, is standard in the market today.

It's not a security silver bullet, but it's relatively easy for users because they don't need to remember passwords or answer challenge questions. And it offers improved security over passwords and challenge questions because users must be holding their mobile device to get the passcode.

In most cases, out-of-band, one-time passcodes augment password security and eliminate the need for challenge questions. But the friction of those solutions still frustrates some users.
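The server side of the out-of-band passcode described above can be sketched as follows; this is an added example, not Fiserv's code. The class name `OtpStore`, the 6-digit length, the 5-minute lifetime and the 3-attempt limit are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

OTP_TTL = 300      # seconds a passcode stays valid (assumed value)
MAX_ATTEMPTS = 3   # wrong guesses allowed before the code is discarded (assumed)

class OtpStore:
    """Hypothetical in-memory store for pending one-time passcodes."""

    def __init__(self):
        # session_id -> [salt, digest, expires_at, attempts_left]
        self._pending = {}

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, session_id, now):
        # secrets, not random: the code must be unpredictable.
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self._pending[session_id] = [salt, self._digest(salt, code),
                                     now + OTP_TTL, MAX_ATTEMPTS]
        return code  # handed to the SMS/push channel; only the digest is kept

    def verify(self, session_id, code, now):
        entry = self._pending.get(session_id)
        if entry is None:
            return False
        salt, digest, expires_at, attempts_left = entry
        if now > expires_at:
            del self._pending[session_id]
            return False
        if hmac.compare_digest(digest, self._digest(salt, code)):
            del self._pending[session_id]   # one-time: success consumes the code
            return True
        entry[3] = attempts_left - 1
        if entry[3] <= 0:                   # a 6-digit space is small, so cap guesses
            del self._pending[session_id]
        return False
```
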

Looking Beyond Passwords

Friction and interruption are primary reasons why many consumers abandon digital experiences. With that in mind, financial institutions are actively searching for something to replace the password.

The key is what consumers hold in their hands: the smartphone. Embedded with new technology, the smartphone can become the user's password. Consumers get easy-to-use, strong security, and financial institutions boost their brand in the market by delivering secure, frictionless digital experiences.

How does it work? When logging into digital banking, consumers enter their user ID, and a secure push notification is sent to their smartphone for verification. Analytics determine consumers' location with high accuracy and check the device for suspicious characteristics, all behind the scenes before the consumer interacts. Consumers then can verify their identity through various means.

There are multiple verification options a financial institution can make available to users, but the recommended approach is biometric modalities such as palm vein, fingerprint and facial recognition. Other options include combinations of basic PINs, draw-codes that ask the consumer to connect dots in a pattern unique to the user, and even Bluetooth proximity to a device such as a smartwatch or Fitbit.

The beauty of technology such as Bluetooth proximity is that consumers don't have to do anything. The technology allows access whenever a Bluetooth-enabled device is connected to the smartphone. It's a way to make security even easier for consumers.

Once the user is verified, a notification goes back through the system to grant access. That process also can be used at any point in the online banking experience, from login to executing transactions, based on logic specified by the institution.

Moving beyond passwords is all about knowing the device and the user as well as applying secondary verification methods when needed. If it's a new device or exhibits higher-risk characteristics, then biometric modalities and other factors can be used in ways that are easy and natural for users, all while preventing access to hackers.
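The push-verification flow and its step-up rule can be sketched as below; this is an added example, not Fiserv's implementation. The policy in `required_method`, the 60-second lifetime and every name are assumptions, and an HMAC over a shared device key stands in for the asymmetric device-bound key a production system would normally use.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CHALLENGE_TTL = 60  # seconds a push challenge stays valid (assumed value)

@dataclass
class Challenge:
    user_id: str
    action: str        # e.g. "login" or "transfer"
    nonce: str
    expires: float
    required: str      # verification method the device must perform
    used: bool = False

def required_method(known_device, risk_flags, action):
    """Assumed policy: anything new, flagged or beyond login needs biometrics."""
    if not known_device or risk_flags > 0 or action != "login":
        return "biometric"
    return "proximity"  # low risk: passive Bluetooth-proximity check suffices

def issue(user_id, action, known_device, risk_flags, now):
    return Challenge(user_id, action, secrets.token_hex(16), now + CHALLENGE_TTL,
                     required_method(known_device, risk_flags, action))

def _mac(device_key, ch, method):
    # Binds the approval to this user, action, nonce and method.
    msg = "|".join([ch.user_id, ch.action, ch.nonce, method]).encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

def device_approve(device_key, ch, method):
    """What the enrolled phone returns after the user verifies locally."""
    return method, _mac(device_key, ch, method)

def verify(device_key, ch, method, tag, now):
    """Server check before the 'grant access' notification is sent back."""
    if ch.used or now > ch.expires or method != ch.required:
        return False   # replayed, stale, or weaker method than policy demands
    if not hmac.compare_digest(tag, _mac(device_key, ch, method)):
        return False   # not produced by the enrolled device for this challenge
    ch.used = True
    return True
```
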

Where Do We Go From Here?

The future of access and verification doesn't necessarily involve a clean break from passwords. Some consumers will retain their preference for passwords, so financial institutions still will need to provide that type of assistance.

But increasingly, financial institutions are recognizing the power of the smartphone. With embedded analytics and biometric capabilities, those consumer devices provide the key to password-less digital experiences that all consumers can appreciate.

When the consumer's device becomes central to every security interaction with the financial institution, and when that device is envisioned as a strong "security token" that eliminates the need for the user's password, financial institutions will have the foundation for a consumer experience that prioritizes both security and convenience.
