Financial institutions, is it time to pass on passwords?

Passwords feel like a necessary evil. To keep hackers and cybercriminals out, security protocols make it harder for everyone to get into accounts. 

Users have to switch up their credentials every 90 days or so. There’s a long list of requirements to create a “good” password. And all that effort can be undermined by human error. Nearly 75% of breaches involve a human element, according to Verizon’s 2023 Data Breach Investigations Report. In the attacks that Verizon analyzed, 49% involved credentials.

The FIDO Alliance estimates that 90% of users have more than 90 online accounts. That leads to password fatigue and dangerous symptoms, such as password reuse, forgetfulness and laxness around security. 

Despite all the trouble, password security measures don’t address the root problem of authentication because they’re knowledge-based (such as What’s your favorite dessert? What street did you grow up on?). In phishing attacks and other social engineering schemes, hackers can simply “ask” for credentials or use botnets to steal the information.  

Passwords are costly to manage, too. A single password reset can cost $70, FIDO estimates, based on the average rate for help desk labor. And that doesn’t account for users’ time, productivity or revenue lost during downtime, or the cost of a poor user experience. 

What if your financial institution could get rid of passwords and increase security? 

There’s a win-win option that’s gaining traction, thanks in part to strong adoption by Microsoft, Apple, Google and other sites that people log onto daily: passkeys.

A primer on passkeys

The FIDO Alliance created passkeys as a technology-agnostic security method for stronger authentication. There’s no username or password, so there’s no combination to hack. Instead, passkeys use end-to-end cryptography to generate a unique code that is far less likely to be guessed, leaked, shared or stolen. 

Passkeys have two parts: a public key on the website or service that users sign into, and a second, private key on their device. When a user logs on with a passkey, the website checks to see if the keys match. 

Private passkeys typically rely on biometric data for authentication, such as a fingerprint or facial recognition. The passkey is stored on a device, and it’s never shared with the service or site that users log onto. 

Passkeys are believed to be stronger than passwords. If an attacker steals a username and password, they can access your account. But it is nearly impossible for cybercriminals to access the private key on a device, even if they get access to a website’s public key. 

Passkeys make it easy for organizations to tighten security measures. For users, it’s as simple as using a fingerprint, PIN or face to unlock a mobile phone. And it only takes two or three clicks to set up passkeys on most Google or Apple products.  

More security, less effort

Google studied the passkey vs. password experience in March and April 2023. People who used passkeys were able to successfully authenticate their logins 4x more often than people who used passwords or other forms of multifactor authentication (MFA). Passkey users didn’t have to deal with typos or password resets (or remember anything), so they got into accounts with less effort. 

In addition, passkey users were able to log into their accounts in half the time it took people to enter passwords.

Speed and ease are important in both business and retail use cases. When data is especially sensitive, like financial information, access typically gets locked down after brief periods of inactivity. That can frustrate users and impede workflows. Over time, people become frustrated and view security practices as a hassle rather than an asset. 

Tighten security over sensitive information 

Financial institutions need to juggle multiple, competing demands when it comes to cybersecurity. Consumers expect financial institutions to protect their personal and financial information – but be fast and easy to work with 24/7/365. Financial institutions need to tighten the reins without slowing down onboarding or banking processes.

With passkeys, financial institutions can serve both needs. 

Financial institutions should consider passkeys as an important element in a layered security plan. With step-up authentication, financial institutions can match their security requirements to the risk profile of an action. For example, higher levels of authentication could be triggered by a large-sum transfer or beneficiary change. 

When security is of maximum concern, passkeys are seen as stronger than passwords and other forms of MFA. And because they’re so simple and quick for users, top-notch security protocols are practiced consistently.  

Every financial institution must determine its own security thresholds and what actions it’s willing to take to safeguard account information – and the institution’s reputation and operations.  

To learn more about passkeys and other security measures for sensitive data: 

• See how SecureNow protects accountholders
• See how Carat authenticates customers