Why passwords just won't cut it anymore
Passwords: they've been around for as long as we have been using connected technology like smartphones, computers or the internet, but are they an essential part of those technologies? According to a 2019 study, conducted by Google in conjunction with Harris Poll, 75% of American internet users say they struggle with password management.
If passwords are so unfit for purpose and unintuitive after all these decades, what is preventing us from moving to better alternatives? How can we start designing user experiences on a better foundation?
The era of passwords has passed
From a User Experience perspective, passwords are clunky and inconvenient. The more secure and complex a password is, the harder it is to remember. The more passwords someone has, the more incentive they have to turn to services like third-party password managers, operating-system keychains, or browser key stores.
Even professionals struggle with the ever-increasing number of passwords they have to manage on a regular basis. A 2020 survey by Yubico found that 42% of IT professionals report that their organization uses paper sticky notes to manage passwords. Even more disappointing, the same study found IT professionals are even more likely to reuse passwords than average end-users.
Password-based logins are inconvenient, and customers being forced to remember or recover a password is one of the most precarious points in the checkout flow of e-commerce websites, where time is quite literally money. In 2019, up to one-third of virtual shopping carts were abandoned due to forgotten passwords. Removing this barrier could drastically improve such a site’s conversion rate, reducing friction at the points in the user experience which count the most in any web-based interface.
The main idea behind a login name and password is ostensibly security: it asserts the user’s identity, which is the basis on which to open a secure communication channel. But is this real security, or just “security theater”? Attackers using up-to-date aggregators of massive data breaches often exploit this single point of failure. Similarly, simple passwords can be guessed by trying permutations of a user's leaked or purchased personal information, or bought en masse from the operators of industrial-scale phishing scams.
What comes after passwords
The password seems like such a fundamental part of how we operate now, but only because we are so accustomed to it, or too distracted by wrangling hundreds of passwords to imagine an alternative. Five years from now, passwords will be relics and outliers in how people assert and prove their identities while navigating the digital world. What will feel normal instead?
Using a second channel to authenticate a user’s identity provides an extra layer of security. This is called Two-Factor Authentication (2FA for short). Because of its gradual, incremental adoption, however, 2FA is often implemented as a ‘password plus’ system, simply adding an extra layer of complexity on top of the existing username and password paradigm. This extra factor is often a code from a smartphone app or a temporary password received by SMS, known as a One-Time Password (OTP). The only thing worse than one password is two!
In a 2019 blog post, Microsoft manager Alex Weinert wrote, “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA [Multi-Factor Authentication].”
Multi-Factor Authentication (MFA) is a more secure, holistic approach gaining ground in today’s design philosophies. It double-checks an identity using two or more independent identifying characteristics, which separates concerns and avoids the risk that a single compromised device gives everything away. It asks users to assert any combination of “something you know” (e.g. passwords, personal information), “something you are” (e.g. a fingerprint, face or retinal scan) or “something you have” (e.g. a code card, authenticator app, USB dongle), most of which do not require the user to remember anything.
Increasingly, our connected devices come with biometric sensors that can measure attributes unique to each of us, whether it be facial recognition, iris or retinal scans, heartbeat or fingerprints, to confirm our digital identities without passwords. How do we leverage biometric technologies like Touch ID and Face ID across a variety of platforms and apps, particularly desktop devices and websites?
Today’s best practice: Seamless FIDO
Basing identity verification on user-friendly actions like looking into a (biometric) camera or scanning a fingerprint means no more complicated text, number and symbol strings to memorise, and no extra programs or keychains to manage. It’s a more direct, natural, and low-friction way of conveying the uniqueness and specificity of each user, without adding an extra step. This makes one of the factors in a solid MFA approach invisible to the end-user.
This invisible factor works hand-in-hand with other contemporary spam-reduction and fraud-detection technologies operating in the background of digital interactions. Millions of users use their face or fingerprint hundreds of times a day to unlock their smart devices. Why shouldn't they be able to do the same to make purchases online, access their email, or interact with any other business process?
The FIDO (Fast IDentity Online) Alliance has been working on MFA protocols and ‘passwordless’ solutions since 2012, a cooperative effort among stakeholders such as Apple, Microsoft, Google and Mozilla and many others. The three core ideals behind their FIDO protocols are ease of use, privacy and security, and standardization.
For enhanced privacy and security, these protocols provide a bare minimum of interoperable information, negotiated on a per-instance and contextual basis to avoid the privacy fallout of tracking systems like browser cookies. Sensitive personal data such as biometric information, if used, never leaves the user’s device and is handled in a secure silo even there, isolated from other software. Communication between devices using FIDO protocols is secured with public key cryptography, so that data intercepted in transit cannot be used to impersonate the user.
Getting ahead of the adoption curve
Many platforms promising a ‘passwordless’ future are already based on FIDO protocols. These have already quietly been integrated into the recent major versions of all major operating systems, browsers, and smart-phone marketplaces, and are just waiting to be leveraged to create world-class product offerings. An estimated 80% of all end user devices support FIDO protocols.
The convenience, increased security, privacy guarantees, and peace of mind will please and delight your customers. For developers and designers, having a standardised, secure platform will also make developing and maintaining systems easier, faster and more secure.
As norms and user experience expectations shift, passwords will increasingly feel like an obsolete or even disrespectful way of treating end-users. Our industry is at the beginning of a steep adoption curve, and being ahead of the pack has a lot of clear advantages, particularly for designers. Authentication is the foundation of your user experience and of how users experience their relationship to your products and services: the payoff of a firmer foundation is clear.
Call the experts
Even though the technology is already mature and seeing adoption at scale, it can be hard to find your place in the queue. The cost of moving your systems to FIDO by building your own passwordless infrastructure from scratch can be daunting. It can also be research-intensive to stay current as the standards evolve and move to v2.0 in real time. At this early stage in the adoption curve, middleware is a far safer, more cost-effective and smoother way to make the transition for almost all companies.
Hanko is the first European provider of a certified FIDO solution, building on years of experience as early-adopters and specialists in the field. Our customers include international software and cloud providers, the public sector and companies from the financial and healthcare sectors. We make it surprisingly easy to connect our libraries to enable secure, FIDO-based passwordless multi-factor authentication methods on a website or app without the need for additional complex infrastructure.