Action required: Your passwords are expiring
Lily Vis | Director, Fraud, Digital Banking FIS Jon Hale | VP, FIS Business Executive FIS
October 10, 2022
With the notable exception of hackers and thieves, no one likes passwords. Creating and managing unique, secure, complex passwords across multiple systems can be a nightmare, which can make password resets as common for many users as remembering and entering the correct credentials.
Password managers have become such a recognized need that modern web browsers now include them by default. But not everyone uses them, and they carry their own risks due to malicious browser extensions and other malware. Users attempting to simplify password management such as using the same user ID and password for everything or leaving credentials plainly visible, perhaps on a post-It note stuck to the side of a monitor, carry enormous risk.
Bad password hygiene is one of the largest contributors to account takeover (ATO) and data breaches. According to Verizon’s 2022 Data Breach Investigations Report, almost half of data breaches involve stolen credentials. Multifactor Authentication (MFA) helps prevent ATO, but the common MFA methods have increasingly also been the targets of bad actors, and bespoke tools to defeat MFA can be purchased cheaply. Big Tech is already building a passwordless future and bank IT leaders are eager to join in.
The technology is readily available and affordable. The question is: why aren’t banks being more aggressive?
There are no imminent regulatory requirements for banks or anyone else to move away from password-based authentication. However, there are many within the financial services industry working toward this future.
According to a survey of IT security leaders at financial services firms cited in a recent American Banker article, 89% believe passwordless authentication ensures both the highest user satisfaction and the highest level of authentication security. Passwordless authentication promises to be low-friction and phishing-resistant, if not phishing-proof, while ensuring that the user authenticating is the actual user. Three things every consumer and institution should be begging for. But they’re not.
Need help logging in?
A key reason why many banks have not gone passwordless is an assumed lack of demand. Traditional user ID and password logins have been the status quo for decades, and average users aren’t demanding something different. Millennial and Gen Z users have been creating user IDs and passwords their entire lives, and all customers have been impacted by the exposure of them whether they know it or not.
The concept of passwordless authentication may seem strange to most – but not as strange as they think. Consumers have adopted passwordless authentication for years on their mobile devices. Many apps now prompt users to sign in using their Apple or Google credentials or via biometrics such as touch and facial recognition. These forms of authentication are now mixed in with traditional passwords across our daily user experiences. Many simply haven’t noticed.
Security question: Which bank changed the game with passwordless authentication?
Often in banking, change starts at the top. Transformative innovations are usually cost-prohibitive for regional and community banks, which leaves the biggest banks to drive change in the industry. As these innovations become more common, they become more affordable and thus accessible to smaller institutions.
Passwordless authentication is an exception. This technology is not only affordable but relatively easy to implement and rollout. Whether they realize it or not, consumers are ready to adopt. This gives regional and community banks an enormous opportunity. Rather than waiting for the largest institutions to start a trend wave, regional and community banks can take steps to pursue passwordless authentication right now.
Passkeys, or multi-device credentials, are a great option. Using any personal smart device, bank customers could access their account information as easily as they unlock their device, using the same touch ID, face ID or PIN code. Since these authenticators are backed up typically to a user’s Google or Apple ID, they can be easily restored or even used on another device with minimal friction.
Welcome – your login was successful
A passwordless future in banking is inevitable. The question is who will take the lead?
Nothing is stopping regional and community banks; nothing that cannot be overcome. By being among the first to implement passwordless authentication, these banks have an opportunity to lead the industry and delight their clients with greater convenience and security.