Let’s define the major ways of avoiding passwords
Passwords were once seen as the ultimate security solution. Yet their use has a set of drawbacks. People tend to use weak ones, as they are easier to remember. When every website and app requires a password, we keep using the same password, or maybe a couple of variants, to simplify our lives.
Even if a person has set a unique password for every occasion (which is very unlikely), those passwords must be written down somewhere, and fraudsters may get access to that list. According to the Verizon 2017 Data Breach Investigations Report, 81% of hacking-related breaches used either stolen or weak passwords.
Moreover, filling in passwords every time and keeping them in mind is very tiresome, so people prefer to avoid it as much as possible. Many of us save our passwords for automatic fill-in on personal devices. How safe is that? Not very. In addition, password resetting in the corporate environment is costly.
But what are the alternatives? Well, let’s see.
Perhaps the most obvious option is already built into many devices. Fingerprint scanners are built into modern smartphones and help to unlock them faster. Moreover, the Touch ID and Face ID functions make it easy to open many banking apps and to confirm transactions. Biometrics are widely used for banking purposes.
In 2016, Citi introduced voice biometrics to verify the identities of customers contacting their call centers. Voice authentication analyses unique characteristics in a person’s vocal pattern and cross-checks them against a prerecorded voiceprint to verify their identity. This technology can substitute for passwords, ID numbers, or unique authorization codes. However, its security is questionable, since there are people out there who can mimic another person’s manner of speaking quite well.
In 2019, The Royal Bank of Scotland (RBS) announced a pilot of payment cards featuring biometric fingerprint technology. The fingerprint acts as a replacement for PIN entry and is used to verify transactions in excess of £30. It has great potential for making small payments quicker and easier for customers. Although in some retail networks, small transactions don’t need to be verified while using a contactless card, others require a PIN every time.
Meanwhile, Barclays teamed up with tech giant Hitachi to offer Finger Vein reader technology to its corporate banking customers. To authorize transactions, business customers place a finger inside a small desktop scanner instead of entering passwords and PINs. Every finger has a unique vein pattern, which remains largely unchanged throughout life. That allows fairly accurate identification.
Wells Fargo’s CEO Mobile solution has advanced security features including encryption, secondary authentication, and token generation. An additional security layer is the use of a biometrics eyeprint feature. It allows users to sign in by scanning their eyes with the camera on their mobile devices. Eyeprint authentication eliminates the need for a password or a token, making the sign-in process easier and more secure.
Biometric ATMs are self-service cash machines that use a biometric measure to identify customers and allow them to withdraw cash. Until recently, biometric ATMs were very hard to find in developed markets other than Brazil, India, and Japan. Now, the situation is changing. Facial recognition at ATMs is used in Taiwan, Spain, Japan, Australia, India, and Macau. In 2014, Poland became the first country in Europe to introduce a network of “finger vein ID” cash machines. The technology is still spreading.
Moreover, NEC XON has released a self-service biometric kiosk that automates the distribution of SIM and bank cards. It is essentially an ATM that gathers people’s personal information before dispensing a new bank card. Though it is currently being pitched to financial institutions and mobile operators, Saunders has indicated that the kiosk can be configured for other identity systems like national IDs and social services cards. The fewer passwords the better.
A one-time passcode or password (OTP) is a code that is valid for only one login session or transaction. An OTP is typically sent via SMS to a mobile phone, and OTPs are frequently used as part of two-factor authentication (2FA). The purpose of an OTP in mobile or online banking is to prevent fraud by confirming that the person making the transaction and the bank card owner are one and the same. However, in the 2FA scenario, your secret password may still be required.
While logging in, users may be asked for their email address. Once they’ve given it, the service creates a token that allows the user to access their account through a link sent to their email. As an alternative, a one-time code may be generated and sent to the same email address. If the email account gets hacked, so does every web service profile that uses this authorization method.
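Both the SMS code and the emailed link above are one-time secrets, and the same server-side rules protect them: store only a digest (so a leaked table yields nothing usable), enforce an expiry, delete the entry on first successful use, and stop guessing by capping attempts. The following example is added here to show those rules in working code; it is not from the article or from any vendor mentioned in it. The lifetimes, the attempt cap, the `OneTimeStore` class and the `parse_magic_link` helper are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Assumed parameters (not from the article): an SMS code lives 5 minutes,
# an e-mail link 15 minutes, and a code may be tried at most 5 times.
OTP_TTL_SECONDS = 300
LINK_TTL_SECONDS = 900
MAX_OTP_ATTEMPTS = 5


class OneTimeStore:
    """In-memory store of one-time secrets. Only SHA-256 digests are kept,
    so a database leak does not hand out usable codes or links."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for deterministic tests
        self._entries = {}           # user_id -> {digest, expires_at, attempts}

    @staticmethod
    def _digest(secret: str) -> bytes:
        return hashlib.sha256(secret.encode()).digest()

    def _store(self, user_id: str, secret: str, ttl: int) -> None:
        # Issuing a new secret replaces any older one for the same user.
        self._entries[user_id] = {
            "digest": self._digest(secret),
            "expires_at": self._clock() + ttl,
            "attempts": 0,
        }

    def issue_otp(self, user_id: str) -> str:
        """Return a 6-digit code to send by SMS; only its digest is stored."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._store(user_id, code, OTP_TTL_SECONDS)
        return code

    def issue_magic_link(self, user_id: str, base_url: str) -> str:
        """Return a login URL carrying a 256-bit random token."""
        token = secrets.token_urlsafe(32)
        self._store(user_id, token, LINK_TTL_SECONDS)
        return f"{base_url}?user={user_id}&token={token}"

    def redeem(self, user_id: str, presented: str) -> bool:
        """Validate a code or token. A success, an expiry or too many failed
        attempts all remove the entry, so nothing can be replayed later."""
        entry = self._entries.get(user_id)
        if entry is None:
            return False
        if self._clock() > entry["expires_at"]:
            del self._entries[user_id]
            return False
        entry["attempts"] += 1
        # Constant-time comparison of equal-length digests.
        ok = hmac.compare_digest(entry["digest"], self._digest(presented))
        if ok or entry["attempts"] >= MAX_OTP_ATTEMPTS:
            del self._entries[user_id]
        return ok


def parse_magic_link(url: str) -> tuple:
    """Recover (user_id, token) from a link produced by issue_magic_link."""
    query = parse_qs(urlsplit(url).query)
    return query["user"][0], query["token"][0]


if __name__ == "__main__":
    store = OneTimeStore()
    code = store.issue_otp("alice")          # this is what the SMS would carry
    print("redeem once:", store.redeem("alice", code))
    print("redeem again:", store.redeem("alice", code))
```

The store keys entries by user so that issuing a fresh code invalidates the previous one; the attempt counter is what keeps a 6-digit code (only a million possibilities) from being brute-forced within its five-minute window.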
Companies like Ping Identity offer businesses cloud-based, adaptive multi-factor authentication (MFA) solutions where customers can log in to web applications without entering a username or password. The brand interface will simply display an on-screen QR code that users can scan using their mobile application — with the PingID SDK inside — to instantly log in. Such authorization is available in certain online banking systems as a way to avoid password usage. QR codes can be scanned fast and can store a great amount of encrypted data.
The dynamic QR code scan has many advantages, such as preventing session hijacking or session replay attacks. Since the code is animated, unique, and has a very short life span, it provides a secure authorization method while at the same time providing a seamless experience that doesn’t require complex pairing between devices. A confirmation message may then be displayed in an app on the device, verifying the authentication and triggering a biometric scan that confirms the users are who they say they are.
With some technologies, you can approve or deny login requests on a second device paired with your account via the relevant app (compatible with smartphone or smartwatch). When there’s a login attempt, you get a push notification that allows you to log in with the swipe of a finger.
Push notification authentication validates login attempts by sending access requests to an associated mobile device. When you register your account, you link it to a mobile device you own. Afterward, whenever you try to log in to your account, you submit your username or ID. Instead of entering your password, you receive an access request notification on your smartphone, which you can approve or decline. However, the problem with these solutions is that they only work with the services of their respective companies and the limited applications that integrate with their services.
For instance, Google provides a push notification authentication option for its suite of online services and applications such as Gmail, Google Drive, Docs, Calendar, etc. Microsoft has also rolled out a similar service for its Outlook.com services.
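The QR code login and the push notification login described above share one mechanism: the server creates a short-lived, single-use challenge for the browser session, the paired phone answers it (after its own local biometric check), and only a reply bound to that exact challenge unlocks the browser session. The example below is added here to show both flows on top of one implementation; it is not code from the article, from Ping Identity, Google or Microsoft. It assumes a per-device shared secret registered at pairing (a simplification of the asymmetric device keys a real app would keep in secure hardware), a 60-second challenge lifetime, and the `LoginServer`, `device_respond` and `parse_qr_payload` names.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed value (not from the article): a challenge is valid for 60 s. A QR
# code on screen is re-issued before then; a push prompt simply times out.
CHALLENGE_TTL_SECONDS = 60


class LoginServer:
    """Server side of out-of-band login. Device keys are shared secrets
    handed out at pairing (an assumption made to keep the example stdlib-only)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._device_keys = {}   # user_id -> bytes
        self._pending = {}       # request_id -> challenge record
        self._sessions = {}      # browser_session_id -> user_id once approved

    def pair_device(self, user_id: str) -> bytes:
        """Register the user's phone; the returned key is provisioned into the app."""
        key = secrets.token_bytes(32)
        self._device_keys[user_id] = key
        return key

    def start_login(self, browser_session_id: str, user_id: str = None) -> dict:
        """Create a single-use challenge. For QR login user_id is None (the
        phone names the user when it scans); for push login the user typed an
        identifier and the challenge is routed to that user's device."""
        challenge = {
            "request_id": secrets.token_urlsafe(16),
            "nonce": base64.urlsafe_b64encode(secrets.token_bytes(16)).decode(),
        }
        self._pending[challenge["request_id"]] = {
            "nonce": challenge["nonce"],
            "user_id": user_id,
            "browser_session_id": browser_session_id,
            "expires_at": self._clock() + CHALLENGE_TTL_SECONDS,
        }
        return challenge

    @staticmethod
    def qr_payload(challenge: dict) -> str:
        """The text that would be rendered into the on-screen QR image."""
        return json.dumps(challenge, sort_keys=True)

    def complete_login(self, request_id: str, user_id: str, decision: str, tag: str) -> bool:
        """Verify the phone's answer. The record is removed whatever the
        outcome, so a captured approval cannot be replayed."""
        rec = self._pending.pop(request_id, None)
        if rec is None or self._clock() > rec["expires_at"]:
            return False
        if rec["user_id"] is not None and rec["user_id"] != user_id:
            return False          # push challenge answered by another account
        key = self._device_keys.get(user_id)
        if key is None:
            return False
        expected = device_respond(key, {"request_id": request_id, "nonce": rec["nonce"]}, decision)
        if not hmac.compare_digest(expected, tag):
            return False          # not produced by the paired device
        if decision != "approve":
            return False          # an authentic "deny"
        self._sessions[rec["browser_session_id"]] = user_id
        return True

    def user_for_session(self, browser_session_id: str):
        return self._sessions.get(browser_session_id)


def parse_qr_payload(payload: str) -> dict:
    """Phone side: decode what the camera read from the QR image."""
    return json.loads(payload)


def device_respond(device_key: bytes, challenge: dict, decision: str) -> str:
    """Phone side: after the local fingerprint or face check passes, bind the
    user's decision to this specific request id and nonce."""
    msg = f"{challenge['request_id']}|{challenge['nonce']}|{decision}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    server = LoginServer()
    key = server.pair_device("alice")
    scanned = parse_qr_payload(server.qr_payload(server.start_login("browser-1")))
    tag = device_respond(key, scanned, "approve")
    print("QR login:", server.complete_login(scanned["request_id"], "alice", "approve", tag))
    print("session owner:", server.user_for_session("browser-1"))
```

The tag covers the request id, the nonce and the decision, so an approval captured from one login cannot be reused for another, and a "deny" cannot be flipped into an "approve" without the device key.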
Behavior-based authentication works by taking in multiple data points, such as typing patterns, mouse movements, software usage, and Wi-Fi networks, and computing a score that decides whether or not to trust the user for access.
Behavioral information adds another layer of security to authentication. Since individual behavior is almost impossible to mimic, incorporating it into authentication helps prevent attackers from using stolen biometric data. That’s right, biometric information can also be stolen. In September 2019, Chinese researchers at a cybersecurity conference in Shanghai showed it was possible to capture someone’s fingerprints from a photo taken from several meters away.
Behavioral information includes data like location and purchasing history. It also encompasses behavioral biometrics, which is how people interact with their phones. The technology uses sensors like accelerometers and gyroscopes to collect data on how people hold their phones or the pressure they use to type, among other data.
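The scoring idea from the last three paragraphs, as an added example that is not part of the article or of any product it names: a user's baseline profile is compared with the signals observed during a login attempt (typing cadence, Wi-Fi network, application, location), each mismatch contributes to a weighted risk score, and the score maps to allow, step-up (ask for an OTP or biometric) or deny. The profile, weights, thresholds and the sample logins are constructed for illustration, as are the `Profile`, `LoginSignals`, `risk_score` and `decide` names.

```python
import math
import statistics
from dataclasses import dataclass

# Assumed weights and thresholds (not from the article).
WEIGHTS = {"typing": 0.35, "wifi": 0.20, "app": 0.15, "location": 0.30}
ALLOW_BELOW = 0.30       # score below this: log in silently
STEP_UP_BELOW = 0.60     # below this: ask for a second factor; otherwise deny
LOCATION_CAP_KM = 500.0  # distance at which location risk saturates at 1.0


@dataclass
class Profile:
    """Baseline learned from a user's previous sessions (constructed sample)."""
    mean_key_interval_ms: float
    key_interval_sd_ms: float
    known_wifi: set
    usual_apps: set
    home_lat: float
    home_lon: float


@dataclass
class LoginSignals:
    """What the device reports during one login attempt."""
    key_intervals_ms: list   # time between consecutive keystrokes
    wifi_ssid: str
    app: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def risk_score(profile: Profile, signals: LoginSignals) -> float:
    """0.0 means every signal matches the owner's baseline, 1.0 means none does."""
    # Typing cadence: how many standard deviations the observed mean is off.
    observed = statistics.mean(signals.key_intervals_ms)
    sd = max(profile.key_interval_sd_ms, 1e-9)       # guard a degenerate profile
    z = abs(observed - profile.mean_key_interval_ms) / sd
    typing_risk = min(1.0, z / 3.0)                   # 3 sigma or more -> full risk

    wifi_risk = 0.0 if signals.wifi_ssid in profile.known_wifi else 1.0
    app_risk = 0.0 if signals.app in profile.usual_apps else 1.0

    distance = haversine_km(profile.home_lat, profile.home_lon, signals.lat, signals.lon)
    location_risk = min(1.0, distance / LOCATION_CAP_KM)

    return (WEIGHTS["typing"] * typing_risk
            + WEIGHTS["wifi"] * wifi_risk
            + WEIGHTS["app"] * app_risk
            + WEIGHTS["location"] * location_risk)


def decide(score: float) -> str:
    """Map a risk score to an access decision."""
    if score < ALLOW_BELOW:
        return "allow"
    if score < STEP_UP_BELOW:
        return "step_up"
    return "deny"


# Constructed sample profile: a London-based user of a banking app.
SAMPLE_PROFILE = Profile(
    mean_key_interval_ms=180.0, key_interval_sd_ms=30.0,
    known_wifi={"HomeNet", "OfficeNet"}, usual_apps={"banking-app"},
    home_lat=51.5074, home_lon=-0.1278,
)


if __name__ == "__main__":
    attempt = LoginSignals([170, 185, 175, 190, 180], "HomeNet", "banking-app", 51.5074, -0.1278)
    score = risk_score(SAMPLE_PROFILE, attempt)
    print(f"score={score:.3f} decision={decide(score)}")
```

A real deployment would learn the profile continuously and treat the score as one input among others, but even this toy shows the property the article relies on: stolen static data (a password, or a lifted fingerprint) does not reproduce the owner's cadence, network and location together.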