The username and password combination has been an authentication staple for years. While initially effective, criminals now have sophisticated technology that can guess many passwords in seconds. That threat has spurred some cybersecurity experts to recommend passwords should be strengthened even further.
As credentials become more complex, however, it becomes harder for consumers to manage them. In Password Fatigue: A Case for Multilayered Passwordless Authentication, Jennifer Pitt, Senior Fraud and Security Analyst at Javelin Strategy & Research, presents a case for eliminating passwords and building stronger solutions.
Unrealistically Complex
Recent security surveys indicate that cybercriminals can guess a four-character password nearly instantaneously. A 12-character password with a complex string of characters, on the other hand, takes 226 years to crack.
Many organizations have mandated lengthy, complicated passwords, but customers can’t realistically keep up with them. Consumers have resorted to duplicating passwords, writing them down, or even sharing them with other people.
“We’re past the point where passwords should be eliminated,” Pitt said. “It’s going to be a challenge for consumers to get through it, especially older or less tech-savvy consumers. They have been using passwords forever and they’re accustomed to it.”
A better solution is a user authentication process that incorporates multiple approaches. That could include a combination of biometrics, behavioral recognition, knowledge-based questions, and device verification.
Biometric Divide
Biometric authentication includes facial scans, fingerprints, liveness scans, and voice recognition. While biometric verification has been around for some time, there is a generational divide in adoption.
“Social media users, who tend to be younger, value openness and convenience rather than privacy and security, and so they’ve been quicker to adopt biometrics,” Pitt said. “They feel all their personal data is already out there, so a fingerprint is no different. To older adults and those who don’t use social media because of privacy concerns, a request for biometric data might be considered an invasion of privacy.”
While biometric data is generally considered a safer alternative to passwords, there have been concerns biometrics like facial scans and voice patterns could be stolen and used to impersonate a consumer. While that threat might increase in the coming years, there is a much greater chance of a password being compromised than of biometric data being stolen or leaked.
Identifying Atypical Behavior
Device recognition is another facet of a multi-layered approach. If a consumer suddenly starts using a new device, a flag should be raised. There should also be an alert if the customer is usually in one location and there’s a drastic shift in their IP address.
In every transaction, it should be questioned whether the behavior is atypical, either for that consumer personally or for their demographic. Banks and credit unions can also leverage new technology that allows them to view a customer’s device during a transaction, and the gyroscopes and sensors in phones and laptops can track consumer behavior.
“Is the phone tilting an unusual way?” Pitt said. “If a customer’s typing speed is erratic, maybe they’re under duress. Companies are collecting that type of data from the start, and they can compare that to future behavior. If a consumer usually types a certain speed and swipes left to right, there should be an alert if that changes.”
Behavioral recognition should also extend to transaction behavior. If a consumer never conducts wire transactions and one day they perform four international wires in quick succession, there could be an issue. Similarly, if a customer always goes to a bank branch and never banks online, and then they conduct a string of mobile transactions, it should be a flag.
However, an alteration in behavior doesn’t always mean a compromise has occurred. There could be a valid reason the customer moved from branch transactions to mobile banking, such as being on vacation or having moved to a location without a nearby bank branch. When a user’s behavior is atypical, financial institutions must alert the customer and verify whether the actions were legitimate.
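As an added illustration (not from the article or from Javelin's report), the following Python sketch checks constructed account events against a customer's habitual profile using the signals the article names: an unfamiliar device, a shift in location, a channel the customer never uses, and a burst of international wires from someone who never wires money. Field names, thresholds and the sample data are assumptions; a flagged event is routed to customer verification rather than an automatic block.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed baseline for one customer: known devices, usual country,
# channel usage counts and monthly wire habit (assumed schema).
BASELINE = {
    "devices": {"dev-a1"},
    "country": "US",
    "channels": Counter({"branch": 40, "mobile": 0}),
    "wires_per_month": 0,
}

# Constructed recent events for that customer (assumed field names).
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "device": "dev-a1", "country": "US", "channel": "branch", "type": "deposit"},
    {"ts": "2024-05-02T09:00:00", "device": "dev-z9", "country": "FR", "channel": "mobile", "type": "wire_intl"},
    {"ts": "2024-05-02T09:05:00", "device": "dev-z9", "country": "FR", "channel": "mobile", "type": "wire_intl"},
    {"ts": "2024-05-02T09:09:00", "device": "dev-z9", "country": "FR", "channel": "mobile", "type": "wire_intl"},
    {"ts": "2024-05-02T09:12:00", "device": "dev-z9", "country": "FR", "channel": "mobile", "type": "wire_intl"},
]

WIRE_WINDOW = timedelta(minutes=30)  # assumed window for "quick succession"

def assess(event, baseline, history):
    """Return the list of anomaly reasons for one event, given the baseline and earlier events."""
    reasons = []
    if event["device"] not in baseline["devices"]:
        reasons.append("new_device")
    if event["country"] != baseline["country"]:
        reasons.append("location_shift")
    if baseline["channels"][event["channel"]] == 0:
        reasons.append("unused_channel")
    if event["type"].startswith("wire") and baseline["wires_per_month"] == 0:
        t = datetime.fromisoformat(event["ts"])
        recent = [e for e in history if e["type"].startswith("wire")
                  and t - datetime.fromisoformat(e["ts"]) <= WIRE_WINDOW]
        if len(recent) >= 2:  # this is at least the third wire inside the window
            reasons.append("wire_burst")
    return reasons

def decide(reasons):
    # Atypical behaviour is not proof of compromise: step up and confirm with the customer.
    return "verify_with_customer" if reasons else "allow"

def run(events, baseline):
    """Process events in order; returns (timestamp, decision, reasons) per event."""
    out, history = [], []
    for ev in events:
        reasons = assess(ev, baseline, history)
        out.append((ev["ts"], decide(reasons), reasons))
        history.append(ev)
    return out
```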
Knowledge-Based Questions
Knowledge-based questions should be another aspect of multi-factor authentication. During the verification process, customers should be quizzed on personal data like their last known address, utility bill information, or other personal history.
If the inquiries aren’t time-sensitive, however, knowledge-based questions can be a poor authentication method. For example, if a customer is asked to verify their address from 20 years ago, it may not be something the user would know offhand.
Knowledge-based questions can also be defeated if criminals steal information from the internet or the mail, or if they simply guess the answers. For those reasons, knowledge-based questions are best as one aspect of a multi-layered approach.
Cat and Mouse
Many consumers don’t know how easy it is for criminals to guess passwords using computers, so financial institutions should educate their customers on the benefits of multi-factor authentication. Before making sweeping changes to identity verification methods, however, financial institutions should ask consumers for their permission first.
“There’s going to be some resistance, so let it be the customer’s choice,” Pitt said. “When data breaches are constantly in the news, consumers feel their data is at the whim of a financial institution. Those organizations should empower customers and put control back in their hands.”
Even though a multi-layered approach is likely a better solution than password authentication for most organizations, it’s not a permanent fix. Companies will have to continually evolve to stay ahead of new fraud trends.
“Criminals and law enforcement have been locked in a cat and mouse game for decades,” Pitt said. “Organizations roll out new fraud prevention methods and then criminals figure out how to beat them. They move to something new, which will likely be defeated in time. The goal is for financial institutions to implement security best practices while also creating the least amount of friction for their customers.”