Beyond passwords: the future of authentication

In the pre-digital era, security was far less sophisticated than it is today. Before the advent of payment cards and PIN codes, a customer could go into the bank and withdraw money or make a transfer without showing any form of ID document. In many cases, a signature or passbook was enough to verify a transaction. Naturally, these methods were vulnerable to forgery and fraud.

In the digital age, the banking journey looks very different. To access their bank accounts or make payments, the consumer simply has to open their banking app on their smartphone or computer and enter their credentials. While this is inherently more convenient than visiting a physical branch, there are still several risks, as fraudsters are finding new ways to exploit this digital approach.

How passwords fall short

Historically, the login process for any website or app has required a user to enter an ID/username and password. But in today’s digital world, this method of authentication is no longer fit for purpose – especially in banking. In a 2023 Verizon study, 86% of web application breaches were caused by stolen passwords.¹

“A lot of the regulations around authentication are fixated on solving a problem that’s fundamentally tied to the primary factor of authentication that we’ve had for 60 years, which is the password,” says Andrew Shikiar of the FIDO Alliance. “Passwords are the problem.”

Not only are passwords often the target of phishing attempts – it is also a pain point for consumers to remember them as they have become more complex in nature. As a result, consumers often reuse the same password, leaving all of their accounts vulnerable in the event of a data breach.

Multi-factor authentication (MFA) methods, such as one-time passwords (OTPs) and SMS OTPs were introduced to reduce the risks associated with passwords. However, there are several limitations for both customers and banks:

• Cumbersome user experience: OTP solutions, whether via SMS or a dedicated authenticator app, require the user to switch between multiple apps to verify a transaction. In addition, OTPs are often delivered with a delay when network issues occur, or multiple OTPs arrive at the same time.
• Security concerns: Second-factor authentication doesn’t guarantee greater security. Indeed, OTPs are still vulnerable to fraud. Phishing attempts, such as tricking users with fake websites, text messages, and calls, as well as SIM swapping, are common methods of bypassing some MFA measures and gaining access to a user’s credentials.
• Hidden costs: Dealing with fraudulent activity costs the banks dearly in time, money, and resources, while causing significant damage to brand reputation.
• Lack of control: Using third-party apps or SMS providers to generate OTPs cedes control of the authentication channel, leading to missed opportunities and compromised user experiences.

In an era where customers expect the highest possible standards – and have plenty of options to take their business elsewhere when these standards are not met – banks are under pressure to do more. Especially when it comes to digital payment security – 64% of consumers in a Paysafe survey say security is the most important factor when deciding how they pay online. At the same time, 69% expect a frictionless checkout experience.²

So, what can banks do to balance both of these needs? The first step is removing passwords from the authentication process entirely.

From passwords to passkeys

Passwordless authentication, powered by biometric technology, is not new. Most modern devices, from smartphones to laptops, have featured fingerprint or facial recognition capabilities for more than a decade. Likewise in banking, biometrics have emerged as a popular alternative to traditional authentication methods – 60% of consumers believe biometric payments make online transactions more secure.³

From passwords to passkeys

This growing adoption of passwordless authentication is part of a wider industry push driven by “the FIDO Alliance” – a group of industry leaders and technology companies from around the world. Tech giants Apple, Google, and Microsoft are among the household names in the alliance working together to reduce the world’s reliance on passwords. By driving the development of industry-wide standards and solutions, FIDO is simplifying the authentication process and reducing barriers to widespread adoption for consumers, banks, and merchants.

Over the past 12 months, passkeys have emerged as a more secure and more convenient alternative to passwords. Passkeys replace passwords with cryptographic key pairs, offering enhanced security and enhanced user experience by leveraging FIDO credentials that are resistant to phishing, syncable across devices, and adaptable for either multi-device or single-device use.³

The benefits of synced passkeys to both users and businesses are significant: 

• Convenience: Rather than entering a password and then completing 2FA to authenticate a payment, using a biometric passkey is as simple as unlocking a smartphone or device with facial recognition or a fingerprint scan. 
• Security: Unlike traditional multi-factor authentication methods, which require a user to take “something they know” (password/OTP) and “something they have” (device) to authenticate a payment, passkeys are completely phishing-proof. After all, you can hack a password or trick a user into accessing their OTP, but you cannot replicate their biometrics.
• Speed: Thanks to the FIDO technology under the hood, passkeys provide a multi-factor authentication experience in a single step. This ensures compliance with the Payment Services Directive (PSD2) while also providing a seamless user experience.

When it comes to implementing passkeys, it is important for financial institutions to differentiate between synced and device-bound passkeys. Synced passkeys allow users to switch seamlessly between their devices, such as smartphones, tablets, and laptops, or even a brand-new device, without having to re-register each device to each user account – ideal for consumer-facing apps and websites.

The gold standard of authentication for banks

However, for banking and finance, synced passkeys are not compliant with Strong Customer Authentication (SCA) – a regulatory requirement of PSD2. For that, device-bound passkeys, which cannot be shared or exported from the device, are considered the gold standard of authentication. These device-bound passkeys add an extra layer of security because banks can always verify that a transaction has been authenticated from a trusted device.

“It’s not enough for banks to know that a customer is authenticating successfully,” says Quintin Stephen, Global Business Lead, Authentication, G+D. “The device-binding element ensures a regulatory-compliant two-factor authentication in one step. It’s great if you implement synced passkeys, which use ‘something that I am’ to authenticate, but a true passwordless authentication goes beyond that – it is device-bound.”

With device-bound authentication solutions, banks can take the next step and shape a future of authentication where ‘something you have’ (your device) and ‘something you are’ (your biometrics) seamlessly merge. All customers need is the touch of a thumb or a glance at a camera and, thanks to the FIDO-based technology under the hood, the second factor remains invisible to the user. That’s how banks can provide two-factor authentication that feels like one.

Striking the right balance with the right amount of friction

The path to passwordless authentication is clear, but widespread adoption may take time. The appetite for biometric authentication is strong; however, humans are creatures of habit, and passwords have been part of our lives since long before the digital era. Banks will need to plan the customer journey and provide the right support to help customers make the transition toward new forms of authenticating. This involves striking the right balance between convenience and security. While a seamless authentication process may be suitable for low-value transactions, more-visible authentication measures may reassure customers when it comes to large-value transactions.

For banks, this means that while device-bound passkeys are significantly more secure and convenient than traditional MFA – without the burden of having to complete second-factor authentication – a second layer may still be preferred for high-value transactions. Best of all, this can be done by leveraging the security of your existing bank card in combination with a smartphone to create an integrated and seamless “hardware-based step-up authentication.”

The benefit here is as much psychological as it is security, in that it helps build consumer trust and confidence in passwordless authentication methods. This is critical, especially for traditional banks seeking to maintain customer satisfaction and retention in an increasingly competitive consumer banking market. And most importantly: staying one step ahead of fraudsters.

And once the transition to passwordless authentication is complete, the ripple effect will not only revolutionize the financial industry, it will also have a profound impact on e-commerce by removing the friction from online checkout processes, while maintaining high levels of security. 

Ultimately, this is what makes passwordless authentication the natural successor to passwords and OTPs. They are more secure, easier to use, and better suited for today’s digital world. For banks, it is no longer a question of if, but when they will become the norm.