In a recent Haventec Webinar, we discussed how organisations are moving beyond passwords to enhance security, privacy and user experience.
Joined by Microsoft’s National Security Officer, Mark Anderson, Deloitte’s Cyber Risk Services Partner, John Jones, and Haventec CEO, David Maunsell, we looked at why the password approach simply doesn’t cut it in a digital era, and how new passwordless solutions are changing the game.
Why do we need to move beyond passwords?
We’re spending more time in the digital space than ever before – using a range of devices, apps and online portals for work, communication, leisure, shopping, and more.
This has led to password overload, with recent research finding that the average user has approximately 100 passwords to remember or manage!
At the same time, there are countless recent events which demonstrate the inherent risk that passwords pose to customer and business security. For example, ForgeRock‘s 2021 Identity Breach Report revealed a 450% surge in breaches containing usernames and passwords globally.
Attempting to stem the password security problem has resulted in a range of potential quick fixes, such as:
- longer and more complex passwords
- frequent password changes
- 2-factor authentication
Unfortunately, trying to strengthen security by increasing the complexity of passwords diminishes the user experience and leads to new operational and security issues. People start writing them on post-it-notes and storing them in drawers, under their keyboards, and so on.
According to Forrester, 25% of all helpdesk calls relate to password resets. And while you can introduce self-service to get around this, it’s just a Band-Aid fix for a security control issue we need to move past.
What’s driving the change to “passwordless”?
All digital stakeholders – from consumers to enterprises and regulators – are seeking a solution to the weaknesses and inconveniences of traditional authentication models.
Stricter regulations are a key driver behind this, as business leaders seek to mitigate the risk of hefty penalties for noncompliance and the reputational damage that generally accompanies a data breach.
Other key drivers include digital transformation and consumer expectations.
“People see passwordless authentication as an answer to a security problem and as an extension of their digital transformation,” says Mark Anderson. “Digital transformation has itself been driven by customer expectations of digital readiness and ease of use. Passwordless technology is the next step in that journey."
Over at Deloitte, John Jones notes his strategic work with companies often uncovers gaps between business capability and user expectations around digital experience and usability. “Removing passwords is a way to reduce friction and increase accessibility. We need to find that sweet spot between the appropriate level of authentication and authorisation for the assets a user is trying to access, while delivering a great user experience.”
Having seen the outcome of passwordless implementation first hand, Haventec CEO, David Maunsell, says the results are impressive.
“When an Australian prominent digital bank implemented Haventec’s passwordless solution, they had considered the entire customer experience from end-to-end: onboarding through to ongoing customer interaction with their brand and services. Their set up allows them to onboard a new customer in under 2 minutes, with identity verification for subsequent logins using biometrics or a simple 4-digit pin.”
“In turn, the business has been rewarded with market leading customer satisfaction scores alongside advanced security and privacy measures.”
How can a business get started on the passwordless journey?
Progressing from the idea of becoming password-free to a practical action plan requires collaboration between a company’s IT team, executives and customers.
John recommends devising a list of requirements based on the specific problem you’re trying to solve, so you can assess how possible solutions will best meet your needs.
“It’s about choosing the technology that is best for your community. Ideally, you want to use design thinking and empathy mapping to put yourself in your user’s shoes so you understand their needs.”
“Remember too that support during and beyond implementation is important, so it may be more appropriate to select a vendor with a strong local presence.
“Because customer expectations are moving fast, you’ll also want to focus on solutions that allow for faster speed to market and can integrate with your existing systems.”
Mark agrees that focussing on user outcomes is pivotal to selecting the right technology. “Office staff have very different needs to, for example, doctors and nurses who may need to move between terminals. It’s about understanding what works and what doesn’t in a specific environment."
“Keep in mind that passwordless authentication is about strengthening security, not weakening it. Ultimately, you want a solution that delivers total assurance because it’s based on foundations that are decentralised and can’t be breached.”
David also urges business leaders to remember that the ultimate goal of passwordless authentication is to protect critical data.
“The future of open government and enterprise will depend heavily on trust. And if we don’t embrace new initiatives and ideas, such as passwordless authentication built on decentralised identity providers, we’ll continue to see ongoing breaches of privacy and put further friction between a customer and business offering a digital service.
“Passwordless authentication opens up a whole new world of possibilities, and is a key foundation for the next wave of digital growth.”
