By Matt Davey, COO at 1Password
With all the talk about passwordless logins, fintech companies might be wondering whether it’s worth enforcing multi-factor authentication on customer accounts. After all, if passwords might soon be a thing of the past, why upgrade current security when the next wave of innovation might be just around the corner?
Ultimately, no security solution is perfect; passwordless might be the buzzword right now, but like any form of authentication, it has its shortcomings. For now, passwords are here to stay, so it’s more crucial than ever to enable and support multi-factor authentication for your customers.
Passwords alone aren’t secure enough
When it comes to financial data, some of the most important information in a person’s life, it takes more than just a password for adequate protection—even a strong, unique one.
Let’s face it: Most people have bad password habits. Whether it’s reusing passwords or using weak passwords, these practices leave glaring vulnerabilities in people’s personal security. But it’s understandable. As attacks become more advanced, it’s become essential to use strong, unique passwords for every account — but who can remember strong, unique passwords for hundreds of sites? While everybody should be using a password manager, many people aren’t.
Passwordless isn’t there yet
Password weaknesses are why some companies are considering making the move to passwordless logins. The way passwordless authentication works is that, rather than entering a password, you enter an email address (or another login factor — phone number, etc.) and are sent a link which allows you to log in without any sort of password. Simple, right?
In practice, it’s more complicated. There are still security issues here. What happens if a hacker gains access to your email, or you fall victim to a SIM-swap attack, like Twitter’s Jack Dorsey? The attacker could then log into every site you use passwordless authentication for. And unfortunately, you’ll still need passwords to sign in to your email. Passwordless sounds convenient, but it’s just not feasible right now.
Multi-factor authentication is more important than ever
So, even if passwordless logins were fully deployed and usable, they still would have weaknesses. That’s why you should continue to pursue multi-factor authentication.
If you’re unfamiliar with multi-factor authentication, here’s how it works: a person logs into a site with a password. They are then prompted to use a different factor to authenticate themselves before they can actually log in. That factor can be any number of things — a code generated by an app like Google Authenticator, a text message to a mobile device, or a time-based one-time password generated by a password manager.
The key here is that there are multiple levels of security and authentication before anyone can access their financial accounts. Multi-factor authentication also provides extra protection in the case of a password-reveal breach. It’s important to remember that it doesn’t need to be your system that’s hacked to put your customers’ data at risk. If people reuse passwords, which many do, then one password leak can affect the rest of their accounts.
Regardless of what the future holds in terms of security and authentication, multi-factor authentication is worth investing in. Because right now, used in conjunction with good password practices, it’s the best defense against data breaches.