Those who are pronounced dead live longer, and interestingly this also applies to passwords. This established form of authentication has long been considered an anachronism amid the constant evolution and modernisation of the Internet.
However, passwords still play a very large part in our online world and are the gateway to a whole host of activities including emails, social networks and last but not least, online shopping. Even those who only use the internet occasionally for online shopping quickly accumulate a wealth of online accounts.
Although there are ways of logging in via third-party providers such as Google or Facebook, they no longer enjoy the unconditional trust of users following a number of highly publicised data scandals.
With the new FIDO2 open authentication standard, it is now possible, in principle, to use hardware tokens or biometric features for authentication directly via a browser. But what is behind the process and what potential does the technology have?
Urs Gubser, Head of e-commerce strategy at SIX Payment Services, provides a reality check.
Check 1: What exactly is FIDO2 and what concrete possibilities does it present?
The abbreviation actually covers two standards. One, WebAuthn, was developed by the FIDO Alliance (Fast Identity Online) in collaboration with the W3C (World Wide Web Consortium). It enables the integration of FIDO-based authentication methods directly into different browsers using a standardised API. Mozilla's Firefox already supports WebAuthn from version 60, and Microsoft and Google plan to follow suit. The other part of FIDO2 is the Client to Authenticator Protocol (CTAP). This allows various external devices to transmit credentials to computers via Bluetooth, NFC or USB.
The new standard offers several ways to replace passwords. A USB stick used as a hardware token is a form of digital key: when a user inserts the stick into their PC, they are authenticated automatically, as easily as unlocking a door. In addition, the technical capabilities of smartphones can be put to use, as many of today's devices already have fingerprint recognition, and this unique feature can also serve for authentication.
Check 2: What about security?
You do not have to be an accomplished computer hacker to crack a password; many people still use very easy-to-guess character combinations such as names and birthdays. In addition, criminals have access to a variety of software tools to help them find out passwords. These risks simply do not exist with a hardware token – however, it can be lost or stolen, just like a physical key.
Is the fingerprint the ID of choice? After all, it is unique with just one per person. That is of course unless someone makes a copy and manages to fool the sensor – which is exactly what the Chaos Computer Club did back in 2013.
Since then, detection technology has evolved, but so have the methods to outsmart it. With the help of machine learning and artificial intelligence, American security experts last year managed to create a form of master print that unlocked almost two out of three of the smartphones tested. A potential attacker using this approach does not even need the owner's original print. Therefore, in the case of biometric authentication, the question that always comes up is whether criminals can obtain copies of the features. Unlike a password, you cannot easily reset your fingerprint. Currently, a 100% secure system does not exist, even in the digital world, but you can make it as difficult as possible for cybercriminals to undertake their activities.
This is best achieved by combining various security features. Fingerprint authentication can be combined with voice recognition and an iris scan as further biometric security elements, or you can use a hardware token as an extra authentication check. With each additional step of a multi-factor authentication process, the security increases. Whilst this does not completely eliminate the possibility of identity theft, it sets the barriers very high. Breaches become extremely unlikely while at the same time the process remains easy for the end user.
Check 3: What else will the retail sector be facing?
As passwords disappear, online shopping becomes easier and more intuitive for customers. Of course, it also benefits sellers. Retailers no longer have to reset passwords and can make more meaningful use of the resources this frees up. Biometric methods are also particularly interesting for the simplification of 3D Secure. In addition to the normal credit card data, this service often requires customers to provide an additional password, which results in many customers not completing the journey and abandoning their purchase. With identity verification procedures that do not require a password, companies no longer have to forego these transactions.
For customers, it is now taken for granted that shops accept different credit cards, whilst at the same time PayPal is moving further and further into the retail space. Its competitor in the Far East, Alipay, is already on the rise beyond China. As the market for e-payment solutions develops, biometric methods are very likely to replace passwords, making it difficult to predict whether established service providers will be able to expand their market share, or whether new innovators will emerge and take a slice of the pie.
Be prepared for everything
One thing is certain: digitisation will not be reversed and is here to stay. Financial transactions are definitely affected by this megatrend. Developments such as the Internet of Things (IoT) offer a completely new perspective in which every networked device can also be a retail gateway. In this new and connected world, customers want to pay directly and conveniently, which will lead to the development of a veritable and comprehensive Internet of Payments. Methods of multi-factor authentication, including those based on biometrics, can help make the online retail environment more secure and eliminate the fears of potential users.
In order not to be overrun by e-payment developments, merchants should rely on the help of a service provider with future-oriented solutions in place that can be integrated with existing systems, so that they are well prepared for a fully networked future without the nuisance of passwords.