Passwords have become a double-edged catastrophe for online authentication. On the one hand, they have done little to stem the tide of data breaches and cyber attacks that has hit the banking and payments industry hard over the last year. On the other hand, they are a source of frustration for users and customers, interrupting what should be a smooth customer experience. Plus, people have so many passwords now that it seems impossible to remember them all.
“Passwords make everyone crazy. Every time I see a username and password screen, I know I just lost the next three to four minutes of my life,” David Schropfer, CEO of Anchor ID, one of the companies presenting at Finovate, summed up during his demonstration.
Anchor ID was one of several Finovate presenters this week that aimed to disrupt the username and password paradigm. Anchor ID offers users a single username ID for every site they log into. When that ID is entered into the username field on a login page, instead of filling in a password, the user clicks the login button. The user then gets pinged on their mobile phone by the Anchor ID app to confirm the sign-in. Additional authentication factors like a PIN and biometrics can be layered on. Only after authenticating with the mobile device will the user be allowed to begin their web session.
Another problem with passwords is that because people have so many of them, they choose ones that are easy to remember, and those are typically easy for criminals to figure out. “That convenience factor leads us to use weak passwords,” Anthony Antolino, chief marketing and business development officer of EyeLock, commented during his Finovate demo.
EyeLock uses a camera sensor powered by the computer’s USB port to authenticate users by scanning their irises. The solution has a module enabling it for use with other devices, including ATMs, and offers application management software to control which websites the sensor is used for. “CISOs and security officers won’t have to manage passwords any more for their employees. The iris scanner can replace all those passwords,” Antolino said.
Another company, BioCatch, showcased a “passive authentication” solution that authenticates without the user having to take any action. BioCatch creates a unique profile for each user based on measurements of the user’s device behaviors: how they typically scroll down a webpage (using the mouse vs. the arrow button) or how they swipe on their smartphone.
“Different people have different online traits, such as where you usually click on a button on a webpage. We can measure how you hold, swipe, and scroll down on a device, and replace high friction controls that are currently in place… People want more security, but they don’t want to be hassled by it,” Uri Rivner, BioCatch’s co-founder and VP of business development and cyber strategy, explained.
New security methods like biometrics, multi-factor authentication, and geo-location should get a hard look from the banking and payments industry, which has suffered high losses because of the failure of passwords to keep criminals at bay. Criminals may find ways to break these authentication methods as well, but financial services providers can’t afford to do nothing in the current threat environment. It’s time to invest in the deployment of new technologies that improve both security and user experience. It’s time to kill passwords.
Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ...