Voice of the Industry

Goodbye passwords, passwordless authentication is here to stay

Monday 19 October 2020 10:11 CET | Editor: Simona Negru | Voice of the industry

By 2022, Gartner predicts that 60% of large and global enterprises, along with 90% of mid-size enterprises, will implement passwordless authentication methods in over 50% of use cases, up from 5% in 2018, Srividya Sunderamurthy from Vesta debates.

Let’s explore the basis for this prediction and the future of passwordless authentication.

Account Takeover (ATO) fraud is becoming a bigger challenge by the day. It has impacted every vertical from ecommerce to digital wallets, online banking, telecommunication, and healthcare. Fraudsters continually exploit every possible avenue to obtain and use PII.  Once they have your data, they apply sophisticated machine learning to evolve attack strategies to stay a step ahead of fraud prevention tools. The most commonly used ATO techniques include:

  • Phishing or man-in-the-middle attacks to steal account credentials and intercept one-time passcodes to reset account passwords;
  • Credential stuffing: automated testing of stolen usernames and passwords at multiple websites with the intent of taking over a large set of accounts all at once;
  • Use of stolen or openly available data to answer Knowledge-Based Authentication (KBA) security questions.
ATO has grown to become a huge problem for ecommerce consumers and merchants alike.  In 2019, there were 7K global data breaches that compromised 15 billion user records. Nearly a third of US businesses have suffered a customer information breach. The impact has been severe.  During the recent COVID lockdown, ATO attacks surged by 43%. In the US market alone USD 6.8 billion has been lost to ATO and the losses continue to grow as 32% of victims refuse to return to a merchant  where their security was compromised. Average cost of a data breach as per IBM security is USD 3.86 million. Nearly 28K credentials are being stolen every minute.  

ATO attacks have evolved to the point where traditional password and authentication techniques are no longer keeping your data safe.

Mass compromise of passwords are the root cause of over 80% of data breaches. And have contributed to increased risk of fraud on consumer accounts and network-level attacks from credential-stuffing botnet attacks. Credential stuffing attacks are at all-time highs – with Akamai reporting more than ‘30 billion malicious login attempts in less than a year’. Malicious logins make up over 56% of consumer banking traffic, and costing the US banking industry USD 50 million on a daily basis.

Why passwordless authentication is emerging as a better option 

User authentication technologies have evolved over the years since password technology came about in 1961. Today authentication methods that rely on shared secrets are taking a back-seat to standards-based passwordless solutions that prioritize security and low customer friction. 

Different types of authentication are:

The more popularly adopted is passwordless authentication: Something you have - mobile phone, Something you are - fingerprint or FaceID.

From a recent Visa survey of 1,000 U.S. consumers, majority of respondents preferred biometric authentication to password-based authentication. The most commonly cited benefits of biometric authentication among respondents were: 

  • Not having to remember multiple passwords/PINs (50%);
  • Better security than passwords/PINs (46%);
  • Not forgetting/losing a method of authentication (33%).

How passwordless security works

The biggest difference is that the use of shared secrets such as passwords, PINs, OTP is replaced with public-key cryptography. Private keys are stored within secure enclave areas of your phone device and your smartphone’s biometric technology such as FaceId or TouchId is used to unlock the credentials and then verified against an authentication server using public key cryptography. 

The ‘Apple Secure enclave’ or ‘ARMS Trustzone in Android’ is an isolated processor built into the device. Even if your device gets stolen or gets infected with malware, the credentials stored within the secure enclave cannot be tampered without the biometric sensors which only the device owner should have: a unique TouchId or a FaceId.

Paswordless security with biometrics is the path forward for a frictionless & secure consumer experience 

Ecommerce merchants, financial services, banks alike seeking to provide a higher quality user experience and increase consumer trust in their authentication processes must look to the future and consider implementing biometric authentication.

Vesta solutions 

Vesta’s Account Protect is our newest offering and provides safe, speedy and secure online experiences for it’s customers, and is a fully orchestrated fraud protection platform that protects account lifecycle activity - from activation to activity monitoring. It incorporates passwordless authentication and comes with a fully automated digital onboarding package.

To find out more reach out to sales@trustvesta.com

About Srividya Sunderamurthy

Srividya Sunderamurthy is a highly successful product management leader who has led end-to-end product strategy and launch of fraud and AML solutions in small to medium-sized fast-paced startups and large-scale technology companies. She currently leads the product strategy within Vesta Corp.

About Vesta

Vesta is a fintech pioneer in fraud protection and fully guaranteed payment technologies, helping online merchants, major telcos, payment processors, and acquirers optimise revenue by eliminating the fear of fraud. The company’s flexible, scalable solutions enable companies to grow their businesses by focusing on revenue rather than risk, delivering secure, frictionless transactions that maximise acceptance and improve customer experience – all backed by a zero-fraud-liability guarantee.

Free Headlines in your E-mail

Every day we send out a free e-mail with the most important headlines of the last 24 hours.

Subscribe now

Keywords: Srividya Sunderamurthy, Vesta, AML, account takeover, ecommerce, fraud, PII, phishing, credential stuffing, data breaches, merchants, authentication
Categories: Fraud & Financial Crime
Countries: World
This article is part of category

Fraud & Financial Crime

Industry Events