The passage from passwords to other alternative or additional forms of identity verification, especially in financial services, has been a slow one. But, like some rough beast, it seems like biometric authentication is finally slouching toward Bethlehem, according to a study released this week.
For at least two decades, U.S. financial institutions have been pushing for customers to embrace new forms of authentication in addition to passwords, including biometrics or hardware tokens, or even to replace the use of passwords or PIN codes altogether. But consumers, and even small businesses, contentedly entrenched in the password habit and emboldened by FDIC security and card protections (which mean they will not usually be on the hook for losses), have been slow to adapt.
Indeed, nearly 1 in 5 consumers (19%) still believe that simply strengthening their password alone is the “best way to secure their accounts,” according to the latest data from the Online Authentication Barometer, released by the FIDO [Fast IDentity Online] Alliance Monday during the Authenticate conference in Seattle. Another 11 percent believe that one-time passwords are the most secure form of authentication. The study is based on a survey of consumers in 10 countries.
Meanwhile, other, arguably more secure authentication methods still do not register. Among the respondents, approaches like authentication software and hardware security tokens were viewed as the best authentication methods by 6 percent and 4 percent of consumers, respectively. And more than one-third (37%) of respondents said they do not know how to improve their online ID verification, and 1 in 4 (26%) said it is just “too complicated” to use alternative forms of authentication.
“People still like passwords,” Andrew Shikiar, executive director and chief marketing officer for the FIDO Alliance, said in an interview. “But they are gradually moving toward using biometrics.”
More than half of respondents to the FIDO survey (56%) admitted they’ve used passwords alone to log onto their financial services accounts within the past two months, despite the growing availability of other, more secure forms of ID verification. This has been true even in the face of the growing number of financial institutions large and small — from Texas’ Woodforest National Bank to nationally operating Bank of America — offering the use of secondary authentications to protect customers’ accounts and personal data.
Dave McKnight, principal at Crowe LLP, pointed out that “the prevalence of a technology is directly contingent to its ease of use … arguably, non-password factors and their adaptations for authentication require excessive steps for an average organization or consumer to successfully adopt.” Also, within the financial services sector, the onus is largely on the bank, credit union, card issuer or investment firm to “conform to regulation and law pertaining to the security and sustainability of consumer data,” McKnight said. Hence, most financial customers fall back on simple legacy passwords.
However, having solid authentication at the customer end has long been a weak point — even as people have been utilizing fingerprint recognition on their mobile phones and tablets, and experiencing facial geometry and even iris scans at their workplaces. One-quarter of those people surveyed are using biometrics in some area of their life, according to the report.
“The next step is bringing it into the browser itself,” said Shikiar. Aside from the growing regulatory pressure, financial institutions are increasingly promoting the concept that “maintaining a password that cannot be easily guessed or decrypted continues to be a worthwhile method to guard access to the websites and online accessible services. [However] password diligence should always be paired with enrolling in all available alerting.”
The survey did offer some promising feedback. Consumers are slowly starting to embrace biometric authentication in terms of “perception and use,” said Shikiar. Roughly one-third (32%) of respondents do, in fact, believe that biometrics is the most secure form of authentication, and 28 percent said it is their favorite method.
“We’ve been talking about biometrics for some time, and we know that users need to feel comfortable with it to use it,” Shikiar said, adding that banks, especially in the European Union, have been increasingly developing standards to encrypt data and transactions en route.
The bottom line, according to Shikiar, is that “we need to get away from only using passwords. … What’s in your head increasingly can be stolen.”
To create the initial FIDO Alliance Online Authentication Barometer research, Sapio Research surveyed 10,000 consumers across the U.K., France, Germany, U.S., Australia, Singapore, Japan, South Korea, India and China in September 2021 via an online survey.