Digital Transactions Authoritative, insightful and timely information for payments professionals
The password is one of the oldest authentication tools known to man, and now it is rapidly becoming the least respected among security experts for use online or in-app. Consumers’ use of easily guessed codes, coupled with a recent barrage of data breaches, has these experts predicting passwords will fade out within nine years.
That’s one result of an April survey of 600 security professionals with large and mid-size companies, the results of which were released just before the July 4 holiday weekend. Some 36% predict passwords will be passé within four years, while an equal percentage say it’ll taken five to nine.
Today, however, the password is still the most commonly used authentication tool, with 74% of the experts saying their companies use a form of password protection. That handily beats the No. 2 method, knowledge-based authentication, which logged a 50% usage rate. “Although imperfect, passwords are here to stay for the foreseeable future,” says a report based on the survey results and released by TeleSign Corp., a Marina del Rey, Calif.-based vendor of mobile-authentication technology that commissioned the research.
Most of the surveyed security experts agree the password’s effectiveness in authenticating online and mobile users, and in combatting fraud, has eroded sharply in recent years. Indeed, while nearly three-quarters of their companies use passwords, most combine them with other factors. Just 7% use them exclusively. Fully 69% say user names and passwords alone don’t do the job.
These security professionals have had to deal with the consequences of a wave of data breaches, from which criminals have harvested a trove of information allowing them to access passwords and pose online as legitimate consumers in what is known as an account-takeover fraud.
“The theft of hundreds of millions of consumer records by hackers has made account takeover a significant threat,” says the report. “Fraudsters use stolen consumer credentials to access accounts to launch phishing attacks, withdraw money, make unauthorized purchases, harvest virtual currency, and conduct other malicious activities.” Some 28% of the companies surveyed have sustained such a fraud, and 79% report being very or extremely concerned about it.
In part because of this concern, newer methods like behavioral biometrics are gaining adherents among security professionals. With behavioral biometrics, firms monitor such factors as keystroke pressure, mouse movement, and screen interaction to see if they match a known profile for the user. Some 22% of respondents say they have already adopted the technology, while another 18% plan to this year. The biggest barrier to adoption for those not planning to add behavioral biometrics is cost, according to the survey.
Another promising technique, according to the report, is two-factor authentication. With this method, users are asked to enter a code sent to their mobile device. The code is required in addition to a user name and password. Forty-one percent of respondents report having adopted this technique, while another 40% plan to adopt it over the next 12 months.
