In today’s digital-first world, there is mounting pressure for enterprises and governments to combat the threat posed by cyber-criminals. With cybercrime costing the global economy more than $1 trillion last year, Steve Grobman, CTO of McAfee, comments that “the severity and frequency of cyberattacks on businesses continues to rise as techniques evolve and new technologies broaden the threat surface”.
The increasing use of passwords is continuing to leave people more vulnerable to cyber-attacks. According to Microsoft, 81% of hacking-related breaches last year used either stolen or weak passwords. It is proving difficult for companies to manage the increasing security complexities around sign-ins and authentications while providing a seamless customer experience.
Today, IT security departments are moving toward passwordless authentication through the use of advanced technologies such as PINs, which fall under the area of Mobile ID. Mobile ID refers to technology that uses and analyzes mobile network capabilities to enable end-user identity verification. This identity verification helps prevent fraudulent activities.
When users are constantly forced to generate new passwords for new websites and applications, they tend to start cutting corners, and passwords become re-used over time. Even though easy-to-guess and weak passwords are a major issue when it comes to cyber-attacks, businesses have yet to remove them fully from the authentication process. This issue was highlighted in Verizon’s 2020 Mobile Security Index (MSI), which noted that 21% of organizations that were compromised by cyber-attacks cited rogue or unapproved applications as contributors to the incidents.
They are instead adopting two-factor authentication (2FA) which requires the user to satisfy two out of the three following data points in order to be successfully verified:
This practice can be seen at the regulatory level, with the Payment Services Directive (PSD2) bringing stricter requirements for customer authentication, called Strong Customer Authentication (SCA). The PSD2 regulation requires MFA to be implemented for online transactions.
Passwordless authentication is a form of multi-factor authentication (MFA), but instead of using a password as the factor which the end user knows, a more secure factor is used, such as biometrics, mobile phone verification or a PIN, which represents the possession element of 2FA. This process can be recognized under the heading of Mobile ID, which is at the heart of the digital economy. It is an extension of digital identity provided via mobile networks or devices.
By choosing to replace passwords with a more robust authentication method, an enterprise can make user access to its resources more secure. Enabling MFA allows IT teams to manage access at the level of the individual user, defined groups, or even job role.
Mobile ID utilises the possession element of 2FA. This allows companies to determine whether or not they are interacting with the owner of a given mobile device. According to Forbes, Phone-Centric Identity is one of the key drivers in the shift toward passwordless authentication, as the new reality for any enterprise is that mobile device identities are the new security perimeter. Similar to what McAfee CTO John Grobman noted about the increase in fraudulent threat surfaces, mobility devices ranging from smartphones to tablets are ‘exponentially expanding the threat surfaces that enterprises need to secure’. Instead of relying on passwords to provide end-user authentication, the possession factor that is represented under the umbrella of Phone-Centric Identity can provide a ‘never trust, always verify’ approach. This would require verification of the device and the end user, and an evaluation of the threat presence, before granting access.
The mobile device is increasingly becoming the core of our everyday transactions and interactions. We see this in the onboarding of banking customers and in various e-commerce activities. Authenticating the mobile phone subscriber is the modern way to validate identity. Customers want background verification, and businesses want the verification experience to be seamless to minimize drop-off rates.
Implementation is key in this instance, however, as MFA can easily add complexity, especially to the user experience. The key issue when moving away from passwords and towards MFA, such as the implementation of Mobile Identity, is striking the balance between delivering a seamless user experience and managing your enterprise’s security risk.
Our patented Mobile ID solution provides a PSD2-compliant API into the physical mobile network to help you monitor your customers’ mobile identities in real time. This enables your business to securely and seamlessly authenticate millions of customers, protecting you and your customers against fraud online.
At Phonovation, we ensure your customer experience is not compromised but rather optimised as our solution provides a seamless customer journey by permitting an SMS OTP to meet the possession factor and fulfil the dynamic validation of SCA.