Usernames and passwords have been the gold standard of online security for as long as most people can remember. And for some, it’s the only security measure they’ve experienced. The majority of bank, agency, social media and retail store accounts are all password protected. According to Experian’s 2019 Global Identity and Fraud Report, passwords remain one of the authentication methods most widely used by businesses. But is that the safest and most effective means to safeguard information online?
The short answer is no.
With the sheer volume of stolen identity records available on the dark web, consumers are continually exposed to a high risk of fraud at an account or, even more critically, an identity level. And, given their direct exposure via data breaches, passwords provide little-to-no protection; just a mere false sense of security. Many criminals also leverage compromised identity data and reverse-engineer usernames and passwords to access and takeover people’s online accounts – leading to unauthorized transactions and billions of dollars in fraud losses.
The trouble with passwords is more far-reaching than just one compromised account. Account takeover fraud can be an endless attack on an individual. Many people only use one or two passwords for most accounts, so oftentimes access to one account leads criminals to multiple online accounts under the same user. In fact, the report found 55 percent of businesses reported an increase in online fraud-related losses in the last year, predominately around account origination and account takeover attacks.
But, the shortcomings of passwords extend beyond security. They create a cumbersome and frustrating experience for many consumers. In fact, we found the top two barriers consumers encountered when banking online were forgotten usernames and passwords, as well as being locked out for mistyping a password too many times. Most, if not all, consumers can relate to the painstaking process of resetting a password. And in a world driven by security and the consumer experience, passwords have made it difficult for businesses to keep up.
Fortunately, there have been many advances in analytics and technology to help businesses accomplish the best of both worlds: security and convenience. It’s a move toward more intelligence and less interaction on the consumer’s behalf. Innovative technologies, such as machine learning and artificial intelligence, applied to an increased breadth and depth of identity and transactional histories have made it possible to seamlessly detect patterns and anomalies that could help businesses more accurately identify and separate good consumers from fraudsters.
There are also new attributes of a person’s identity that many businesses need to consider as they work to safeguard customer information. These include physical and behavioral biometrics (fingerprints, voice recognition, retinal scans, online or mobile page navigation tendencies, etc.), device intelligence (device characteristics), digital behaviors (transaction behavior, purchase anomalies) and document verification (autofill, liveliness detection). Many of these techniques are passive in nature and require little-to-no consumer interaction, while providing improved fraud detection and identity management.
For example, an individual may want to send $300 to another individual via mobile device. While the consumer may need to use their fingerprint to authorize the transaction, there will be additional checks behind the scenes to verify the authenticity. These checks could include whether or not the transaction is out of the ordinary; is the device one that is associated with the individual; how is the person holding the device. Combined, these advanced measures protect the individual with minimal interference with the transaction.
But, while these innovative approaches to identity management and authentication can help businesses make the right fraud decisions and protect people’s identity, it is important to keep in mind that a silver bullet for fraud detection does not exist. Just as passwords should not be viewed as a sole means of account protection and authentication, neither should these methods. Alone, these methods give a glimpse into a person’s identity, but combined, these methods paint a complete picture – providing the confidence needed to authenticate individuals.
In time, passwords will be a thing of the past. And, as we continue to evolve and stay ahead of criminals, we will need to uncover new components of an individual that can be used to authenticate and protect people. Data and technology are integral parts of that process. It is the businesses that recognize the need and refine the approach that will be positioned to provide a positive customer experience, safeguard information and improve the bottom line.