Are Passwords Here to Stay?
By David Lott, Federal Reserve Bank of Atlanta
Payment security professionals generally agree that most consumers do not voluntarily adopt strong security practices in selecting and managing their passwords. Consumers often select easily guessed passwords and even use the same password across numerous websites. Given these tendencies, the payments industry is looking for alternative authentication methods that either consumers could adopt or the industry could perform covertly—methods that would ultimately provide for a higher level of customer authentication.
The Aite Group conducted a research study earlier this year to understand consumer knowledge of and attitudes regarding other authentication methodologies. The survey participants read a brief description of alternative authentication methods and then answered a series of questions regarding their attitudes about the ease of use and willingness to adopt these alternatives. Some of the authentication methodologies reviewed were:
- Fingerprint biometric
- Device location
- Eye vein biometric
- Facial recognition
- Device fingerprinting/identification
- KBA (knowledge-based authentication, or personal data challenge questions)
- Two-way text message
- Voice-recognition biometric
The participants were asked to rate the ease of use for the alternative methodologies. The table shows the percentage of respondents rating the methodology as “very easy” or “somewhat easy.”
| % of Respondents Rating Very Easy or Somewhat Easy |
| User ID / Password | 93% | 90% | 93% | 95% |
All age segments rated the user ID and password as the methodology having the greatest ease of use. All the groups ranked the eye vein biometric low in user ease; voice and facial recognition also scored low across the segments.
One key finding, which points out the continuing need for consumer education, was that many people did not understand the various alternative methodologies, even after reading a description and the pros and cons of each. Seniors were more likely to respond “Don’t Know”; millennials indicated a greater level of understanding.
Which Carrots Work?
Of particular interest, the study probed the ability of a financial incentive to entice customers to agree to adopt additional authentication tools. Just over half (51 percent) of the respondents indicated they would agree to additional authentication tools without any financial compensation. Offering a one-time $10 cash bonus would result in an additional 15 percent, and upping the ante to $25 would bring in 9 percent more. One-fourth of the respondents indicated they wouldn’t sign up for additional authentication with or without an incentive. Seniors are the least likely group (33 percent) to adopt additional authentication without an incentive, and millennials are the most likely (62 percent).
While the level of resistance by consumers to adopting stronger authentication processes seems to be dropping, there remains a strong need for customer education to demonstrate the benefits over any inconvenience. Meanwhile, a number of financial institutions and merchants are using covert authentication tools such as transaction-pattern anomalies and risk-based transaction scoring based on historical fraud experiences.
The survey report demonstrates that passwords are likely to be around for quite some time as a basic means of authentication, meaning that the payments industry and consumers must work together to provide a higher level of security for transactions.
David Lott is a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed. This article originally appeared on the reserve bank’s blog Take on Payments.
In Viewpoints, payments professionals share their perspectives on the industry. Paybefore presents many points of view to offer readers new insights and information. The opinions expressed in Viewpoints are not necessarily those of Paybefore.