Passwords are the most common means of user authentication. However, they’re also inherently insecure. The problems with passwords have been known for decades, but many organizations still rely on systems where customers use the same weak passwords for multiple accounts.
Passwords are also not user-friendly. Most people have dozens of online accounts and have been told to create unique, strong passwords for each account. Managing, recalling, and entering all of these passwords makes the authentication process cumbersome for users.
Traditional password authentication has also failed e-commerce and leaves it vulnerable to account takeover fraud and breaches. Some of the most common threats enabled by password-based authentication include:
- Bot Attacks: Bots can automatically test if online accounts use weak or reused passwords with brute force attacks. As a result, bot traffic is on the rise as cybercriminals use this technique to gain access to user accounts.
- Credential attacks: Phishing, credential stuffing, and rainbow table attacks are all common hacking methods used by malicious actors to access a customer’s account using passwords they’ve been able to guess or find on the dark web.
- Data breaches: Password-based authentication requires the storage of sensitive authentication material (typically password hashes) in an organization’s databases. If a company’s systems are compromised, this data can be stolen and misused by an attacker.
- Account takeover: Cybercriminals can gain access to user passwords in a variety of different ways. Once a password is breached, the attacker has full access to the user’s account.
Passwords aren’t working for the modern business, but there are other options. Switching to an alternative authentication method can improve e-commerce security and the user experience, but some are better than others for the security of your organization and customers.
1. One-time codes, push notifications, and magic links
Many of the authentication methods branded as “passwordless” are not actually passwordless, like one-time codes, push notifications, and magic links. These methods enable a user to authenticate to a service by providing a code or clicking a link sent to a device or account that they own.
However, while the password is eliminated from the user experience during authentication, these accounts often still have passwords associated with them in the application database. The reason for this is that if the user loses access to their device or account, they need a backup means of authentication for recovery.
Not only do these methods fail to eliminate the password and its associated security issues, like SIM hijacking, malware, and notification flooding attacks, but they also have significant downsides, including:
- User experience: These forms of authentication often require access to a second device or opening another application every time that a user logs in, which makes authentication more difficult and less user-friendly as you don’t always have your second device on hand. Oftentimes you’ll need your second device to log into every application you need to access. Also, If the service goes down or is slow to deliver, then there is nothing that the company can do to fix the problem.
- Security: Many of these services use SMS and emails to deliver the authentication material. SMS has been deemed insecure for years due to SIM swapping attacks, vulnerabilities in the mobile SS7 network, and the potential for codes to be compromised via man-in-the-middle attacks or social engineering. Emails can be hacked using stolen credentials from the dark web.
- Cost: Per-message pricing for sending SMS verification codes for popular vendors can quickly add up.
2. Passwordless MFA
Multi-factor authentication (MFA) requires users to employ multiple factors to authenticate to their account. The three options for MFA factors are “something you know,” “something you have,” and “something you are.”
Most MFA systems use a combination of “something you know” (i.e., a password) and “something you have” (such as a smartphone), but this traditional approach to authentication has many downsides. Passwords are inherently problematic, making them a weak factor, and requiring a second device to access a native or web application ruins the user experience.
The ideal implementation of MFA uses two strong factors from the “something you have” and “something you are” categories. Additionally, this “something you have” should not be another device used to generate or receive a one-time code. For example, users can be authenticated based on their possession of a trusted device (“something you have”) combined with user authentication via device biometrics (“something you are”).
Passwordless MFA addresses the major downsides of other “passwordless” authentication methods:
- User experience: Users are already using the trusted device, and authenticating via a fingerprint scan or facial recognition is much easier than typing in a password.
- Security: Passwordless MFA eliminates the risk of a compromised password or a code or magic link being intercepted by an eavesdropper.
- Cost: Passwordless MFA does not require sending SMS or emails, eliminating per-message costs and potential delivery risks for retailers.
Learn more about passwordless MFA vs one-time codes.
3. Adaptive risk-based authentication
Passwords only offer a single, and weak, layer of authentication. Moreover, once a user authenticates, most organizations don’t have a good way to evaluate risk signals and increase identity assurance on a case-by-case basis. However, a user’s level of risk is not static over time and operations within an application carry different risks. For instance, a user can jailbreak their device and unwittingly install malware. Additionally, browsing an online catalogue carries less risk than updating contact information on an account or viewing a saved payment method.
An adaptive, risk-based authentication system allows you to tailor your authentication system to the user’s current state of risk. An authentication portal can collect risk signals before authentication and then select an appropriate authentication process based on this information and corporate security policy. For example, users viewing data in an app may be authenticated simply by device possession, but changing payment settings requires a second level of authentication via device biometrics.
Adaptive risk-based authentication provides a balance of usability and security. When performing low-risk activities in safe environments, users should not be burdened with complex authentication processes. However, if there is cause for concern, a dynamic prompt for biometric step-up authentication provides higher assurance when needed.
This type of dynamic authentication addresses the many issues with other authentication experiences:
- User experience: It provides a seamless authentication experience for the end user, and there is an option to ask for step-up verification if needed.
- Security: Risk-based authentication adapts to the behavior and security posture of the device, which allows for teams to quickly react to abnormal behavior. It elevates the assurance of an authentication.
- Cost: It avoids the drop-offs that MFA can cause, it lowers the risk of fraud (and the cost of fraud continues to rise), and it avoids the costs of SMS texts, one-time passwords, and out-of-band authentication.
Eliminate password-based attacks and implement a more secure solution for customers
Nobody likes passwords. Passwords stink. Remembering and entering unique passwords into each online account is a pain for customers and most look for loopholes, like adding an exclamation point to the end of their reused password. In doing so, they put their own data and e-commerce companies at risk.
Passwordless authentication offers a more secure and customer-friendly alternative for e-commerce. Learn more about streamlining your authentication process and eliminating password-based attacks for customers by getting a demo.