Customer authentication is a critical component of almost every application that exists, and as the gateway into your products and services, it impacts 100% of your customers.
Additionally, businesses must navigate a precarious environment in which customers have increasingly demanding expectations for digital experiences, regulatory bodies are proposing ever expanding regulations, and fraud and data breaches are costing organizations more and more, with mega breaches averaging $401 million per breach—to say nothing of the long-term deterioration of brand trust.
Passwords create friction in the customer experience and, according to the Verizon Data Breach Report, account for over 80% of breaches. Given this reality, it’s no surprise that companies are re-evaluating their use of passwords as an authentication method.
Passwords’ insecurity problem
Passwords are fundamentally insecure because they are a “shared secret” (i.e., a secret that’s shared between the service provider and the user). The fact that both the service provider and the user know this shared secret creates two attack surfaces. Customers are susceptible to phishing, brute force, and credential stuffing attacks. Companies are vulnerable to their databases being targeted by bad actors intent on accessing user information.
The insecure nature of passwords has fueled the steep and chilling increase in account takeover (ATO) over the past three years. In 2018, account takeovers tripled, costing businesses $5.1 billion. 2020 saw an incredible 292% jump in account takeover fraud, and so far in 2021, attempted account takeovers have increased by 80%. At the root of account takeover fraud is the password problem. Attackers compromise customer accounts with phishing attacks, credential stuffing with purchased password credentials, or brute force attacks with bots. And the fact that password reuse is common practice only exacerbates the problem.
Customer experience issues
Password requirements also introduce friction, which causes visitors to not complete registration and returning customers to drop-off during login, lowering both acquisition and engagement rates.
And efforts to make passwords more secure by adding complexity, change frequency, and length only add friction with very limited upside (i.e., does a scammer who phishes your password care whether he steals a 10-character password or a 100-character password?). This added friction has a meaningful downside for many businesses, evidenced by 46% of US consumers failing to complete a transaction due to forgotten passwords and issues with password resets.
But what about multi-factor authentication (MFA)?
The market has conditioned us to believe that the way to increase security is by adding more authentication factors on top of the password. But this is a Band-Aid solution. It doesn’t solve the root of the problem, the password, and the risks that come with shared secrets.
Additionally, most multi-factor solutions use authentication methods that have their own security risks. There are known issues with mobile push notifications, where end-users absentmindedly click “yes” to allow unauthorized users in. Out-of-band authentication methods like SMS one-time passcodes (OTP) or phone calls can be compromised via SIM swapping or man-in-the-middle attacks and customers can be phished.
On the customer experience side, requiring a second device introduces a tremendous amount of friction. In fact, Google research captured the general American attitude towards MFA as “thanks, but no thanks,” with only 37% of Americans using MFA due to the added friction.
No password, no friction, no problem with Beyond Identity
Beyond Identity is the first company to deliver an innovative and practical implementation of asymmetric cryptography and X.509 certificates that completely eliminates passwords for customers and from the database across native mobile and web applications.
Every authentication is multi-factor by default without the need for second devices, OTPs, or push notifications. Instead of passwords, Beyond Identity authenticates with two strong factors—“something you are” from the local device biometric and “something you own” via possession of a private key.
This effectively shuts the door on ATO because that which doesn’t exist cannot be stolen and passwords can be completely deprecated from the customer experience and database storage. And by replacing passwords with tamper-proof credentials stored on the Trusted Platform Module (TPM) of all modern devices, Beyond Identity removes the burden of authentication from customers so they can enjoy secure, zero-friction passwordless MFA without any hassle.
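As an added illustration of the device-bound credential model described above (example code written for this page, not Beyond Identity's or Curity's own code), the following Go program enrolls a device by registering only its public key and then authenticates it with a challenge-response signature. The server never holds anything an attacker could phish or dump from a database: it stores public keys and one-time nonces, and a captured response cannot be replayed. The in-memory key, the `Server` and `Device` types and the user id `alice` are assumptions standing in for a TPM- or secure-enclave-resident key and a real backend.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device holds the private key. In the scheme described above the key lives in
// the TPM / secure enclave and never leaves it; this in-memory key is a stand-in
// (assumption) so the example runs anywhere.
type Device struct {
	priv *ecdsa.PrivateKey
}

// Server stores only public keys (one per enrolled device) and a nonce per
// outstanding challenge. There is no shared secret on this side to steal.
type Server struct {
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

// Enroll: the device generates a key pair locally and registers only the public half.
func Enroll(s *Server, userID string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[userID] = &priv.PublicKey
	return &Device{priv: priv}, nil
}

// Challenge: the server issues a fresh random nonce for this login attempt.
func (s *Server) Challenge(userID string) ([]byte, error) {
	if _, ok := s.pubKeys[userID]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[userID] = nonce
	return nonce, nil
}

// Sign: the device signs the nonce with its private key ("something you own").
// A real deployment gates this call on the local biometric ("something you are");
// that gate is outside this example.
func (d *Device) Sign(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Verify: the server checks the signature against the enrolled public key and
// consumes the nonce, so a captured response cannot be replayed.
func (s *Server) Verify(userID string, sig []byte) bool {
	nonce, ok := s.challenges[userID]
	if !ok {
		return false
	}
	delete(s.challenges, userID)
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(s.pubKeys[userID], digest[:], sig)
}

func main() {
	srv := NewServer()
	dev, err := Enroll(srv, "alice") // constructed user id
	if err != nil {
		panic(err)
	}
	nonce, _ := srv.Challenge("alice")
	sig, _ := dev.Sign(nonce)
	fmt.Println("genuine device accepted:", srv.Verify("alice", sig))
	fmt.Println("replayed response accepted:", srv.Verify("alice", sig))
}
```

The two properties worth noting are that a copy of the server's storage yields only public keys, and that possession of a different key (even for the same user id) fails verification, which is what "the credential is bound to the device" means in practice.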
Take the first step towards zero trust with Curity and Beyond Identity
OAuth and OpenID Connect are standards that are fundamental in protecting APIs. The approach of using tokens to protect APIs works well for both services and users accessing resources. A token-based architecture also maps extremely well to a zero trust architecture.
Curity provides a robust token-based architecture to achieve solid protection of APIs and a zero trust architecture. However, this story can quickly become undone when organizations implement weak first- and second-factor authentication. In most cases, the same token is issued whether you authenticated with a password and an OTP sent via email/SMS or whether you used a strong factor like Beyond Identity.
You’ll often hear the phrase “layering on security doesn’t make it better security.” Malicious actors can now easily use many different tools to bypass a password first factor and an OTP second factor, which means they end up holding a token that lets them make requests to your APIs...not ideal.
With Beyond Identity's passwordless authentication we not only completely remove the reliance on passwords, but we cryptographically bind a credential to the device within the secure enclave/TPM, which is fundamentally more secure than password and OTP combined.
If the authentication method used is fundamentally secure, then the tokens the Curity Identity Server issues for API authorization are much better protected, allowing organizations to meaningfully move towards a zero trust architecture. When a token is issued after Beyond Identity has completed the authentication, you can be confident that the user is who they claim to be, because the user’s credential was bound to their device: only the user in possession of that device, with their biometric registered on it, could have completed authentication.
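The passage above makes the point that a token is only as trustworthy as the authentication that produced it, so an API should not treat every validly signed token alike. The following Go example (added for this page, not Curity's or Beyond Identity's code) has an API verify an ES256-signed JWT and then enforce a policy on the standard OIDC `amr` (authentication methods references) claim, rejecting tokens whose authentication did not include possession of a hardware-secured key. RFC 8176 registers `hwk` for that method, `fpt` for fingerprint, and `pwd`/`otp` for password and one-time password. The issuer key, the `Claims` struct, and the claim values are constructed assumptions; in a deployment the identity server populates `amr` according to the authenticator that actually ran, and the API fetches the issuer's public key from its JWKS endpoint rather than generating one locally.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Claims: only the fields this policy needs. "amr" records how the user authenticated.
type Claims struct {
	Sub string   `json:"sub"`
	Amr []string `json:"amr"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewIssuerKey stands in for the identity server's signing key (assumption).
func NewIssuerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// IssueToken builds a compact ES256 JWT over the given claims.
func IssueToken(priv *ecdsa.PrivateKey, c Claims) (string, error) {
	header := b64([]byte(`{"alg":"ES256","typ":"JWT"}`))
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JOSE encodes ES256 signatures as fixed-width R||S (32 bytes each), not ASN.1.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

// VerifyToken pins the algorithm, checks the signature, then parses the claims.
// Claims are never trusted before the signature has been verified.
func VerifyToken(pub *ecdsa.PublicKey, token string) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" {
		return c, errors.New("unexpected alg") // blocks alg-confusion tricks
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return c, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return c, errors.New("signature invalid")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	return c, json.Unmarshal(payload, &c)
}

// AuthorizeAPI: a valid signature is necessary but not sufficient. The API also
// requires every method in `required` to appear in the token's amr claim.
func AuthorizeAPI(pub *ecdsa.PublicKey, token string, required []string) error {
	c, err := VerifyToken(pub, token)
	if err != nil {
		return err
	}
	have := map[string]bool{}
	for _, m := range c.Amr {
		have[m] = true
	}
	for _, m := range required {
		if !have[m] {
			return fmt.Errorf("token for %q lacks required amr %q", c.Sub, m)
		}
	}
	return nil
}

func main() {
	priv, _ := NewIssuerKey()
	strong, _ := IssueToken(priv, Claims{Sub: "alice", Amr: []string{"hwk", "fpt"}}) // constructed
	weak, _ := IssueToken(priv, Claims{Sub: "bob", Amr: []string{"pwd", "otp"}})     // constructed
	fmt.Println("device-bound token:", AuthorizeAPI(&priv.PublicKey, strong, []string{"hwk"}))
	fmt.Println("password+OTP token:", AuthorizeAPI(&priv.PublicKey, weak, []string{"hwk"}))
}
```

The policy lives at the API (or gateway) rather than in the identity server, so it still holds if an additional, weaker authenticator is later enabled upstream and starts issuing otherwise-valid tokens.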
Here’s what you can expect from the Beyond Identity integration with the Curity Identity Server
- Eliminate credential-based attacks to better protect your APIs and data against malicious actors
- Frictionless, passwordless customer authentication experience to accelerate registration, login, and recovery
- Fast deployment with a simple OIDC configuration
When it comes to the customer authentication experience, the best experience is no experience at all. See how Beyond Identity and Curity can enable this for your customers.
Get started today
To get started with Beyond Identity for Curity, visit https://developer.beyondidentity.com/docs/integrate-with-curity.