Passwords — and even one-time passcodes (OTPs) — render us vulnerable to fraudsters, which has always been so.
The fraudsters are stepping up their attacks as we live more of our lives than ever online.
Gerhard Oosthuizen, chief technology officer at Entersekt, and Mike Storiale, vice president, innovation development, at Synchrony Bank, told PYMNTS that the most common ways of confirming individuals’ identities are not all that effective at protecting us. But they remain stubbornly entrenched — and people tend to juggle many passwords, while the businesses that interact with them tend to push OTPs at them with abandon.
The question remains: Why should it be so?
The question is timely, as the duo told PYMNTS that the fraudsters have become relentless. Oosthuizen remarked that there are “about 20” attack vectors that continuously pop up as bad actors pilfer sensitive information. Phishing scams are still a favorite. Social engineering, of course, is an evergreen concern.
As to why passwords are still in the mix:
“I think it’s because many people don’t know any better,” said Oosthuizen. And so we add layers of what we hope are protection, switching up passwords, forgetting them often, and encountering friction in the online realm.
“The username and OTP [combination] is terrible,” he said, adding that “you have to wait for the OTP. You have to remember the password. You have to hit a reset button every third password — and many of us have a hundred passwords to manage. So, although they are less than ideal, Storiale said, OTPs are among the few methods that have been able to authenticate someone when you do not know who they are.
But as Oosthuizen said, technology is available that can do better. He noted that Big Tech, including Google and Microsoft, have embraced passkeys as options alongside passwords and two-step verification. And, as both Storiale and Oosthuizen agreed, deterministic signals and authentication bolstered by device-level data can help authenticate consumers while forging a streamlined experience.
“Ultimately,” said Oosthuizen, “the consumer follows convenience.” With some education and outreach on the part of the bank, consumers can be prodded to look beyond passwords — and the positive ripple effects can accrue throughout the commerce ecosystem. The issuer need not introduce friction into the equation or decline a card transaction if unsure of identity (statistics show that consumers who encounter friction will stop using a particular card). As a result, the issuer gets interchange revenue. The merchant closes the sale. And the consumer remains loyal to both.
Asked by PYMNTS about how financial institutions (FIs) and providers are making strides toward educating consumers and making the technological changes to make passwords a thing of the past, Oosthuizen said that there’s been “an infrastructural change that’s happened over many years.”
The FIDO alliance is one example, he said, where a consortium approach has helped shift participants to authentication standards — now supported by roughly 80% of the world’s browsers and operating systems. In addition, there’s at least some groundwork already laid. He said, “we’ve become familiar with locking our phones and unlocking our phones and setting up our authentic cases on the device.”
Storiale said that when it comes to digital banking, FIs must weigh the desired seamless experience against security concerns and run passkeys and other options “in parallel” with passwords OTPs. A gradual approach is the best approach, he said.
“Many of the financial institutions who are wondering how they’re going to start to implement this,” he said of passkeys, “are probably looking at that same mountain that they have to climb, which is, if I’m going to now start to make a transition, I can’t just flip a switch one day because I would have fallout.” Passkeys, said Oosthuizen, sit in a “sweet middle spot” where most consumer journeys could be facilitated by a simple face ID or a simple touch ID, as passkeys tie several devices together.
Looking ahead, Storiale and Oosthuizen said consumer interactions with FIs can be reminiscent of visiting a branch years ago — where the consumer was known on sight. And the data accompanying the individual, right down to the device and biometrics level, can help FIs anticipate what the customer might need next.
As Oosthuizen told PYMNTS, the authentication and context “remains continuous … and it feels natural. We can gradually adjust the journey depending on the familiarity of the customer … and the knowledge we have about the risk they are exposed to. All that needs to be blended together.”