Passwordless Security Guide

Digital transformation initiatives often prompt the decision to go passwordless for large-scale consumer applications. Such Business-to-Consumer (B2C) and Customer Identity Access Management (CIAM) use cases are often where passwords create the most pain and remain the #1 cause of breaches, with some alarming statistics:

• $1.7B in Account Takeover Fraud last year, having doubled since 2015
• More than 56% of consumer banking traffic is malicious login attempts
• The adoption of 2-Factor Authentication has stagnated in the past 4 years

The decision to eliminate passwords makes perfect sense because it directly supports both increased security and an improved customer experience. In fact this is one of the rare occasions where security and business teams will agree. Passwordless CIAM initiatives assemble cross-functional groups. These include design, user experience, cybersecurity, and software engineering teams who will be impacted by, and participate in, its integration.

Retail banks, social media companies, Internet service providers, insurers, and online email vendors are good examples within this deployment category. They are deploying passwordless authentication for consumer-facing mobile and web applications by integrating the HYPR SDK. The result is a phishing-resistant login experience powered by the user’s mobile device that is also extended to the web and desktop.

Strong Customer Authentication & PSD2 Compliance

Firms doing business in the European Union must comply with the Payment Services Directive (PSD2) regulations. PSD2 Guidelines describe the use of “separated software execution environments” such as a mobile device or secure element as being necessary for achieving Strong Customer Authentication (SCA). The implication is that password-based authentication is insufficient to secure consumer transactions – especially legacy MFA that relies on shared secrets (e.g. OTP) or lacks a separate execution environment for key storage.

HYPR provides a fast and simple way to meet PSD2 compliance by eliminating passwords and shared secrets. This passwordless approach to Strong Customer Authentication (SCA) is trusted by industry leaders such as Mastercard to prevent credential reuse, enhance the customer experience, and achieve compliance.

Digital Banking & Transaction Approvals

The banking industry has been at the forefront of passwordless innovation, with some of the world's financial institutions contributing to the FIDO specifications and deploying the technology. Two key drivers of this adoption are enhanced user experience and mitigation of account takeover fraud.

The advent of online banking dramatically improved the convenience of personal and business finance management. While it should be straightforward to log into an online bank website, this is not always the case. Since lost or forgotten passwords are a common root cause for most cases of inability to view online banking information, passwordless has become an essential driver of improving the digital banking experience.

The prevalence of account takeover fraud (ATO) has been a major reason to eliminate passwords. Credential stuffing attacks have spiraled out of control, with malicious login attempts accounting for more than 56% of consumer banking traffic.

The use of multi-factor authentication (MFA) reduces ATO risk but it undermines usability and decreases transaction velocity. Today banks view passwordless MFA as the natural next step in improving digital security, reducing ATO fraud and enhancing the customer experience. See a demo of an online bank authentication without passwords.

Payments & eCommerce

Customers habitually reuse passwords across services. This poses a widespread security risk because credential harvesting has a domino effect that impacts organizations worldwide.

Unfortunately businesses have been reluctant to add layers on top of passwords; according to Mary Meeker’s 2019 Internet Trends Report, the number of websites supporting Two-Factor Authentication (2FA) had dropped to 52% — with participants citing friction as an adoption blocker.

A passwordless experience directly addresses these usability challenges and reduces the likelihood of cart abandonment during transactions. As such, notable eCommerce giants such as Rakuten and eBay have made passwordless authentication available to millions of customers. By enabling passwordless payment experiences these businesses are protecting themselves and their shoppers from large-scale credential reuse attacks while advancing core business goals.

Call Center & Customer Support

Any type of support center will measure success in two areas: productivity of the support workforce, and satisfaction for customers needing assistance. In each case, the removal of friction in workflow is an important enabler of a high-quality interaction, especially in call centers with traditionally long wait times. When passwords are part of this process, it is clear that passwordless methods such as mobile PUSH should be considered to improve both worker productivity and customer satisfaction.

A potent example of this use case in action is VHI Healthcare. Ireland’s largest health insurer approached HYPR with the goal of increasing mobile app adoption by enhancing the digital customer experience. The insurance leader made mobile, web, and call center authentication much faster and easier by allowing people to authenticate without a password. How did VHI Healthcare enhance call center authentication by removing passwords?