Editorial

Developing an alternative to passwords in public sector

In this Q&A, Jim Small, Managing Consultant – Head of Identity at Hippo, explains the need to replace passwords in the public sector, and how his team is working on a credible alternative: passkey technology.

Posted 24 October 2023 by Christine Horton


There has been a move to replace passwords with more secure, easier-to-use alternatives for some time. So why do organisations continue to rely on passwords?

From the beginning of the digital revolution there has been a need to control shared access to computer resources, and the original authentication solution – conceived at MIT in the early 1960s – was the password.

Initially this solution worked, but as online services matured and passwords became the gateway to personal data and financial services, it became very lucrative for the bad guys to hack weak passwords or steal password data from insecure systems through brute force. Prior to this becoming a critical issue, however, passwords became the ubiquitous authentication tool for access to online services, and they remain so today. 

Organisations continue to rely on passwords because they are simple and easy to deploy, allow anyone on any device to access services, do not require additional hardware and offer few compatibility issues. They became so common as an access mechanism to digital online services that pretty much all services were built around password-based access control, and as consumers we have become accepting of them (although not proficient, as the statistics around weak password use show).

What are some of the problems this creates?

Passwords have become deeply embedded in the digital user journey, and it will be expensive to replace them; organisations need to know that whatever they replace them with is better from a security and user experience point of view. Up to now, the alternative options have not been clear.

Unpicking and replacing this technology could create significant cost to the organisation and disruption to the user, and in a world where customer digital acquisition, retention and churn reduction are key business performance indicators, there is understandable resistance to replacing them until a proven alternative is available. 

In the meantime, the well-publicised issues around password insecurity and fraudulent access to services and data, financial theft and scams will remain. IBM, in its Cost of a Data Breach Report 2023, estimates that the average cost of a data breach in the UK is £3.2 million per organisation, and in a 2022 report, UK Finance reported that “over £1.2 billion was stolen through fraud in 2022, the equivalent of £2,300 every minute.”

What are some of the alternatives?

Paradoxically, the addition of second-factor authentication tools such as SMS one-time passwords, authenticator apps and physical hardware tokens has been used as an alternative to password-only solutions but has served to extend the lifetime of the password itself, creating short-term benefit but slowing the need for a completely secure replacement.

The most serious candidate yet for replacement of the password altogether is the Passkey. Driven directly by Google, Apple, Microsoft and the FIDO Alliance, this option delivers a number of security benefits over passwords, including that they will make phishing an account practically impossible, will negate brute force attacks and deliver excellent ‘seamless’ UX using biometric authentication on device.

It’ll be some time until alternative technologies such as Passkeys are mature enough to be rolled out to the masses, but the push is now serious and it’s clear that the end of the password is finally on the horizon.

How important is user-centred design in a passwordless world?

It’s critical. In the delivery of access controls to online services it’s mission-critical to find the elusive balance between user experience (driving registration numbers, successful logins and customer satisfaction scores) and security (identifying legitimate users and keeping out the bad guys).

Effective user-centred design enables the development of usable, intuitive services based on user research and testing, optimised to ensure that a balance between user and security needs is delivered.  

How is Hippo helping to deliver passwordless authentication for its customers?

Hippo has embraced the industry innovation around Passkeys to build user-centred flows for two of our key client authentication flows based on Passkey technology. 

We have deployed Passkey-based biometric authentication for two of our key high-volume consumer-facing digital services (NHS Login and Virgin Red) and continue to evangelise within the business across teams to communicate rationale for development, ease of deployment and customer & user benefit of Passkey technology for the other authentication-based digital services in development at Hippo.

Have you got any examples you can share?

NHS Login is a service that Hippo defined and delivered, and we remain at the heart of the development roadmap. A Passkey option for user authentication is being rolled out, enabling NHS Login users to adopt a seamless, passwordless authentication journey if they wish to do so.

Virgin ID is the central ID verification and authentication component across different Virgin company online brands. Hippo delivered the Virgin ID solution, using password-based authentication at launch and adding a Passkey option in Q2 2023 with user messaging and tutorials enabling the Virgin users to understand and then enable the passwordless, biometric authentication option if they want to. 

Do you have any advice or best practices you can give to public sector organisations that want to ditch the use of passwords? 

Assess and research up front what the key usability necessities/prerequisites are, and run a Discovery phase for the project to ensure that all user elements are addressed, and then how these deliver into the organisational requirements.

Deliver the new, seamless, authentication method as an optional alternative to password in the first instance, allowing user adoption to drive take-up.

Select subset(s) of users to test early versions (beta, POC) of the service prior to full roll-out. Let existing users refine the rough edges with you.

Be careful with user language at launch – seamless authentication can look ‘too easy’ to the user, who has been used to the complexity of passwords and OTPs and authenticator apps, and you may need to hold their hand to create confidence in a seamless solution that at first glance may look less secure. 

Support the user in adoption of new technology with messaging and Q&A content to allow them to get used to and adopt the technology.

Anything else of interest?

Passkeys are today’s buzzword, and the industry has high-hopes for their evolution and adoption as a mass-use authenticator. 

However, there are other options available, with vendors selling proprietary ‘passwordless’ auth solutions, often based on PIN+biometric and based on secure public-private key models. There are initiatives driven by the mobile operator ecosystem to enable seamless authentication factors through use of secure mobile header enrichment, and organisations offering significant investment funding for innovative solutions that can solve this issue using other technologies.
