Entering an age of password-less security
A shift towards password-less security
In today’s digital-first world, there is mounting pressure on enterprises and governments to combat the threat posed by cyber-criminals. The United States Agency for International Development reported that the global cost of cybercrime was estimated to top $8 trillion in 2023. This figure is larger than the national economies of all but two countries—the United States and the People’s Republic of China. The agency expects cybercrime to continue to grow unabated over the coming years, with projections as high as $23.84 trillion by 2027. ⁽¹⁾
The ever-increasing number of passwords in use continues to leave people more vulnerable to cyber-attacks. According to Google Cloud’s 2023 Threat Horizons Report, 60% of breaches involve stolen or leaked credentials. ⁽²⁾ Companies are finding it difficult to manage the growing security complexity around sign-in and authentication while still providing a seamless customer experience.
At present, IT security departments are moving towards password-less authentication, using technologies such as passkeys or Mobile Identity that do not require a password at all.
What is the issue with passwords?
Cyber criminals have profited from stealing people’s accounts simply by guessing their passwords. Websites made password rules tougher to stop users from picking weak ones, but this pushed people to reuse the same stronger passwords across multiple sites. If one of those passwords is stolen, it can be used to gain access to other websites and apps.
Businesses have yet to remove passwords fully from their authentication processes. Instead, they are adopting two-factor authentication (2FA), which requires the user to satisfy two of the following three factors to be verified successfully:
Something they know, which currently remains a password or, more securely, a PIN (Knowledge)
Something they have, such as a mobile device (Possession)
Something they are, which may be a biometric reading such as a fingerprint scan (Inherence)
This practice is evident at the regulatory level: the Payment Services Directive (PSD2) introduced stricter requirements for customer authentication, known as Strong Customer Authentication (SCA), which mandates Multi-Factor Authentication (MFA) for online transactions. Furthermore, based on recent speculation about PSD3, these requirements are expected to become even more stringent.
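As an added illustration (not part of the original article and not Bastion’s code), the following Python check models the “two of three factors” rule described above as a policy decision. It counts only evidence the verifier actually confirmed and requires the confirmed evidence to come from distinct categories, so a password plus a PIN (both Knowledge) does not qualify, whereas a password plus a verified mobile device (Knowledge plus Possession) does. The category and evidence names and the sample sign-in attempts are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three authentication factor categories named in the article."""
    KNOWLEDGE = "knowledge"    # something the user knows: password, PIN
    POSSESSION = "possession"  # something the user has: mobile device, SIM
    INHERENCE = "inherence"    # something the user is: fingerprint, face


@dataclass(frozen=True)
class Evidence:
    """One piece of authentication evidence presented during a sign-in."""
    name: str          # label for reporting, e.g. "password"
    factor: Factor     # which category the evidence belongs to
    verified: bool     # whether the verifier actually confirmed it


def verified_categories(evidence: list[Evidence]) -> set[Factor]:
    """Return the distinct factor categories that were successfully verified.

    Evidence that failed verification contributes nothing, and two pieces of
    evidence from the same category count as one category.
    """
    return {e.factor for e in evidence if e.verified}


def satisfies_mfa(evidence: list[Evidence], required: int = 2) -> bool:
    """True when at least `required` distinct factor categories were verified."""
    return len(verified_categories(evidence)) >= required


def missing_categories(evidence: list[Evidence]) -> set[Factor]:
    """Categories that could still be presented to strengthen the attempt."""
    return set(Factor) - verified_categories(evidence)


# Constructed sample sign-in attempts (not real data).
SAMPLE_ATTEMPTS: dict[str, list[Evidence]] = {
    # Two knowledge factors: looks like "two things" but is one category.
    "password+pin": [
        Evidence("password", Factor.KNOWLEDGE, True),
        Evidence("pin", Factor.KNOWLEDGE, True),
    ],
    # Password plus a verified mobile device: knowledge + possession.
    "password+device": [
        Evidence("password", Factor.KNOWLEDGE, True),
        Evidence("mobile-device", Factor.POSSESSION, True),
    ],
    # Password-less: device possession plus a fingerprint.
    "device+fingerprint": [
        Evidence("mobile-device", Factor.POSSESSION, True),
        Evidence("fingerprint", Factor.INHERENCE, True),
    ],
    # A second factor was presented but failed verification.
    "password+failed-device": [
        Evidence("password", Factor.KNOWLEDGE, True),
        Evidence("mobile-device", Factor.POSSESSION, False),
    ],
}


def evaluate_all(attempts: dict[str, list[Evidence]] = SAMPLE_ATTEMPTS) -> dict[str, bool]:
    """Apply the two-category rule to every sample attempt."""
    return {name: satisfies_mfa(ev) for name, ev in attempts.items()}


if __name__ == "__main__":
    for name, ok in evaluate_all().items():
        gaps = ", ".join(sorted(f.value for f in missing_categories(SAMPLE_ATTEMPTS[name])))
        print(f"{name:24s} {'PASS' if ok else 'FAIL'}  missing: {gaps or 'none'}")
```

The point of keeping `verified` separate from the category is that a factor which was merely requested (an OTP that was sent but never entered, a fingerprint prompt the user dismissed) must not count; a real implementation would derive that flag from the verifier’s result rather than trusting the client.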
Understanding Password-less Authentication
Password-less authentication is a modern approach to secure user verification that eliminates the need for passwords. It is a type of multi-factor authentication (MFA), but instead of using a password (something the user knows) it employs more secure factors. These could include biometrics (such as fingerprints or facial recognition), mobile phone verification, or a passkey.
Passkeys are a new type of login credential that are not yet widely adopted, as they require significant technical expertise during setup. Mobile Identity refers to technology that uses and analyses mobile network capabilities to enable end-user identity verification. This verification helps prevent fraudulent activity and requires no setup by the user.
Switching from traditional passwords to more robust authentication methods allows enterprises to enhance the security of user access to their resources. By enabling MFA, IT teams can manage access at various levels — individual users, defined groups, or even specific job roles. This way, password-less authentication not only simplifies the user experience but also strengthens security measures.
Mobile Identify acting as a ‘never trust, always verify’ tool
Mobile Identify utilises the possession element of 2FA, which allows companies to determine whether or not they are interacting with the owner of a given mobile device. Phone-centric identity is currently one of the key drivers in the shift toward password-less authentication, because the new reality for any enterprise is that mobile device identities are the new security perimeter.
Instead of relying on passwords to provide end-user authentication, the possession factor that is provided by Mobile Identify can allow a ‘never trust, always verify’ approach.
Mobile device in modern password-less authentication
The mobile device is increasingly becoming the core of our everyday transactions and interactions, from the onboarding of banking customers to a wide range of e-commerce activities. Authenticating the mobile phone subscriber is the modern way to validate identity. Customers want verification to happen in the background, and businesses want the verification experience to be seamless in order to minimise drop-off rates.
Implementation is key here, however, because MFA can easily add complexity, especially to the user experience. The central challenge when moving away from passwords towards MFA, such as an implementation of Mobile Identify, is striking the right balance between a seamless user experience and your enterprise’s security risk.
Mobile Identify by Bastion
Our patented Mobile Identify solution provides a PSD2-compliant API into the physical mobile network to help you monitor your customers’ mobile identities in real time. It enables your business to authenticate millions of customers securely and seamlessly, protecting you and your customers against online fraud.
At Mobile Identify, we ensure your customer experience is not compromised but rather optimised as our solution provides a seamless customer journey to meet the possession factor in 2FA and fulfil the dynamic validation of SCA.