Big tech is building a passwordless future. Banks want to join in.

Bad password management is only one problem plaguing credentials. Banks also believe passwords are not user friendly. Developments toward a post-password future could change that.

Bank IT leaders believe almost unanimously that the time has come to move beyond passwords to a more secure form of authentication, known to many as passwordless.

As the name suggests, passwordless authentication involves logging a user into a system without using a password. That can involve numerous alternative methods, from using biometrics to a USB key or an app on a trusted device.

Just how widespread is the belief that passwords need to go? According to a recent survey, 89% of IT security leaders at financial services firms believe passwordless authentication ensures the highest level of authentication security — better than passwords and multi-factor authentication.

The problems with passwords go beyond security. Of the 500 participants in the survey, 89% also said passwordless authentication would be the way to ensure user satisfaction.

Hypr, a passwordless authentication vendor that works primarily in financial services, retained Vanson Bourne, a market research company, to conduct the survey. Respondents were based in the U.S. (200), U.K. (100), France (100) and Germany (100).

Banks are in good company in their desire to move past passwords. This summer, Apple unveiled plans to replace passwords with Passkeys — a public key technology that will allow consumers to authenticate with various platforms and services using either Face ID or Touch ID, the company's facial and fingerprint biometrics systems.

Passkeys are considered a dynamic method of authentication as opposed to a static method such as password authentication. With password authentication, a bank asks a user for a secret value, and the bank knows in advance what the correct answer will be.

With public key authentication, a more complex dance takes place that requires the user's device to make cryptographic calculations that can only be made on a device that they control. A similar, widespread scheme uses digital certificates to prove the authenticity of web pages.

Prior to the Passkeys announcement, Google and Microsoft announced they too would join in the fight to rid the world of passwords. The two alongside Apple participate in the FIDO Alliance, the mission of which is to "solve the world's password problem" by replacing passwords with security keys, facial recognition, fingerprint scanning or other methods that typically require a device to execute.

Banks have good reason to mistrust passwords. According to Verizon's 2022 Data Breach Investigations Report, nearly 50% of data breaches involve the use of stolen credentials — more than phishing, exploitation of software vulnerabilities, and botnets combined.

Threat actors have multiple options for accessing systems using stolen credentials. With systems that have no multifactor authentication, they can use credential stuffing, which involves trying username-password combinations on one system that have worked on other systems. These attacks work because of password reuse — when a person uses the same password on multiple systems.

For systems that are protected by multifactor authentication, threat actors have a harder but still feasible job. By targeting users with spear phishing attacks, the criminals can manipulate the user into providing the password and second factor — often a code sent to the user via text message or a multifactor authentication app — to access the target system.

By contrast, many passwordless authentication solutions promise to be phishing-proof, which Andrew Shikiar, executive director and chief marketing officer of the FIDO Alliance, reiterated in the announcement that Google, Microsoft and Apple would be accelerating their passwordless efforts.

"This new capability stands to usher in a new wave of low-friction FIDO implementations alongside the ongoing and growing utilization of security keys — giving service providers a full range of options for deploying modern, phishing-resistant authentication," Shikiar said.

Although banks largely buy into this passwordless effort, according to Hypr's research, they also face numerous challenges implementing such systems — primarily related to managing the new kind of system and the friction that both employees and customers will face adopting them.

According to Hypr, 75% of financial institutions in the survey reported facing IT-related obstacles, primarily the complexity of managing a passwordless authentication infrastructure (33%). Additionally, 62% of respondents said the new authentication methods would cause difficulties for their users.

For Hypr CEO and co-founder Bojan Simic, the barriers to a passwordless future are real but overstated, and the bigger question is how banks will move to eliminate passwords.

"This is the path forward," Simic said. "All the major companies in the world — all the major financial services companies in the world — have aligned on this. It's just a matter of when and exactly how that's the question."

Also endorsing an end to passwords is Bill Gates, who said they "just don't meet the challenge for anything you really want to secure." But banks and tech vendors might not want to hold their breath for a passwordless future. Gates and others have been saying passwords need to go away since 2004.

MORE FROM AMERICAN BANKER