For all of the proclamations that passwords are dead, you wouldn’t know it.  Password management best practice continues to come up in conversations with clients, and broaching the idea of eliminating passwords is met with strong resistance from bank leadership.  For all of their faults, the industry is finding it hard to let go of the relationship with passwords.  That is not to say that there aren’t valid arguments for keeping them around, but the counterpoints to these arguments illustrate that passwords have become more harmful than helpful.  

So just how much is there to the arguments in support of retaining passwords?  Let’s make a list of what proponents are saying and the corresponding liabilities to see how they stack up.

Common reasons to keep “good old passwords” around:

  • Customers are used to them
  • They are a tangible sign of security
  • They are low cost and easy to manage
  • They are the backstop for other authenticators
  • They can be used across channels
  • There are privacy and technology-related issues affecting alternatives

Now let’s look at the reasons to let go:

  • Customers hate juggling passwords, exercise poor password hygiene, and are getting increasingly accustomed to stronger forms of authentication
  • They are associated with massive breaches and customers are getting more savvy/concerned about security (i.e., passwords don’t convey the image of security)
  • Automated testing of compromised password lists (credential stuffing) overwhelms your network and creates noise in your fraud monitoring, increasing your operating costs and fraud losses – not to mention the similar dynamic caused by external aggregators
  • As a backstop, they are incredibly weak if not detrimental to security (it is akin to giving passengers on a cruise ship life jackets full of lead)
  • There are a wide range of solutions that go beyond knowledge factor authentication, yet can be leveraged in both physical and digital channels
  • Education and approaches that respect customers’ data (including PII and biometric profiles) can assuage privacy concerns, while mobile device penetration (the Swiss army knife of authentication delivery mechanisms) is now nearly ubiquitous – even backend integration is becoming easier/cheaper

I’m certain that there are other voices out there with additional points to be made on both sides of the argument, but it is hard to dispute that the combination of strong digital banking adoption and weak authentication has contributed to the growth of fraud.  Looking beyond the fraud implications, it is also hard to dispute that passwords are not exactly the most customer-experience-friendly form of authentication out there.

The long and short of it is that passwords are still here and they are the kind of friends your parents warned you about.  No, passwords aren’t dead.  That doesn’t mean we all need to be lifelong friends.

Author

About Al Pascual

An accomplished industry analyst, market researcher, and financial industry practitioner, Al Pascual is Javelin’s Research Director and Head of Fraud & Security. As Research Director, Al leads Javelin’s Advisory Services and Custom Research businesses. He oversees growth of these businesses while ensuring that Javelin’s research content meets quality standards and provides the innovative perspectives that clients expect from the firm.

As Head of Fraud & Security, Al provides clients actionable insights on a variety of fraud and security issues, acts as a partner in developing strategies for managing risk, and identifies and raises awareness of future threats and solutions. Al researches a range of topics, including the applicability of biometrics in banking and payments, the effect of data breaches on the integrity of consumer identities, the relationship between identity fraud and loyalty, and the best methods for securing payment data and transactions.

Al has presented findings from Javelin’s rigorous, industry-leading research at conferences around the world, including BAI, CARTES, Money20/20, NACHA, and RSA. Al has provided commentary on fraud and security issues to American Banker, Bloomberg, CNNMoney, Fox Business, Reuters, The New York Times, The Wall Street Journal, The Washington Post, and Wired.

Previously Al held risk management roles at HSBC, Goldman Sachs, and FIS. He is a member of the Association of Certified Fraud Examiners, the International Association of Financial Crimes Investigators, and the Federal Reserve Secure Payments Task Force. Al also serves on the board of advisers to the Information Security Media Group. He earned a Bachelor of Arts degree in History from the University of South Florida.
