For all of the proclamations that passwords are dead, you wouldn’t know it. Password management best practice continues to come up in conversations with clients, and broaching the idea of eliminating passwords is met with strong resistance from bank leadership. For all of passwords’ faults, the industry is finding it hard to let go of its relationship with them. That is not to say that there aren’t valid arguments for keeping them around, but the counterpoints to these arguments illustrate that passwords have become more harmful than helpful.
So just how much is there to the arguments in support of retaining passwords? Let’s make a list of what proponents are saying and the corresponding liabilities to see how they stack up.
Common reasons to keep “good old passwords” around:
- Customers are used to them
- They are a tangible sign of security
- They are low cost and easy to manage
- They are the backstop for other authenticators
- They can be used across channels
- There are privacy and technology-related issues affecting alternatives
Now let’s look at the reasons to let go:
- Customers hate juggling passwords, exercise poor password hygiene, and are getting increasingly accustomed to stronger forms of authentication
- They are associated with massive breaches and customers are getting more savvy/concerned about security (i.e., passwords don’t convey the image of security)
- Automated testing of compromised password lists overwhelms your network and creates noise in your fraud monitoring (increasing your operating costs and fraud losses) – not to mention the similar dynamic caused by external aggregators
- As a backstop, they are incredibly weak if not detrimental to security (it is akin to giving passengers on a cruise ship life jackets full of lead)
- There are a wide range of solutions that go beyond knowledge factor authentication, yet can be leveraged in both physical and digital channels
- Education and approaches that respect customers’ data (including PII and biometric profiles) can assuage privacy concerns, while mobile device penetration (the Swiss army knife of authentication delivery mechanisms) is now nearly ubiquitous – even backend integration is becoming easier and cheaper
I’m certain that there are other voices out there with additional points to be made on both sides of the argument, but it is hard to dispute that the combination of strong digital banking adoption and weak authentication has contributed to the growth of fraud. Looking beyond the fraud implications, it is also hard to dispute that passwords aren’t exactly the most customer-experience-friendly form of authentication out there.
The long and short of it is that passwords are still here and they are the kind of friends your parents warned you about. No, passwords aren’t dead. That doesn’t mean we all need to be lifelong friends.