The platform economy is changing how companies interact with customers. Enterprises need to connect with their customers efficiently to successfully and rapidly match the latter’s wants and needs with services and products. Being able to authenticate users to enable efficient and effective interaction with organizations is vital to business strategies of the future.
Password-based consumer authentication was initially designed for employees, not customers or clients. User experience was not a concern. Today, in the age of fingerprint readers and facial recognition, people expect a seamless customer experience, and passwords are becoming a key factor in poor customer retention rates. Furthermore, from setup to reset and decommission, password management is costing companies millions of dollars per year.
In terms of cybersecurity, weak password management is central to the entire criminal ecosystem. Passwords are difficult to secure and most cyber breaches stem from weak or stolen passwords. A breach of a single platform can impact millions of individuals and interconnected enterprises. Credential stuffing attacks, where criminals use stolen credentials leaked and shared online, represent nine in 10 login attempts on major retail sites.
Digital trust is a precondition for unlocking the promise of the platform economy. The World Economic Forum Centre for Cybersecurity is actively working to improve authentication, a pillar of cybersecurity, to ensure a secure digital future for everyone. In collaboration with the FIDO Alliance, the World Economic Forum has launched a white paper on Passwordless Authentication: The next breakthrough in secure digital transformation, which proposes six core principles for transition to a password-free future. Here’s why:
Better user experience
Authentication is the entry point to an online service. Passwordless authentication replicates how people in the real world recognize one another by using techniques such as biometrics, which are based on inherent physical attributes, or who we are. It is customer-centric and eliminates issues such as the common struggle of typing complex passwords on a foreign keyboard. In the near future, users will be able to authenticate to any platform via the devices they carry with them everywhere. Ultimately, an enhanced user-centric experience also results in stronger security, as users are much less likely to try circumventing cumbersome processes.
Login credentials to bank or social media accounts are on sale on the dark web for as little as $7. This is not just an issue for the individual user whose identity has been compromised – the unchecked rise of digital criminal activity is driving global cybercrime to unprecedented levels, and is undermining trust in government institutions. The digital economy is also enabling new waves of serious organized crime.
Passwordless authentication eliminates a long list of attack vectors, from credential stuffing to phishing attacks. When companies transition to new authentication solutions, they reduce their exposure to data breaches. Passwordless solutions require no personal information to be stored or transmitted over the internet; the risk of online fraud and identity theft is therefore greatly reduced. Furthermore, most passwordless authentication leverages two distinct authentication factors, providing more robust security guarantees than a single password.
The interoperability of authentication solutions unlocks value. Interoperability allows new users to access certain services, existing users to transact more broadly and digital services to offer their users new ways to transact. Applying a standards-based approach means that the implementation work is largely completed, and service providers can get started faster on their path to passwordless authentication. It greatly reduces development time and unlocks access to new markets that are adopting certified solutions. It allows for international compatibility and expansion.
Regulations such as GDPR impact businesses serving European users, regardless of where the business is registered. Passwordless authentication facilitates compliance with such international regulations, which is key to expanding digital businesses across geographies.
Enterprises often struggle to balance security with business realities. Not only does passwordless authentication improve security, the user experience and interoperability, it also reduces business costs and improves revenues by boosting productivity and brand perception.
According to a recent survey, employees spend more than 10 hours each year managing their passwords. This represents over $5 million a year for a company of 15,000 employees. With standards such as those developed by the FIDO Alliance, password administration is significantly simplified and, most notably, the costs associated with call centres are cut. Two and a half months is the average time that company IT staff spend resetting internal passwords, at an estimated cost of up to $70 per password reset. One study found that businesses spend $1 million annually in helpdesk costs alone to deal with password resets.
Looking at global cyber-risks, 4 in 5 breaches involve weak or stolen passwords, and the average cost of every breach is $3.92 million (see figure below). When there are no passwords for criminals to steal, the possibility of illegitimate access to a company’s networks is significantly reduced, which translates into lower insurance premiums.
The World Economic Forum Platform for Cybersecurity and Digital Trust actively supports the transition to a world without passwords with a call for organizations to pledge their support. Organizations from the public and private sectors along with civil society are invited to join this dynamic community of purpose; please visit our site to engage or for further details.
The parameters of authentication are much broader than passwords alone. Accurate and reliable authentication is the essential foundation of digital trust. It is an enabler of cybersecurity in the digital economy and of the Fourth Industrial Revolution. In other words, passwordless authentication is an enabler of the future.
Alois Zwinggi, Managing Director and Head, Centre for Cybersecurity, World Economic Forum. Adrien Ogée, Project Lead, Cyber Resilience, World Economic Forum. This article was first published as part of Davos 2020.