Sitting in front of my computer, I recently picked up my smartphone and unlocked my banking app with my thumbprint to see if a check I had written had cleared my account. Before going any further, let me acknowledge that, yes, this payment professional still writes checks every now and again! I learned the check had cleared, logged off the app, and resumed my day in front of my computer. This got me thinking about a change in my behavior that has occurred over time. Even when I am right in front of my computer, I find myself using my smartphone apps almost exclusively instead of visiting the full-function websites from my laptop or desk computer. Why?

The answer is simple: ease of access. I can get to my information through apps on my smartphone using just my thumbprint, but accessing that same information from my computer through a website requires me to remember and type in my username and password. In fact, every app on my smartphone that requires a log-in allows me to authenticate using my thumbprint. Truthfully, I’m not so good at remembering my passwords even using the methods I teach others to use: create difficult yet supposedly easy-to-remember passwords. Perhaps this is why password managers remain so popular. I continue to hold out from using a password manager with hopes that biometric authentication will become more common on websites and remembering passwords will be a thing of the past (except when biometric authentication fails). If smartphone apps authenticate me with my fingerprint or face, then why don’t websites do that when my laptop has a fingerprint reader and camera just as smartphones do?

While the same biometric functionality is currently available on my computer, the main barrier is that websites struggle to support and accept biometric validation due to different implementations across various web browsers and operating systems. Several organizations and standards bodies are considering this issue. The FIDO (Fast Identity Online) Alliance was formed in 2013 to produce stronger authentication standards and reduce password reliance. The FIDO2 Project, a joint effort between FIDO and the World Wide Web Consortium (W3C), released specifications in 2019 for W3C’s Web Authentication (WebAuthn) product that allows a website to use FIDO authentication through a standard API implemented in a browser using public key cryptography and biometric authentication. Unfortunately, its uptake has been slow, primarily because of the inconsistent user experience from website to website.

I should note that biometric authentication for apps on phones has not necessarily eliminated passwords, though it certainly feels like it, at least until the biometric authentication fails. Rather, biometrics serve as an alternative method of accessing the app’s username and password combination. The fingerprint and facial recognition is a template algorithm stored in a highly secure location on our phones. When an app requests my thumbprint and the stored algorithm confirms a match, the equivalent of a password manager opens on my phone and I am authenticated.

Is the end drawing any closer for manually entering online passwords, and are you looking forward to that day? Taking it further, will the day ever come when passwords are eliminated? Personally, I hope so and am very much looking forward to that day. If it doesn’t happen, then, based on my own habits, the days of visiting my financial institution’s website and others’ sites might be altogether forgotten.