For some 60 years, passwords have served as our first line of defense against hackers. We all know the rules for making a password that is hard to crack: make it long, mix letters with numbers and symbols, and never reuse it across sites. Easy, right? Perhaps not when you are juggling dozens of these obscure passwords, more than half of which you definitely don't remember.

Passwords are also a major headache for businesses, where password-related support tickets account for 40 percent of all tickets. Furthermore, 92 percent of users would rather abandon a website than recover or reset a password, and losses from account takeovers cost businesses an average of $12,000.

Today's tech-savvy millennials and Gen-Zers have little patience for this password game and the multi-step authentication needed to log in to most apps and websites. Fortunately for them, their growing purchasing power will push passwordless authentication into the mainstream.

Biometric authentication: from login to unlock

In recent years, biometric authentication, such as facial recognition and fingerprint scanning, has been used increasingly on laptops and mobile devices. The result is a much better user experience: unlocking a device is both simpler and more secure than typing a PIN.

Modern facial recognition and fingerprint scanning are among the most accurate and convenient forms of user verification available today. Device biometrics store a mathematical representation (a template) of the user's face or fingerprint in protected storage on the device itself. That template never leaves the device and is never shared with the application or any other device, which is what makes the approach privacy-preserving: the service never receives biometric data, so it cannot leak or misuse it. Modern sensors keep both the false acceptance rate (FAR) and the false rejection rate (FRR) low, but the two pull against each other, so tuning the matcher is always a balance between security (rejecting impostors) and customer experience (not rejecting the legitimate user). Note also that the biometric itself is never the credential the server checks; it is a local gate that unlocks a cryptographic key, as described below.

By reliably rejecting unauthorized users while painlessly accepting legitimate ones, device biometrics are positioned as the go-to replacement for the headache of remembering too many passwords. The standard that ties the biometric to a web login is the Web Authentication API (WebAuthn), a W3C specification and the browser half of FIDO2, which lets servers register and authenticate users with public-key cryptography instead of a password.

From the end user's side, WebAuthn is very simple. When registering for an online service, subscription, or app, the user's device (the authenticator) generates a new key pair for that specific site. The private key never leaves a trusted environment within the device, such as a secure enclave, TPM or TEE. The public key is sent to the app's server and stored against the user's account together with a credential ID. The public key does not replace the user name; it replaces the password hash the server would otherwise have to protect, and unlike a password hash, nothing stored on the server can be used to log in.

During authentication, the app's server generates a fresh random challenge (a nonce) and sends it to the browser, which passes it to the device's trusted environment together with the site's origin. The authenticator prompts the user to scan their face or fingerprint. Only if the local match succeeds does it use the private key, inside the trusted environment, to sign the challenge together with data identifying the site; the key is never "released" to the browser or the app. The signed assertion goes back to the application server, which looks up the stored public key by credential ID and verifies the signature, the challenge and the origin. If all three check out, access is granted. Because the signature is bound to the origin, a look-alike phishing site cannot forward a valid assertion, and because each challenge is used once, a captured assertion cannot be replayed.

This pain-free process will radically improve the user experience, making our increasingly digital lives more secure and convenient.

Practical uses

Replacing passwords with biometric authentication doesn't just boost the user experience; it also has tangible financial benefits for B2C businesses. The retail industry, for example, stands to gain a lot from integrating biometric authentication into ecommerce platforms. By replacing passwords, biometric authentication can greatly reduce cart abandonment, because the checkout verification steps that exist to reduce fraud become a single tap. Ditching passwords also saves the money that would otherwise go towards fraud cases: stolen or reused passwords stop being an avenue for account takeover, and because a stolen public key is useless to an attacker, the back-end cost of protecting a password database largely disappears.

Other B2C industries that would benefit from a transition away from passwords are the airline industry, entertainment and streaming platforms (OTT) and other subscription services, insurance, and banking, as seen in the BRED case study.

In this case study, Transmit Security's solution, which uses the FIDO2 WebAuthn protocol to provide passwordless authentication, enabled European bank BRED to serve disabled adults better through its digital banking services. BRED's online portal for its payment keyring was initially too hard to access because of an unfriendly login. Many disabled users struggled to navigate the portal or forgot their passwords, got locked out of their accounts, and then had to wait on hold for hours with the bank's call center.

BRED chose FIDO2 WebAuthn to simplify customer authentication, knowing that its customers already enjoyed the simplicity of smartphone biometrics. A "login with mobile" button was added to BRED's website; tapping it calls BindID over OpenID Connect, an identity layer built on top of the OAuth 2.0 protocol. This displays a QR code, which the customer scans with their smartphone to open a browser that invokes the device's preconfigured biometrics. Within a week, BRED was providing convenient, password-free banking to its disabled customers, which reduced operating costs, support-call volume, and fraud risk.

The BRED/BindID example illustrates the benefits of biometrics over passwords for only one segment of the population. The growing spending power of millennials and Gen-Zers will be a driving force behind the inevitable transition from passwords to biometric authentication. These demographic cohorts, who drive global tech-trend adoption, are simply running out of patience with the current password status quo.

Both businesses and individuals already feel passwords are a UX nightmare, and are starting to recognize the convenience, security and economic benefits that biometric authentication offers. As this technology expands and increases its market penetration, even biometric skeptics will quickly start singing its praises.

Miguel Fersen, Senior Cloud Consultant at GlobalDots, co-founded two startups by the age of 20 and served as an advisory board member on several other startups. Having worked for Limelight & Edgecast networks for 9 years, he is a core member of the CDN alliance, a nonprofit organization aiming to unify the CDN industry and create sustainable standards for all. In his roles with GlobalDots Miguel has played a key role in building and growing partnerships with some of the most innovative vendors. Miguel also leads the South American and Iberian markets in the fields of Web Application Delivery, Cloud Management, and Cybersecurity.

