In this video, Brandon Krieger of Daily Cyber and CEO of LoginID, Simon Law, discuss how passwordless authentication works with older software and devices that are not biometrically enabled. They also discuss how passwordless authentication can benefit businesses as well as consumers (full transcript below).
LoginID is a FIDO/FIDO2-certified strong customer authentication platform that offers an open, free-to-use SaaS product that can be integrated into a website or app with just a few lines of code. LoginID offers a suite of strong customer authentication solutions that can help protect any website or app with real-time fraud prevention.
In addition to passwordless authentication, LoginID also offers a Transaction Confirmation with Digital Signature service where a customer can cryptographically sign an online transaction with their biometric (or PIN). The biometric action of the digital signature creates a digital receipt and payment authentication, ensuring that the purchaser is who they say they are. This tool is perfect for ecommerce fraud prevention and the elimination of fraud-related chargebacks.
Brandon Krieger: How can users of older software still utilize passwordless authentication?
Simon Law: That’s a good question. What they do, in those types of situations, is they have an IDP, or identity platform, where you authenticate and then you come up with an identity token, like an OAuth 2.0 protocol, and then you send that token over and then the legacy platform needs to somehow ingest that. It says, OK, I recognize that this is already authenticated by a third party that you already trust.
For example, with LoginID, we would be the trusted partner with an existing website or system. We would do the authentication and then we would pass along a token and then the legacy system would somehow need to ingest that token.
It offloads all the complexity of the latest specifications of authentication for FIDO2 and WebAuthn to us. Then all they have to do is support, on their end, on the front side, LoginID’s service as a trusted service.
BK: So one question that’s coming to me, and I'm thinking on the business side, what is driving businesses towards the world of strong passwordless authentication? I know you’ve talked about the honey pot and security, but is there any other reason why companies are moving that way?
SL: I think it all comes down to if it drives business, right. So, conversion, conversion, conversion. So if you look at the statistics, Google and Yahoo have already done some studies. They have enabled this on some of their websites. For example, Yahoo, they enable it in Japan and they saw a 24% increase in conversion.
Similarly with Google, they saw similar numbers. So it's a mind-boggling increase in conversion. I think the stats were 89% conversion vs about 60% with password. The idea is that you’ll be able to convert people much quicker.
Also not only is the failure rate much lower, it’s also the speed as well. Tapping your fingerprint vs typing a password, the fingerprint is much faster. The stats say three to four times faster when using a biometric. Conversion is a reason why businesses want to go with passwordless authentication.
Another reason is, obviously, security and then finally compliance. With security, a lot of companies don’t want to store passwords and PII data. What businesses want to do is use a protocol similar to FIDO2 where it's PKI (Public Key Infrastructure) where they’re storing the public key and they’re not in possession of a valuable password on their system. So security is another aspect.
Then finally, compliance. For example, in Europe, you need to be GDPR compliant, which means a lot of PII data needs to be secured and passwords are, obviously, PII data. FIDO2 is GDPR compliant, inherently, because it’s pseudo-anonymous. The digital signature that comes from your phone can’t really identify who you are.
So that’s why conversion, which is really the business case, you see higher conversion rates, faster conversion rates. Then security, compliance, and together those are big reasons why you want to move away from passwords.