The Petition Against Passwords is a public advocacy campaign that supports alternatives to usernames and passwords, which the group says are not secure, no longer sufficient for many applications and in many ways enable fraud. As the group seeks 100,000 signatures their efforts should remind organizations in the CNP channel that additional authentication is needed for both logging into user accounts as well as with authenticating data related to transactions.
The Petition Against Passwords initiative promotes forms of identity protection that are more convenient and secure for customers than traditional single-factor security passwords. The group has issued an open challenge for a major consumer website to offer a passwordless alternative login procedure once their petition has reached 100,000 signatures. While few would argue against passwords being insecure and vulnerable to fraud, many would rebuttal that there aren’t any practical alternatives to passwords that they could implement today which consumers could use easily or aren’t expensive to implement.
The Fast Identity Online (FIDO) Alliance has been working on a standards-based technology to hopefully one day replace passwords, and Google is a member with tremendous internet presence and clout. The FIDO system enables websites to authenticate users through their device and they expect to have the specifications for building this technology into web servers and devices ready by 2014. But in the meantime organizations will need to continue to perform additional authentication around a password-based login system.
This includes not only additional checks at the point of login, but performing authentication on the consumer data when they are transacting online. At the point of login this can include IP geolocation, device identification, behavioral monitoring analysis and various forms of step-up authentication, such as knowledge based assessments (KBAs). As long as consumers are entering a site with passwords, there should be additional checks performed at the point of login. But even when a consumer has already logged in, or if they are transacting as a guest or without the need to login, additional authentication should be performed on the data points provided to ensure the consumer is providing real data that goes together and is associated with their e-identity. This can include reverse lookups on a name, phone number and/or address, 3-D Secure card association consumer authentication programs, and other checks.
There are multiple stages in the consumer interaction and transaction life cycle where various forms of authentication should be implemented. It is important to authenticate a consumer is who they claim to be not only when logging in or accessing a website, but also when transacting to be sure they are the person who’s payment information they are providing.
For More Information: