Procurement 7 August 2018

Are passwords set to become extinct? 3 reality checks for online retailers

passwords extinct
Providers such as Google or Facebook no longer enjoy the unconditional trust of users
Although passwords remain a central part of online shopping, technology is enabling new ways for users to access personal accounts. Urs Gubser, head ecommerce strategy at?SIX Payment Services, provides a reality check for ecommerce retailers.

Those who are said to be dead live longer and interestingly, this also applies to passwords. This established form of authentication has long been considered an anachronism to the constant evolution and modernisation of the Internet.

However, passwords still play a very large part in our online world and are the gateway to a whole host of activities including emails, social networks and last but not least, online shopping. Even those who only use the internet occasionally for online shopping quickly accumulate a wealth of online accounts.

Although there are ways of logging in via third-party providers such as Google or Facebook, they no longer enjoy the unconditional trust of users following a number of highly publicised data scandals.

With the new FIDO2 open authentication standard, it is now possible, in principle, to use hardware tokens or biometric features for authentication directly via a browser. But what is behind the process and what potential does the technology have?

Check 1: What exactly is FIDO2 and what concrete possibilities does it present?

The abbreviation actually hides two standards. One, WebAuthn, was developed by the FIDO Alliance (Fast Identity Online) in collaboration with the W3C (World Wide Web Consortium) organisation. It enables the integration of FIDO-based authentication methods directly into different browsers using a standardized API.

Mozilla’s Firefox already supports WebAuthn from version 60 and Microsoft and Google plan to follow suit. The other part of FIDO2 is the Client to Authenticator Protocol (CTAP). This allows various external devices to transmit credentials to computers via Bluetooth, NFC or USB.

The new standard offers several ways to replace passwords. A USB stick as a hardware token is a form of digital key. When a user inserts the stick into their PC, they automatically authenticate, just as easy as unlocking a door. In addition, the technical capacities of smartphones can also be exploited as many of today’s devices already have fingerprint recognition capability which could also use this unique feature for authentication.

Check 2: What about safety?

You do not have to be an accomplished computer hacker to crack a password; many people still use very easy-to-guess character combinations like names and birthdays. In addition, criminals have access to a variety of software tools to help them find out passwords. These risks and potential breaches in security simply do not exist with a hardware token however, it can be lost or stolen, just like a physical key.

Is the fingerprint the ID of choice? After all, it is unique with just one per person. That is of course unless someone makes a copy and manages to fool the sensor – which is exactly what the Chaos Computer Club did back in 2013.

Since then, detection technology has evolved but so have the methods to outsmart it. With the help of machine learning and artificial intelligence, American security experts last year managed to create a form of the master imprint that unlocked almost two out of three of the smartphones that were tested.



Predictable password still world’s most common

New research has done little to suggest people around the world are becoming more cyber aware, with predictable password 123456 still the most common.


A potential attacker using this approach does not even need the original print of the owner. Therefore, in the case of biometric authentication, the question that always comes up is whether it is possible for criminals to obtain copies of the features. Of course, unlike a password, you cannot easily reset your fingerprint.


Tax & admin