Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Thumbs Up: Smartphone Apps versus Websites
Sitting in front of my computer, I recently picked up my smartphone and unlocked my banking app with my thumbprint to see if a check I had written had cleared my account. Before going any further, let me acknowledge that, yes, this payment professional still writes checks every now and again! I learned the check had cleared, logged off the app, and resumed my day in front of my computer. This got me thinking about a change in my behavior that has occurred over time. Even when I am right in front of my computer, I find myself using my smartphone apps almost exclusively instead of visiting the full-function websites from my laptop or desk computer. Why?
The answer is simple: ease of access. I can get to my information through apps on my smartphone using just my thumbprint, but accessing that same information from my computer through a website requires me to remember and type in my username and password. In fact, every app on my smartphone that requires a log-in allows me to authenticate using my thumbprint. Truthfully, I’m not so good at remembering my passwords, even using the method I teach others: create passwords that are difficult to guess yet supposedly easy to remember. Perhaps this is why password managers remain so popular. I continue to hold out on using a password manager in the hope that biometric authentication will become more common on websites and remembering passwords will be a thing of the past (except when biometric authentication fails). If smartphone apps authenticate me with my fingerprint or face, then why don’t websites do that when my laptop has a fingerprint reader and camera just as smartphones do?
While the same biometric hardware is available on my computer, the main barrier is that websites struggle to support and accept biometric validation because it is implemented differently across web browsers and operating systems. Several organizations and standards bodies are addressing this issue. The FIDO (Fast Identity Online) Alliance was formed in 2013 to produce stronger authentication standards and reduce reliance on passwords. The FIDO2 Project, a joint effort between FIDO and the World Wide Web Consortium (W3C), released specifications in 2019 for W3C’s Web Authentication (WebAuthn) standard, which lets a website use FIDO authentication through a standard API implemented in the browser. Instead of a shared password, the website holds a public key and the user’s device holds the matching private key, which signs the website’s login challenge only after the biometric (or PIN) check passes locally on the device. Unfortunately, uptake has been slow, primarily because of the inconsistent user experience from website to website.
I should note that biometric authentication for apps on phones has not necessarily eliminated passwords, though it certainly feels like it, at least until the biometric authentication fails. Rather, biometrics serve as an alternative way of unlocking the app’s stored username and password combination. The fingerprint or face is stored as a template in a highly secure, isolated location on the phone, and the matching is done there rather than by the app. When an app requests my thumbprint and the reading matches the stored template, the phone releases the stored credential for that app, much as a password manager would, and I am authenticated.
Is the end drawing any closer for manually entering online passwords, and are you looking forward to that day? Taking it further, will the day ever come when passwords are eliminated? Personally, I hope so and am very much looking forward to that day. If it doesn’t happen, then, based on my own habits, the days of visiting my financial institution’s website and others’ sites might be altogether forgotten.