Despite what experts have been predicting for years, the password continues to soldier on. This happens much to the chagrin of many users who have been forced to remember dozens of different combinations of letters/numbers/characters for every web app they interact with on a daily basis. Despite warnings from security experts not to reuse passwords or even to physically keep them all in one place, consumer security hygiene is notoriously bad.
TeleSign has long believed that a phone number is one of the most important identifying features of a person. As the pioneers of phone-based verification, we have long believed in 2FA, but now the question presents itself: could the smart phone completely replace the password?
The phone number is a global trust anchor. TeleSign's digital identity solutions are primarily based on insights that can be gained by looking at a user's cell phone history. Similarly, the one thing most people have on them at all times is their smart phone. It contains our passwords, our credit card, our personal information; most of us have taken steps to make sure our phones are secure, even if we happen to misplace them. The smart phone is paramount to the 2FA process, to confirm a log-in, or even set a password reset sequence. Often a one-time passcode is sent to a user's device so they can confirm identity.
The password as a standalone identifier is dead. As protocols like PSD2 and, more importantly, Strong Customer Authentication mandate multi-factor authentication (2FA) by law, it's time to start viewing mobile identity differently. TeleSign uses the smart phone to bolster password security in two different ways: 2FA and risk-based digital identity.
Multi-factor authentication has now been adopted by nearly every major web property. It isn't always mandatory, but users looking to keep themselves safe would be smart to turn it on. What TeleSign allows companies to do is send a one-time passcode via SMS after login to ensure the user is who they say they are. This process is also compliant with the European Union's Payment Services Directive (PSD2), more specifically the Strong Customer Authentication (SCA) measure. SCA states that for every Card Not Present (CNP) transaction that originates or terminates in Europe, a consumer must prove identity in two of three ways: something they know, something they have, or something they are.
TeleSign uses OTPs for 2FA, giving the user something they know (password) and something they have (smart phone or, more specifically, the OTP sent to a smart phone). Once again, the password itself is insufficient, and any web property subject to the EU's guidelines relying purely on passwords would be in violation of an international mandate.
As mobile identity becomes more mainstream, it's not a stretch to say that it could be safer and more effective than a knowledge-based test such as a password. TeleSign uses digital identity as a risk-based predictive model to prove that users are who they say they are based on dozens of pieces of metadata. What that means now is that TeleSign can make a prediction on whether a user is who they say they are based on a phone number.
With our products such as Score and PhoneID, we use our global consortium of telco data along with data science and machine learning to help companies gain insights on their users. In the previous example, I mentioned 2FA as compulsory for most CNP transactions in Europe starting later this year; however, there is a way to sidestep that in some cases: mobile identity. Using mobile identity is a great way to prevent friction and churn (consumers abandoning a transaction midway through).
If platforms implement certain identity thresholds, a 2FA sequence could be bypassed because the European Union (and the platform) are satisfied the transaction is legitimate without a further test. There is still an extra layer of security; it just uses mobile identity instead of 2FA.
The password is going extinct (at least as a standalone precaution). In almost all transactions moving forward, either 2FA or mobile identity will be needed to bolster it. It's not out of the realm of possibility that a combination of mobile identity and 2FA will replace passwords altogether in the near future, but for now it's best that all platforms and consumers prepare for a post-password digital world.
TeleSign has been connecting and protecting online experiences for over 15 years. We support 21 of the 25 largest web properties in the world and we're prepared to help you. Contact TeleSign now and learn more about how to keep your platform safe.