Despite widespread usage of passwords lingering on, consumers want to use stronger, more user-friendly alternatives. The third annual Online Authentication Barometer published by the FIDO Alliance, reports that entering a password manually without any form of additional authentication was the most commonly used authentication method across the use cases tracked. This includes accessing work computers and accounts (37%), streaming services (25%), social media (26%), and smart home devices (17%). Consumers enter a password manually nearly four times a day on average, or around 1,280 times a year.
Financial services: biometrics beat passwords as most used sign-in method
The only exceptional scenario to this trend was financial services. Biometrics (33%) narrowly beat passwords (31%) as the most used sign-in method.
The FIDO alliance concludes that this is especially interesting considering biometrics’ rising popularity as an authentication method. When asked what authentication method people consider most secure and the method they most prefer using, biometrics ranked as favourite in both categories, rising around 5% in popularity since last year. This suggests that consumers want to use biometrics more but don’t currently have the opportunity.
“This year’s Barometer data showed promising signs of shifting consumer attitudes. There is a desire to use stronger authentication methods, with biometrics especially proving popular. That said, high password usage without 2FA worryingly reflects how little consumers are still being offered alternatives like biometrics, resulting in lingering usage,” commented Andrew Shikiar, Executive Director and CMO of the FIDO Alliance.
Scams are getting more frequent and more sophisticated – likely fuelled by AI
This year’s Barometer also unearthed consumer perception of threats and scams online. 54% of people have noticed an increase in suspicious messages and scams online, while 52% believe these have become more sophisticated.
Threats are seen to be active across several channels, but primarily email, SMS messages, social media, and fake phone or voicemails. The increased accessibility of generative AI tools is a likely driver of this rise in scams and phishing threats. Tools like FraudGPT and WormGPT, which have been created and shared on the dark web explicitly for use in cybercrime, have made crafting compelling social engineering attacks far simpler, more sophisticated, and easier to do at scale. Deepfake voice and video are also being used to bolster social engineering attacks, tricking people into thinking they are talking to a known trusted person.
How well do you really know your competitors?
Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.
Thank you!
Your download email will arrive shortly
Not ready to buy yet? Download a free sample
We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form
By GlobalDataShikiar added: “Phishing is still by far the most used and effective cyberattack technique, which means passwords are vulnerable regardless of their complexity. With highly accessible generative AI tools now offering bad actors the means to make more convincing and scalable attacks, it’s imperative consumers and service providers listen to consumers and start to look at non-phishable and frictionless solutions like passkeys and on-device biometrics more readily available, rather than iterating on ultimately flawed legacy authentication like passwords and OTPs.”
Passkeys provide secure and convenient passwordless sign-ins to online services. They have grown in consumer awareness despite still being live just over a year, rising from 39% in 2022 to 52% awareness today. The non-phishable authentication method has been publicly backed by many big players in the industry. Google recently announced that passkeys are now available for all its users to move away from passwords and two-step verification. Apple, as with other brands like PayPal is also making these available to consumers in the last twelve months.
The impact of legacy sign-ins worsens for businesses and consumers
The negative impact caused by legacy user authentication was also revealed to be getting worse. 59% of people have given up accessing an online service. 43% have abandoned a purchase in the last 60 days, with the frequency of these instances rising year on year to nearly four times per month, per person, up by around 15% on last year. Poor online experiences are ultimately hitting businesses’ bottom lines and causing frustration among consumers.
70% of people have had to reset and recover passwords in the last two months because they’d forgotten them, further highlighting how inconvenient passwords are and their role as a primary barrier to a seamless online user experience.
Businesses are ready to ditch passwords: FIDO Alliance and LastPass
In a separate report, The FIDO Alliance and LastPass assess IT decision makers’ attitudes and plans for removing passwords in favour of easier and more secure passwordless authentication. The 2023 Workforce Authentication Report finds that 89% of surveyed IT leaders expect passwords to represent less than a quarter of their organisation’s logins within five years or less.
It reveals that businesses are ready to embrace a passwordless future. 92% have a plan to move to passwordless technology and 95% currently use a passwordless experience at their organisation.
Businesses believe passkeys will help make them more secure. 92% believe passkeys will benefit their overall security posture. 93% agree that passkeys will eventually help reduce the volume of unofficial (i.e., “Shadow IT”) applications. However, many recognise that work still needs to be done. A majority of businesses surveyed are still using phishable authentication methods. Examples include passwords (76%) and multi-factor authentication (MFA) (43%) when it comes to authenticating users within their organisation.
Transition away from passwords will take time and education
The majority recognise that this transition will take time and education. Some 55% of IT leaders surveyed feel they need more education on how passwordless technology works and/or how to deploy it. 28% cited concerns that users may be resistant to change or using a new technology.
When making this transition, businesses made it clear they want to choose where they store passkeys. 69% of IT leaders anticipate storing them in a third-party password manager.
“The move towards passwordless authentication has gained steam over the past few years. An increasing number of organisations have moved to eliminate the risk and liability of passwords as they are the source of the vast majority of data breaches,” said Shikiar.
“Today’s report backs up this trend by illustrating that global IT leaders are rapidly aiming to reduce their reliance on legacy forms of authentication in favour of passkeys for user-friendly, phishing-resistant sign-ins.”