The most taxing step on the average eCommerce consumer is trying to remember yet another password at checkout. A Bayamard study found that over 1 in 5 returning users abandon the checkout process if they couldn’t remember a password.
The scenario is all too familiar: You’re shopping online, something catches your attention, you decide to checkout. You know (or think) you have a profile with this brand, so you set out to login. Then, the fated password error messaging: “Password Incorrect. Password must include 8 special characters 4 capital letters & 2 numbers”. Okay, I'm facetious, but you know the deal. A Rolodex of recycled passwords plays in your head, you try once more, maybe twice - get frustrated, think “I'll deal with this later” never to return to purchase the red cowboy boots that once consumed your every waking moment.
Enter: the passwordless profile.
The growing market of passwordless profiles is no surprise to Google, Apple and Microsoft users, with the tech industry pushing to minimise data breaches for some time, thanks to that ever-present threat. A Verizon’s 2019 investigation report revealed that more than 80% of data breaches were related to stolen or weak passwords. We’ve also seen tech giants moving towards open standards, such as FIDO (Fast Identity Online) that allow security & development teams to deploy passwordless authentication. For Australian retailers, the new consequences for 'reportable data breaches' are dangerous.
What is Passwordless authentication?
Passwordless authentication presents users with one or more methods of signing into a profile, application or device without the need to enter a password that the customers are responsible for generating and remembering. We're not talking about Guest Checkouts either - that's a whole different story for another time (spoiler: we've got some strong opinions).
Common types of passwordless authentication include:
Includes verifying a user with a single session link (also known as a 'magic link' due to how magically it allows you to log in) or one-time code. With a single session link, the user first enters their email, and a unique time-limited token is created for the user and sent to them securely to a previously confirmed in email address. When the user clicks the link, the Omneo service identifies the token and exchanges it for a live token which logs the user in. With a one time code, the user receives a short unique code which is then entered into the login interface, verifying and logging in the user.
SMS authentication begins with the customer entering their previously registered mobile number; a one-time code is delivered on that number. The customer then inputs that code into the profile screen triggering Omneos verification of the profile.
A form of passwordless authentication centred around technology such as fingerprint or face scans, or continuous skin/heartbeat contact - Commonly used on smartphones and smartwatches.
Leverages a dedicated third-party app such as Google Authenticator or LastPass to generate login codes to confirm identity, often used by sites such as Facebook or Twitter to add new devices to a user profile.
If brands have a native mobile app, when a user has finalised the initial single or multi-factor authentication process, they can then trust that app on a particular device, requiring no ongoing authentication with each use when that device is unlocked, as the authentication is happening to the device itself. Your app can detect whether a passcode or some other biometric security is in place and only ask for continuous authentication with each use if it is not active.
Multifactor uses more than one authentication factor to log in a user. Such as security questions, PIN codes or any other methods mentioned above.
Why go passwordless?
Improved User Experience
No more user memorised secrets and a streamlined authentication process reducing steps to login in a known user.
User-controlled passwords pose vulnerability. Responsible for 81% of breaches, using Credential Stuffing and Brute-force attacks, among others.
The email and password pairs you currently store for thousands of customers are probably your most significant security liability and much more severe if stolen than personally identifiable information, such as name and email, alone.
Increase Customer Trust
With the cognisance of information misuse rising, it's crucial to assert security to customers creating a profile with your brand. The emergence of sites like haveibeenpwned.com the allows consumers to check the use of their email address online mean authority signals increase a sense of trust.
Reduce the cost of database maintenance and support time spent on password resets. According to Forrester, the cost of a single password reset averages $70 while Gartner estimates that 20% to 50% of all help desk calls are for password resets.
Better in-store experience
Removing the barrier of a password means that profiles are created, edited and accessed while customers are physically in-store. Meaning that there is no need to finalise the profile creation process after the in-store shopping experience.
Don’t get left behind
Ant Allan, Vice President-Analyst at Gartner has predicted that “By 2022, Gartner predicts that 60% of large and global enterprises, and 90% of midsize enterprises, will implement passwordless methods in more than 50% of use cases — up from 5% in 2018.”
When to ask for authentication
Many experiences can be delivered to known customers who don't require a new authentication to have taken place. In most cases, a customer returning to your site after a previously authenticated session or via a personalised direct email communication is enough to display recommended products and content and to store visit information and capture new, non-identifiable information or preferences.
You should, however, confirm you’re serving the right customer when you:
- Allow them to view, update or add personally identifiable or sensitive information as defined by the Australian privacy principles (APP)
- Take an action that would take payment from a previously saved payment preference
- Publish content to another person or a broader audience in the name of the customer
- Review detailed purchase history or other activity that places the customer has known locations at known times
How to adopt a passwordless approach
Invest in technology - Choosing the right technology partner is key. Criteria such as accuracy, security and usability need to be taken into account (this is where Omneos Profile Portal comes in)
Understand the user journey - Understanding how passwordless technologies reduce friction in the user experience is one piece of the puzzle. It also critical to understand when it's required throughout customers journey with the brand - this differs depending on the offering.
Devise an adoption strategy - Once you’ve decided on a trusted technology partner and gotten in-depth information about how users might use the passwordless approach in your environment, the next step is to understand how to help customers understand, adopt and utilise the feature.
The Era Of Password-Less Authentication
Embrace a Passwordless Approach to Improve Security
A Research Study on ‘Cart & Checkout UX’
What is two-factor authentication?