Remembering dozens of passwords is a nigh-on impossible task for most people, meaning they either forget them – and then have to endure lengthy re-registering processes – or write them down, thus increasing the risk of being hacked. A number of solutions to this 'password chaos' are becoming available, as Jane Cooper discovers.

A senior executive in the payments industry is discussing how biometrics are increasingly being used to authenticate transactions instead of remembering passwords. “Look! This is what I do with my passwords,” he says, as he opens his notebook. On the back page he has written down his passwords alongside their corresponding usernames for his various accounts.

As someone who works for an organisation that authorises payments and is in the fraud prevention business, he should know better. What happens if someone steals his notebook? And since he keeps the notebook on his desk next to his computer, a thief would not even have to work that hard to access his accounts.

The executive describes the situation as “password chaos”. Gone are the days when a handwritten signature would suffice; now everyone is expected to remember usernames, passwords, passcodes and personal identification numbers (PINs), all of which should be unique to each account. The simpler the password, the easier it is to crack; the more complicated the password, the more likely it will be written down.

Settling the chaos

One way of overcoming 'password chaos' is by using a more secure, digital version of the notebook: the password manager app. A variety of solutions are available and passwords can be encrypted and stored in a digital vault that can be kept in the cloud or on a device and unlocked with a master password.

This removes the need to remember passwords, but customers who trust these solutions to store their credit card and online banking details can run into problems. Aside from the risk of the master password being stolen, there are other annoyances. When Canada’s TD, for example, disabled the paste function for the latest version of its iPhone app in March 2015, some customers complained that they were unable to paste their long passwords from a manager app. Committing a simpler password to memory, they argued, was less secure. Since then the bank updated its mobile banking app so that passwords can be pasted into the log-in fields.

These kind of problems have been spurring innovators to focus on solutions that simplify the password chaos and, in some cases, remove the need for passwords altogether. AnchorID is one such technology company that envisions a password-free world. “Passwords make me crazy. I bet they make you crazy too,” David Schropfer, the company's CEO, said during his presentation at the Finovate financial technology conference in September 2014 in New York. He gives the example of wanting to use an app, but then hitting the username and password field. “I know when I see this that I’ve just lost the next three or four minutes of my life,” he said.

AnchorID's way

AnchorID is a platform that removes passwords from the log-in process and provides a universal username, like a master key, that can be used across multiple sites. Instead of creating a unique username and password for each site, the individual uses a single username to log in (providing the site also supports the AnchorID solution). The password field becomes obsolete as the solution uses the mobile phone to authenticate the user. Once the user has entered their username, a message is sent to the phone to ask if they want to log in. Depending on the settings of the site – or the choices of the end user – the solution can ask the user to tap ‘OK’, enter a PIN, or provide verification with biometric methods, such as voice biometrics where the user speaks a set phrase into the phone, for example. As biometrics solutions evolve these can be added to the AnchorID solution, says Mr Schropfer.

Mr Schropfer explains that even if other people know the universal username (his AnchorID is <d1), it is still safe because the phone is needed to authenticate the user. And if someone steals the phone, they still need to get past the biometric authentication stage.

“With AnchorID, the thief actually has to steal a phone, steal the PIN, fake a biometric print, which is almost impossible, fake the correct geolocation requirements – longitude and latitude – and they have to do all of that before the user reports the phone stolen or transfers the phone to another account,” says Mr Schropfer.

If users have a single username that works across all sites – whether it is social media, e-commerce, or banking – can the master key be stolen? Does this centralise the risk so that fraudsters will be looking to hack that single username, much in the same way as they may try to steal the notebook or a password manager app’s master password?

Mr Schropfer does not think so. “The AnchorID platform is not a password repository. We use three different protocols that generate a 30- to 50-character one-time password, which only our system and the authorised host – our client – can understand. So, if our system was hacked, the only thing they would find are algorithms used to generate passwords, but without any context, such as which account, which host, etc, the information would be meaningless. And, even if the thief was able to generate a request through our platform, the user’s mobile phone would ask for permission,” says Mr Schropfer.

In algorithms we trust

A number of other technology companies are coming up with security solutions that simplify the process of remembering unique usernames and passwords. Ireland-based online security firm Sedicii seeks to eliminate the number of usernames and passwords that individuals use, a situation it describes as “password overload”. One danger of having to remember so many passwords is that people tend to use the same password across multiple sites, and if it is stolen it can then be used elsewhere.

Usually a password is sent by the customer across a connection to a website, where it is then stored on a server. The password can be stolen either by being intercepted en route to the website, or by an attack on the server itself. Sedicii’s TrustInside solution removes these risks by making sure that the customer’s password never leaves their browser and is not shared with the website. It does this with a zero-knowledge-proof algorithm, a cryptographic message that allows the website and the user’s browser to communicate, and establish that they share the same information, without the password having to be sent between them.

The TrustInside server generates challenges to the user’s browser to establish whether the browser knows the password. When the browser responds it does so without giving data that would reveal what the actual password is. Also, the challenges are randomised so that they cannot be recorded and then reused in a ‘replay attack’.

With this solution, the user’s personal information is not shared while it is being authenticated. This sharing of personal information is an important point for Trunomi, a company that has created a platform for customer’s personally identifiable information to be shared.

A race of technology

“Passwords are epic pain points,” says Stuart Lacey, CEO and founder of Trunomi. “Technology is an enabler that is removing the pain points at a pace not done before.”

Commenting on the number of biometrics and authentication technologies that are available, Mr Lacey says: “These are not the holy grail solutions… we are in a race of technology.” 
He adds that it is better for banks to think of a solution as a platform that they can plug into. “It is a commoditised space. If an authentication method works today it is not going to in two years’ time,” says Mr Lacey. He adds that any authentication solution that removes passwords could be out of date by the time a bank has implemented it. Rather than focus on the single solutions, he says, banks would be better positioned if they created an architecture through which to run multiple services. “The pace of innovation of mobile devices will outpace how the banks can keep up,” says Mr Lacey.

Authentication spaghetti

The platform approach is one that Encap Security has taken in eliminating the need for passwords. “Everyone agrees that the password is dead – the smart device is the future,” says Thomas Bostrøm Jørgensen, CEO of Encap. “With the smart device the main problem is that the market is awash with authentication technologies. The problem with many of these is that they just work for specific devices and are quite inappropriate for certain channels. We know that creates a big headache for CIOs,” he says, adding that the situation is one of “authentication spaghetti”.

Encap has created a platform that banks can link into. It uses the native security capabilities of smartphones and tablets in an architecture that allows banks and customers to select the authentication methods that are most appropriate for them. When a customer logs into a web app that is supported by the Encap solution, they can pair their devices with the app and the authentication methods will be different according to the device. If, for example, they add in the latest iPhone, they could authenticate themselves using the TouchID fingerprint reader. If they then want to add an older smartphone to their account, which does not have TouchID, they could use a PIN instead. The solution can be changed according to the needs and risk parameters of the bank and can support a range of authentication methods.

“We are strong advocates of biometrics, but used in conjunction with other authentication factors,” says Mr Bostrøm Jørgensen.

From digits to fingers

Biometrics are nothing new, but it is only recently that banks have started to introduce the technologies to their customers. Bipin Sahni, head of innovation and research and development at Wells Fargo, notes that in the past couple of years there has been a growing recognition that passwords are easy to hack. “Biometrics is something we feel very confident about,” says Mr Sahni. He adds that Wells Fargo has been working on mobile solutions for five to six years, but back then the biometrics technologies were not at a sufficiently sophisticated level. Mr Sahni says that credit must be given to Apple for introducing TouchID and drawing consumers’ attention to the use of fingerprint technology.

In the UK, for example, RBS and NatWest – two brands of the same banking group – announced in February 2015 that they would be using TouchID for authentication for their iPhone banking apps.

Mr Sahni says that Wells Fargo has been conducting an internal biometrics pilot for employees to log into the bank’s internal employee directory. The bank is also trialling eye vein technology. The bank invested in start-up EyeVerify in August 2014, a company that has created the EyePrint ID which transforms a picture of a user's eye – taken with the camera on a smart device – into a key that can be used instead of a password. EyeVerify is also an inaugural member of Wells Fargo’s accelerator programme.

The biometric data of customers is stored on the device so that Wells Fargo is not holding this information. This is the same principle that Barclays adopted when it announced its finger vein reader to its corporate banking customers in September 2014. The reader, which verifies users by their finger vein patterns, means that corporate banking clients can log into the bank’s online banking without needing to remember a series of passcodes. Instead of the PINsentry card reader and a bank card (which may have circulated around offices with the PIN attached on a PostIt note), the finger vein reader means that each user logging into a corporate account can be authenticated.

The finger vein reader scans the patterns and bloodflow of the finger, which Hitachi – the developer of the scanner – says is more secure than a fingerprint reader. Other biometric solutions are also emerging in the banking industry, with a number of trials under way. For example, Canadian company Bionym, which has created a bracelet that has an electrocardiogram sensor, announced in November 2014 that it was conducting trials with banks including Royal Bank of Canada for payments that would be authenticated by an individual’s heartbeat. In March 2015, the UK’s Halifax – a brand of the Lloyds Banking Group – said that it was trialling the technology as a replacement for passwords.

As banks and technology companies race to eliminate 'password chaos', another kind of chaos could be emerging through the sheer volume of authentication solutions that are becoming available. At least with these solutions, however, senior executives will not have to write reminders in the back of their notebooks.


All fields are mandatory

The Banker is a service from the Financial Times. The Financial Times Ltd takes your privacy seriously.

Choose how you want us to contact you.

Invites and Offers from The Banker

Receive exclusive personalised event invitations, carefully curated offers and promotions from The Banker

For more information about how we use your data, please refer to our privacy and cookie policies.

Terms and conditions

Request a demonstration to The Banker Database

Join our community

The Banker on Twitter