In October, 2023, the FIDO Alliance published their latest Online Authentication Barometer Report, outlining the latest consumer habits and trends when it comes to adopting authentication technologies. This survey of 10,000 users across 10 countries provides a wealth of information on how user perceptions about passwords and passwordless are evolving.
In this blog, we will delve into the details of this report and provide our takes along the way. For simplicity, we will focus on responses from US-based users.
Passwords are common and cumbersome
Passwords remain the de facto way in which users log in online. Almost 29% of respondents used passwords without 2FA to access a range of apps from banking and social media to streaming and work accounts. Worryingly, this number was 36% for work computers or accounts, highlighting the need for organizations to tighten authentication processes and adopt MFA for better security.
But just because passwords are common doesn’t mean users like them. Respondents manually entered passwords almost 1639 times per year (between 4 to 5 times per day), putting a number to the friction users feel when passwords are the only option.
This friction is beginning to have business consequences as well. Around 47% of respondents admitted to abandoning an online purchase in the last month because they forgot their password. This number is even greater for abandoning the app altogether – almost 60% of respondents said they had given up accessing an online service in the last month because they couldn’t remember their password.
It might feel comforting for app builders to choose password-based authentication because users are familiar with them, but as the numbers above show, familiarity is starting to breed contempt.
Encouraging biometrics metrics
Biometric authentication can be a divisive topic. Proponents will point to their ease of use and elevated security compared to passwords and other traditional authentication methods. Skeptics will point to lack of user awareness and privacy concerns (many of which are unfounded). The Online Authentication Barometer Report offers some insight to break the tie.
23% of respondents chose biometrics (fingerprints, face scans, etc.) as their most preferred authentication method, the highest number among available options. Around 22% also chose biometrics as the most secure authentication method, which was also the highest percentage.
FIDO-based biometrics based on standards such as WebAuthn and passkeys aim to achieve a balance between security and user experience by letting users log in to online apps the same way they unlock their devices. Privacy concerns are also taken care of – since FIDO2 is based on public-key cryptography, users’ biometric data is never shared with any party and is only stored locally on their device.
Organizations that think passkeys are not well-entrenched in users’ minds may have a point, but awareness of passkeys and a willingness to adopt passkeys is increasing by the day. Around 63% of respondents stated that they were very or somewhat familiar with passkeys as an authentication method to access online accounts. This, coupled with the fact that 66% of smartphone owners are projected to use biometric authentication by 2024, highlights that people are willing to move past the pain of passwords.
Credentials in crosshairs
We’ve covered the user friction that passwords cause, but they also remain one of the biggest security weak links for any organization. People using common passwords, reusing passwords across sites, and the fact that passwords are a shared secret all contribute to attackers’ continued focus on credentials.
With the rise of AI-assisted cyberattacks, users have witnessed an increase in both the number and sophistication of online scams seeking credentials. 58% of respondents cited an increase in the number of suspicious messages and online scams in the past few months, while 54% felt that recent scams were more sophisticated.
FIDO-based biometric authentication is unphishable because there’s nothing for attackers to steal. Even if they set up fake credential phishing sites, passkeys only work on the site or app where the public key resides. Whether as the primary authentication method or as part of phishing-resistant MFA, biometrics are a good bet against falling prey to online attacks.
Conclusion
The journey to passwordless will not be instantaneous, but it’s moving along quickly due to strong ecosystem support, increasing user awareness, and dissatisfaction with the password status quo. We look forward to reading next year’s Online Authentication Barometer Report as a further marker of progress.
We hope you enjoyed reading this piece! For more updates from the world of authentication and identity, subscribe to our blog.
