Passwords are broken. The fact is that most people choose weak passwords or use the same password for multiple applications (“123456” overtook “password” as the most common password in 2013). Even hackers pick terrible passwords. About 2,000 passwords belonging to hackers were leaked last year, revealing that “hackers use weak passwords just like the rest of us.” Some findings:
- Just 2% of hackers’ passwords used a mixture of lower case, upper case and numbers. 
- 30% of the passwords used numbers, with “1” as the most commonly used numeral. 
- A mere 6% bothered to include special characters. Hýža found that the following special characters were not used at all: , = ~ | [ ] 
Password managers are not as secure as people think. Researchers looked at the security of five popular password managers – LastPass (breached just a couple of months ago), RoboForm, My1login, PasswordBox and NeedMyPassword. These managers run in web browsers and tend to have critical flaws. In 4 out of 5 managers, researchers reported that attackers have a high probability of stealing credentials from a user’s account. In this day and age, it seems there’s really no excuse for this. There is a wide range of password alternatives available, from wearables to other biometric tools.
Bottom line? We need a better system. A 2015 data breach investigation conducted by Trustwave showed 28% of all data breaches happened as the result of weak passwords. Two things are certain – there is no technology that’s completely failsafe, and as long as there is data to steal, criminals will find a way to do it for profit. Multi-layered authentication adds a “degree of security” which is beneficial for merchants, making it significantly more difficult for fraudsters to penetrate multiple layers of security than it is for them to hack a password. As long as there’s money to be made, there will be criminals ready to steal it.
Background on Passwords as an Authentication Tool
The industry is currently at a crossroads with the progression of password authentication. Two-factor authentication (2FA) and multi-factor authentication (MFA) are being heavily promoted because they can significantly reduce the need for a password and because they have two or more levels of security that validate the identity of the user. Password or not, all single-factor authentication systems are flawed and pose serious security problems. Experts are predicting the incorporation of biometrics into future authentication methods due to the success of initial uses like Touch ID in the Apple iPhone and the rise of wearables.
Why Passwords Alone don’t Pass Muster Anymore
There are two reasons for this: 1) even strong passwords are at risk of being hacked, and 2) more than 50% of consumers use the same credentials across all their online accounts, putting all their online relationships at risk if a breach happens within just one account. Hackers can use sophisticated algorithms to guess passwords by running through millions of combinations in a relatively short period of time until they find the right one. To combat this, alternatives like password-on-demand have been introduced. With this method, a password is texted to a user’s mobile phone on an as-needed basis, eliminating the need to memorize a password to sign into an account. Passwords leave a lot to chance. They’re only as good as the strength with which they’re created, and frankly, people are not great at choosing passwords. “Password1” and “12345” are routinely at the top of most-popular-password lists, and many people use the same password across networks and sites. Despite the technological controls that can be put in place, the user and their choice of a weak password is the weakest link. Heartbleed demonstrated the devastating repercussions of weak passwords, but it didn’t stop there. Popular sites like Evernote, LivingSocial and Drupal also had passwords stolen, even with encryption.
Given the numerous vulnerabilities of passwords, it seems logical to eliminate them altogether. Passwords-on-demand are a step in that direction, a step that is shifting the industry toward 2FA as a solution for security concerns.
The Move to Multi-Factor Authentication
Multi-factor authentication uses two or more components to verify a user’s identity. An everyday example of this is an ATM, which requires both a user’s bank card and a PIN to withdraw money. There are a variety of MFA methods, and they all depend on the user verifying at least two of the following three things:
Something you have – this is a physical object possessed by the user (a bank card, a USB fob with a token, etc.)
This is where smartphones and NFC technology have stepped up. Many online services have used text messages to send codes to a user’s phone. Google Authenticator goes one step further by generating a code that opens in the LaunchKey app automatically (in case you don’t have a cell signal at the moment), enabling users to simply swipe the phone to demonstrate they have the code.
Something you are – this is a physical characteristic the user has (iris structure, fingerprint, voice, etc.)
This element is where biometrics plays a key role. Digital fingerprints have already become mainstream with technology like the iPhone’s Touch ID, but other technologies that use physical characteristics to confirm a person’s identity are also on the rise. Facial recognition technology is being tested on devices with cameras (laptops, tablets, smartphones) to confirm facial structure and patterns. Even a user’s heartbeat can be utilized, since each rhythm is unique. Some startups offer bracelets that will track a user’s pulse and use it to authenticate and log them into accounts automatically.
Something you know – this is a secret the user knows (password, PIN, user name, etc.)
This element is where the password still has some power. Smartphones can be lost and tokens can be hacked. Even some biometric readers have been tricked or worked around by fraudsters. Remember, no one-factor authentication is completely failsafe. Something a user knows, like a password, can strengthen security when used in conjunction with other factors.
Different Components of Two-Factor Authentication
There are a number of alternatives to passwords that, when combined, significantly increase security and keep accounts and payments protected. Some of the most popular security features are outlined in the table below:
| TOUCHPOINT | SECURITY FEATURE | WHAT IT DOES |
|---|---|---|
| ACCOUNT CREATION – this touch point is where the user registers or sets up an account. This is the first opportunity a merchant has to validate that the person attempting to register is who they say they are. This prevents unauthorized users from attempting to log in to a person’s account in the future. | TEXT TO PHONE | This method allows a merchant to associate a device with a registered user and his/her account. |
| | IP ADDRESS | Merchants can log the IP address of the machine or device used to create an account and use that IP address to validate a person’s identity in the future, since IP addresses are unique to each device. |
| | CAPTCHA | Captchas prevent automatic logins from bots or computers; however, this security method has a 3% conversion rate loss. |
| LOGIN – once a user creates an account, the next touch point is when they actually log in to the account. | USB FOBS | USB fobs with an LCD screen generate one-time-use passwords. The user presses a button on the fob and a numeric code is generated and displayed for 30 seconds, which the user must enter into the application or site they are trying to access. |
| | SECURITY QUESTIONS | This is not a desirable form of authentication, as security questions can be easily hacked. The level of security is equal to that of a static password. |
| PURCHASE – the final touch point is when the user actually attempts a purchase through their account. | AVS | This authentication method verifies an account holder’s billing address with the credit card issuer. AVS compares the address information that the cardholder provides with the information on file with the issuer and sends a result code to the merchant indicating whether the address is a match or not. |
| | CVV2 | This security feature is a popular tool for CNP authentication, as it requires the user to enter the 3-digit CVV2 code found on the back of a credit card, verifying that the person attempting to make a purchase has the physical card in their possession. |
| | Risk-based 3D Secure | This feature assigns a risk profile to each transaction (low, medium or high) to determine whether or not to trigger the 3D Secure protocol. This eliminates unnecessary friction while protecting higher-risk transactions by asking the consumer to enter their 3D Secure information to authenticate. |
| DEVICE-SPECIFIC – these tools and methods are meant to validate a cardholder through the device they’re using. | DEVICE FINGERPRINTING | This method tracks characteristics (software versions, screen size, available fonts) associated with a specific device to create a unique profile of that device. |
| | Checking for jailbroken mobile devices | This allows merchants to detect jailbroken devices, which can pose a threat since the security checks in the smartphone operating system may have been removed through malware or other nefarious means. |
| | Suspicious behavior and anomaly detection | This proactive measure is more secure than just requiring a signature. By using predictive analytics and advanced detection technologies, merchants can find behavior anomalies that may point to compromised machines. |
| | Identifying potential fraudsters using identity-masking tools | There are several sites that help browsers mask identifying characteristics, and there are also tools available to discover fraudsters who are using this technology. |
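The fob row above describes a numeric code that changes every 30 seconds. The standard way such codes are produced and checked is the time-based one-time password algorithm (TOTP, RFC 6238, built on HOTP, RFC 4226). The code below is an added illustration, not Verifi's or any vendor's implementation; it assumes a shared secret provisioned into the fob at enrollment, and the server-side `verify_totp` helper (a name chosen here) tolerates one step of clock drift while refusing to accept a step that has already been used, so a code observed by a fraudster cannot be replayed within its 30-second lifetime.

```python
import hmac
import hashlib
import struct
import time

STEP_SECONDS = 30  # lifetime of one code, as in the fob description above
DIGITS = 6         # numeric code length shown on the LCD

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    then 'dynamic truncation' to a fixed-length decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of 30-second
    steps elapsed since the Unix epoch. This is what the fob computes."""
    return hotp(secret, unix_time // step)

def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used_step: int, window: int = 1):
    """Server-side check. Accepts the current step and +/- `window` steps
    to absorb clock drift, but never a step <= last_used_step, which blocks
    replay of a code that was already accepted. Returns (ok, new_last_step)."""
    current = unix_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        step = current + delta
        if step <= last_used_step:
            continue
        # constant-time comparison so timing does not leak how many digits matched
        if hmac.compare_digest(hotp(secret, step), submitted):
            return True, step
    return False, last_used_step

if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test-vector key); real fobs get a random one.
    secret = b"12345678901234567890"
    now = int(time.time())
    code = totp(secret, now)
    ok, last = verify_totp(secret, code, now, last_used_step=-1)
    replay, _ = verify_totp(secret, code, now, last_used_step=last)
    print(f"code={code} first_use_accepted={ok} replay_accepted={replay}")
```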
The Give and Take of Two-Factor Authentication (2FA) & Multi-Factor Authentication (MFA)
Authentication is the process of granting access to something of value. If it is done haphazardly, it can negate all other security measures in place. Single-factor security systems like passwords are low-hanging fruit for fraudsters. Multi-layered systems move that fruit upwards, making it more difficult for fraudsters to reach.
Despite this, the name of 2FA alone can be enough to put some merchants off from using this option to increase security. To some, it implies that it will complicate the process for the end user to gain access, login or make a payment. But placing end user experience ahead of increased security is a mistake. The best option is to find balance between the two. Any gain from exceptional user experience is sure to be lost if a customer’s information ends up getting hacked. Thankfully, emerging technology has helped to create the necessary balance that facilitates streamlined end user experience in addition to sufficient security measures.
Near Field Communication
Near Field Communication (NFC) utilizes RFID technology to let smartphones and other devices wirelessly transfer data through radio communication in close proximity. Unlike other wireless data technologies, NFC doesn’t require devices to be paired before use. Where NFC shines is in its user experience: mobile apps can use NFC to securely transfer data and automate password, user ID and second-factor passcode login for a seamless experience.
NFC can be invoked at any touch point to verify a user, from initial login through transaction completion. This eliminates the need for a password and isn’t confined to mobile phones either. Many wearables utilize the technology, allowing users to make payments with a simple tap of their smartwatch.
Wearables have served as a launching point for biometrics, technology that is gaining momentum as an authentication method. Gartner forecasts that 30% of organizations will use biometric authentication on mobile devices by 2016. The possibilities are endless and many organizations have already begun to incorporate voice recognition, iris structure recognition and face topography into authentication systems. When used alongside passwords, security is greatly increased without adding significant friction to the user experience. 
Moreover, as a mobile device itself provides a rich node of identity-relevant contextual data, this information can also be used to increase the trust in the claimed identity. It is possible that the combination of passive biometric authentication and contextual authentication will provide sufficient assurance in medium-risk scenarios without the need for “gateway” authentication events using passwords or tokens. 
These emerging technologies and multi-factor authentication are setting the stage for the upcoming revolution in payments. This revolution is largely driven by the Internet of Things (IoT), and consumers’ increasing ability to pay through any object at any time means merchants need a flexible payments platform with layered fraud prevention. Passwords are inherently weak. Their vulnerabilities are easily exploited by fraudsters, but when used in conjunction with another form of authentication, they can boost security and enable merchants to focus their efforts on turning a profit.
The IoT alone will present an $11.1 trillion market opportunity for merchants who can protect and harness data and consumer preferences through an agile gateway. Merchants need to find a cost-effective, frictionless way to diversify risks and increase the resilience of the system. By remaining fluid and having the ability to layer both existing and emerging pre and post-sale fraud prevention tools together, merchants should consider how their gateway’s capabilities can help retain their legitimate, loyal customers and revenue, even as the payments landscape evolves.
Verifi, an award-winning provider of end-to-end payment protection and management solutions, was founded in 2005 to help our clients effectively manage the payments challenges they face every day. Verifi helps merchants safely process payments, combat fraud, prevent and resolve costly chargebacks, as well as increase billings and keep loyal customers. Our best-in-breed solutions and white glove support are trusted by a wide range of industries, from emerging companies to the Fortune 500. Headquartered in Los Angeles, California, we process more than $20 billion in transactions annually and currently serve more than 12,000 accounts internationally.