Defining The Passwordless Generation

What is the definition of cross-generational technology?

This is a question most tech companies try to answer. Unfortunately, few succeed . Or worse, some fail to even ask the question.

If you work or worked in technology, you should be familiar with the unspoken assumption that the older population of users are not the “target” user. We have seen older people trying to use smartphones, mobile apps, software, computers, and other tech gadgets. What do we all have in common when it comes to our collective bias? It is our assumption that older people simply are not the tech generation and there is little use in trying to reeducate them on how to properly use new gadgets and tech.

On the other end of this bias spectrum is our assumption about young people. Yes, these include the popular millennials, most of whom were born into the internet era. It also, of course, includes the Gen Z population who are all born into the Internet Era, as well as into our Smart Connected World Era. We consider this population to be tech advanced. About them, we quickly assume, “Oh, they’ll get it, they’re young and all have smartphones.”

I’ll let you in on a little secret: what I just described has a name, and that name is Ageism. Ageism is a sort of Generational Bias. Most research on Generational Bias found online covers age biases in the workplace, but this kind of bias is also expressed in products such as computers, gadgets, web and mobile apps, and so on. 

Though the list of products where Ageism exists can be quite long, here I’d like to focus on a single part of almost every digital product nowadays: Digital Identity.

It is well-known that I work at a cybersecurity company that specializes in passwordless authentication solutions for both employee and consumer use cases.

This gives me an incredible platform to conduct studies and research on this subject, and allows me to have a peek into the intimate relationships we have with this technology. Humans are the only creatures that increasingly tie our lives to digital ecosystems. We’ve done this every year for the past almost 40 years and we’ll continue to do so for generations.

Let’s begin this conversation on Ageism in tech from the point of view of older persons, meaning people above the age of 60. As stated, most people in tech assume that older people are tech novices who rely on their younger relatives to assist them with anything technology related. These are tasks such as signing up for a web service, setting up their online health provider account, banking online, and the like. 

I’ve had a theory on this subject for a while now: a reason why older people are assumed to be tech novices compared to younger generations is because we don’t bother to design with them in mind. We also don’t allow older people adequate time to adopt new technology.

When we get a new gadget, what do we do? We play with it and try to figure it out. Keep in mind, we all require different amounts of time for this. Some might take 10 minutes, some might take hours or days, but no one comes to help us when they see us struggling with it, right? You might ask, why? When our peers look at us — and when I say us, I’m talking about my age group (35-45) and those younger —  they assume we will figure it out. Again, why? Because we are still within a “young” bracket.

Many of you are thinking,“But Yan, my grandparents can’t operate an iPhone, or manage their passwords…” I totally understand where you’re coming from. I found explaining to my parents how to sign up for a grocery delivery website agonizing. But, I showed them once what to do and then let them fail. Yes, you read that right. I let them fail numerous times. I stood by for moral support —not tech support.

Guess what? They now use the grocery service without seeking my help or that of others. They have tablets, computers, iPhones, smart TV’s and so forth. They use it all quite well.

A few months back our CTO asked me if we had data on how passwordless technology impacts user behavior across different age demographics. Specifically, he wanted to learn how an older generation might perceive passwordless authentication methods. The answer was no — we did not have such data — but the conversation did not end there. We brainstormed on the subject and after an hour of trading assumptions, I said let’s do some research.

And so, we conducted and published a quantitative study to learn about Login Method Preferences of Older Adults.

I, too, had assumed that most older people are tech novices, especially when it comes to digital identities: creating accounts, managing passwords, etc. I assumed that older people would be bewildered by what we are building at HYPR and what passwordless technology even is.

I could not have been more wrong. To my surprise, without any information about our solution or how it functions, the results were eye-opening.

100 participants registered for the study. We filtered them by age group, and ultimately 85 qualified. The first data point to gather was how they access their digital accounts. To aid this we focused on healthcare and finances since these are two important aspects of life just prior to, and during, retirement.

As seen in the above graphic, we learned that most respondents accessed their healthcare and financial accounts through websites and mobile applications, which shows that they embrace both digital platforms and use smartphones. My prior assumption that older people don’t use mobile apps turned out to be incorrect.

The next big revelation came when we realized just how many people:

a. have at least a basic understanding of what passwordless authentication is and the added value it may bring; and 

b. are eager to at least see ors use passwordless technology, based on their current authentication experience.

We asked why they chose one over the other. The answers inspired us, and showed me how we drastically underestimate the tech savviness of older people.

Even though 46% said they would prefer to continue using passwords vs. potentially going passwordless, their responses to “why?” indicate that a main reason could be lack of public knowledge on passwordless technology’s many benefits.

If we pay attention to the 56% of those who did respond positively to the prospect of a passwordless future, and the chance to abandon the use of passwords, the responses about why were simple. Respondents said it is difficult to remember passwords, and they already use solutions that provide a passwordless experience. These are the biometric features embedded on their smartphones.

Older people are tech savvy and some say they are already (sort of) passwordless!

What about the younger generation? Why did I involve the “tech advanced” generation in this conversation?

As I wrote before, Ageism is a real problem in product development. As a tech community, too many of us assume that older people are tech novices. On the other end of the Ageism spectrum, we assume that our, and even younger generations, will definitely understand new technologies.

Well, here’s another surprise for us. A recent HYPR study on Millennials’ and Gen Z’s usage of password managers reveals that this idea of young people “getting it” is also far from the truth! 

Indeed, most if not all people born after 1985 are masters of their digital universe. Certainly they are power users of social platforms such as Instagram, Facebook, Snapchat, and the like. However, our study found that younger people fall short of being fully digitally literate. I’m not trying to offend anyone here. Yes, many of our young participants displayed some good security hygiene. Yet, in our research, as the age of respondents declines, security hygiene as it relates to digital identity actually worsens.

Months ago we began a journey to discover how younger people use password managers. Mainly we sought to understand, “Do younger people utilize password management apps, which ones, and how?”.

Once again, the results shed light. Many technology and security professionals like to think password managers are the way for consumers to combat password reuse and maintain strong passwords — but this assumption fails to account for a few things:

a. younger people do not care about this issue as much as the tech community thinks they should; and

b. younger people do not care about their passwords as much as some may think; and 

c. oftentimes this group does not even understand why they would even need to have complex passwords and use a different one for every account.

A whopping 61% of younger participants said that they do not use any kind of password manager. Of the 39% of those who use tools that they consider password managers, these percentages are in the single digits apart from LastPass pulling in an unremarkable 16%.

An interesting aspect of this result is how the (39%) of people who said they do use password managers answered. They referred to “Google Chrome” (27%) and an “Other” category (34%) comprised of iOS Keychain plus other OS and web browsers’ password-storing features.

The lesson here is that most people who think they use a password manager do not actually use one. We found that most people in the younger group we studied do not even understand what password management apps are.

Diving deeper into the younger generation, the numbers are even more interesting across Gen Z with 76% of them not using any kind of password managers. From their responses we learned that most of Gen Z:

a. doesn’t understand what the purpose of these tools is; and

b. doesn’t understand why you would even need one; and

c. didn’t even know these tools existed! [my personal favorite!].

I recently learned something interesting about digital identities and the even younger generation. This generation is comprised of children who were born practically holding a gadget. As I told the audiences of my recent talk at Identiverse 2020, these are children ages 2–3 who among other things try to swipe the images on TV’s at my mom’s daycare. Young children, some of them prior to learning to talk, know how to use screen-navigation gestures.

During a conversation with a fellow creative from a company that provides a platform for children, I learned that they are struggling with the creation of multiple accounts per user. When faced with account creation, children tend to put in random characters into the password fields just to gain access. They rarely devote any thought to what kind of password they want to create, how to remember it, why they need it, or how to manage it. So every time they come back, they simply create a new account instead of going through account recovery since it is faster to just keep creating new accounts.

It will be interesting to learn more about how the youngest children understand passwords — if they even comprehend passwords at all.

As we learned from the two divergent assumptions the tech community makes, we now see that the Older Generation is tech-savvier than we thought and that they want better authentication methods. They are using their smartphone biometric authentication features to manage their digital identities for years now. To the younger generation, as tech advanced as they are, passwords are not their intuitive choice of authentication method. All they’ve known from early age is smartphones that utilize biometrics, or short numeric PINs for login. Passwords just aren’t cutting it for them.

This research started with a conversation with our CTO about authentication and older users. A business question we wanted to answer was whether passwordless adoption by the enterprise require the organization to train in their users an entirely new kind of human behavior.

My belief today is that it does not. In fact, end-users (people!) are so well versed in next-gen login methods that it is the enterprise that may be playing catch up with their consumers and employees.

Older people have grown to love using their face or finger for authentication, and the younger folks don’t know any different. They just look at their phone and they’re in! Is there a better user experience or a faster means of access? Likely not.

Also, neither group wants to use passwords. Forcing them to do so would actually be going backwards at this point. If we want digital identity to be truly cross-generational, then we should continue to build on top of this passwordless behavior.