User Experience Conquers All
Jay Roxe, HYPR
3 Min. Read | June 5, 2023
At Identiverse 2023, the narrative around removing the password has reached inevitability: it’s not if or how, it’s when. Unsurprisingly, passkeys were a common theme because they’ve achieved the two requirements for finally pushing the 62-year-old password into retirement: they’re faster than a password and easier for the user.
In the recent State of Passwordless vol 3, we showed that 45% of security decision-makers think that improving the user experience is the reason to go passwordless. Users have discovered an incredible number of ways to get around security they find irritating (I’m looking at you, Mouse Jiggler).
Adding Pain With Number Matching
Given Microsoft’s recent announcement that Authenticator will now mandate number matching, we’re likely to see even more focus on the experience. The new policy requires that the numbers in a user's password match exactly with those on their registered mobile device. (You can see a video demo here.) This adds a layer of complexity to the authentication process: users now not only have to remember a password but also have to ensure that certain numbers correspond to those on their personal devices. While CISA’s guidelines for moving to phishing-resistant MFA accept number matching as one way to get to phishing resistance, the experience is pretty challenging.
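To make the number-matching step concrete, here is an added example (not code from the post, from HYPR, or from Microsoft) that simulates the exchange the way Microsoft Authenticator implements it: the sign-in page displays a number, the user types that number into the authenticator app when approving the push, and the identity provider accepts the approval only if the typed number matches the one it issued for that pending request. The class names, the in-memory store, the two-digit range and the 60-second lifetime are all constructed for illustration. The point of the simulation is the defensive property: an approval tapped blindly (the MFA-fatigue or push-bombing case), a guessed number, a replayed approval and a stale challenge are all rejected.

```python
"""Simulation of an MFA push prompt with number matching.

Added example, not code from the original post, HYPR or Microsoft.
Models the flow Microsoft Authenticator uses: the sign-in page shows a
number, the user must type that same number into the app, and the server
accepts the approval only if it matches the number issued for that request.
Names, the in-memory store, the number range and the TTL are constructed.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

CHALLENGE_TTL_SECONDS = 60  # constructed value for this example


@dataclass
class PendingSignIn:
    request_id: str
    user: str
    display_number: int   # the number the sign-in page shows to the user
    issued_at: float
    state: str = "pending"  # pending | approved | denied | expired


class NumberMatchingServer:
    """Identity-provider side of the exchange (constructed for this example)."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._pending: dict[str, PendingSignIn] = {}

    def start_sign_in(self, user: str) -> PendingSignIn:
        """Create a pending request and the two-digit number the page displays."""
        req = PendingSignIn(
            request_id=secrets.token_hex(8),
            user=user,
            display_number=secrets.randbelow(90) + 10,  # 10..99, constructed range
            issued_at=self._now(),
        )
        self._pending[req.request_id] = req
        return req

    def approve(self, request_id: str, entered_number: Optional[int]) -> str:
        """Handle the approval sent by the registered device.

        A plain "approve" tap (entered_number is None) or a wrong number is
        rejected. That is what blunts push-bombing: whoever triggered the
        prompt cannot see the number shown only on the legitimate sign-in page.
        Each request can be settled exactly once, so replays are rejected too.
        """
        req = self._pending.get(request_id)
        if req is None or req.state != "pending":
            return "rejected: unknown or already settled request"
        if self._now() - req.issued_at > CHALLENGE_TTL_SECONDS:
            req.state = "expired"
            return "rejected: challenge expired"
        if entered_number is None or entered_number != req.display_number:
            req.state = "denied"
            return "rejected: number does not match"
        req.state = "approved"
        return "approved"


class FakeClock:
    """Controllable clock so the expiry path can be exercised deterministically."""

    def __init__(self, start: float = 1_000_000.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t


def demo() -> dict[str, str]:
    """Run four scenarios against the simulated server and return the outcomes."""
    clock = FakeClock()
    server = NumberMatchingServer(now=clock)
    results: dict[str, str] = {}

    # 1. Legitimate user reads the number off the sign-in page and types it in.
    req = server.start_sign_in("alice")
    results["legit"] = server.approve(req.request_id, req.display_number)

    # 2. Push-bombing victim taps approve without entering a number.
    req = server.start_sign_in("alice")
    results["blind_approve"] = server.approve(req.request_id, None)

    # 3. Replay of the already-settled request, this time with the right number.
    results["replay"] = server.approve(req.request_id, req.display_number)

    # 4. Correct number, but the challenge is older than the TTL.
    req = server.start_sign_in("alice")
    clock.t += CHALLENGE_TTL_SECONDS + 1
    results["expired"] = server.approve(req.request_id, req.display_number)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:>14}: {outcome}")
```

Running the module prints one line per scenario; only the first is approved. In a real deployment the number shown on the page and the one entered in the app never travel over the same channel, which is the property the simulation's `approve` check stands in for.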
Adding Pain With Complexity?
We’re going to see another level of complexity added to passwords with the implementation of the 2024 PCI requirements. Password length and complexity requirements drive users nuts. The Payment Card Industry (PCI) 2024 password length requirement is a perfect example of how security measures can impact user experience. The updated requirements mandate a minimum of 12 characters for passwords, so users are being forced to remember more complex and lengthy credentials. While this might enhance security, it will also lead to frustrated users, increased password reset requests and significant account lockouts. Fortunately, the PCI 2024 requirements also acknowledge FIDO, which can serve as one or more of the factors required for authentication.
FIDO and Passkeys to the Rescue
So where does this leave us, given that both of those changes are designed to address the ability of hackers to use automated attacks to bypass traditional authentication systems? This is why FIDO has developed so much market momentum, particularly around passkeys. First off: a passkey is any FIDO credential. If you’ve been using FIDO for years, you’ve been using passkeys; they just have a new name.
Passkeys offer a more streamlined experience for users by reducing the need for remembering complex passwords. The good news is that with Apple, Google, Microsoft and a number of the password management solutions offering to support synchronized passkeys, it’s increasingly easy for companies to adopt passkeys and for consumers to use them. It’s soon going to be as natural as anything that we do to authenticate on our phone today.
The User Experience Holy Grail
From a user experience point of view, passkeys can help us to achieve the holy grail: having an authentication experience that is simpler and faster than passwords. HYPR not only supports passkeys through our app, we also provide what Apple, Google and Microsoft don’t — the servers and infrastructure required for organizations to authenticate based on passkeys. Beyond that, we also offer Enterprise Passkeys: passkeys bound to a single device with the controls that enterprises need to feel confident that they have control of their credentials and authentication strategy.
Interested in finding out more about how passkeys can support your users or consumers? Contact us.
Jay Roxe is Chief Marketing Officer at HYPR where he is responsible for elevating the company story and helping to define the passwordless security category. Prior to joining HYPR, Jay held the same role at BitSight where he helped to define the Security Ratings category. Jay has more than 20 years of experience in software development and marketing with expertise in security, electronic medical records, and development platforms at a variety of companies including Rapid7 and athenahealth.