Identity modernization for customer-facing applications
Want to loan a friend some money? There’s an app for that. Want to exchange some dollars for Euros? There’s an app for that. In fact, the number of mobile apps that let consumers complete financial tasks that used to require a big financial institution is growing by leaps and bounds.
Fintechs are slowly but surely nibbling away at the services traditionally offered by banks and other companies in the financial sector. Their main weapons? Streamlined processes and slick mobile apps.
The establishment banks – not to mention healthcare institutions, hotels, and other businesses with a consumer-facing online presence – have heard the message and responded as best they can.
Currently, 99% of Gen Z and 98% of millennials already use a mobile banking app for a wide range of tasks for which their parents had to make a trip to a physical bank branch. But there’s a limit to how far banks can go. Many of these new fintechs, using modern IT infrastructure, have simplified customer identity and access management (CIAM) processes, a feature large financial institutions can’t easily match because of the legacy systems they must support.
Barriers to a passwordless future
It should come as no surprise that people don’t like passwords. One Google study revealed that 75 percent of consumers were frustrated by password-based authentication methods. Meanwhile, 48 percent of consumers under 40 feel safer using biometric technology.
Unfortunately, for today’s giant financial institutions, abandoning passwords isn’t a simple matter. CIAM processes are hard-wired into their production applications, typically in several different places. Changing the process would involve rewriting an enormous amount of code, which is particularly difficult in monolithic applications that may have limited documentation and hidden dependencies.
The key to rolling out passwordless authentication for activities like online banking is to decouple identity from applications via an abstraction layer. This makes it possible to deploy passwordless technology from any vendor without recoding the Bank’s apps to support this new capability. All the necessary technology exists, and when properly orchestrated, it can provide customers with a passwordless authentication experience. Here’s an example of a typical customer user experience.
Ali has an account with ‘Canary Bank’ and wants to sign up for online banking. She begins by downloading the Canary Bank app onto her smartphone. Then she is offered the option of signing in with a social sign-up, typically Facebook ID, Google ID or Apple ID. (This is the only time that user name/password credentials will be required.) A bank’s ability to use credentials from a set of IdPs their customers already trust is an example of orchestration in action.
For banks, the next step is meeting the “know your customer” (KYC) requirement. As a check against illegal activities such as money laundering, banks are required to make sure that their clients are genuinely who they claim to be. The two basic mandatory KYC documents are proof of identity with a photograph and proof of address.
To complete this step, Ali photographs both sides of her driver’s license and sends these images to the bank. (For other use cases with less strict requirements, a video selfie or fingerprint is sufficient for this step.)
The third step is to obtain a passwordless credential. A QR code is sent to Ali’s phone, she takes a screenshot, and the process is complete. Ali’s identity, through her phone, is now connected to that unique QR code.
Modernizing the user experience and eliminating friction is a primary benefit of passwordless CIAM but by no means the only one. Removing passwords from the process makes it more secure, as 81% of hacking-related breaches involve passwords. In shopping situations, passwordless CIAM can reduce shopping cart abandonment rates and potentially increase sales, as 18% of retail customers abandon their carts because they can’t retrieve their credentials.
Moving forward with passwordless
Banks seeking to keep up with their fintech competitors in a world of “mobile everything” should begin by decoupling identity from applications. They can wire the various customer journey components required to make this happen via identity orchestration. The result is a situation that was thought to be impossible: superior security with less user friction.
Originally published on Forbes Technology Council on Sept. 27, 2022