According to research on consumer password resets, nearly half (48%) of users said that when they are told that a new password cannot be the same as the old password, they are “very likely” to abandon the site. Another 21% said they were “somewhat” likely to abandon the site.
The Beyond Identity study, based on more than 1,000 responses, also found that a quarter of online shoppers are willing to abandon shopping carts worth more than $100 if they have to reset their passwords to check out. On average, the researchers found that the highest amount respondents were willing to give up was an online shopping cart of $162 when they encountered a password problem while shopping.
In other major survey results, nearly 50% of respondents said that login issues force them to reset their bill payment account password at least once a year. Baby boomers are the generation most likely to use old passwords when resetting account credentials.
“Consumers have a lot of friction with passwords,” said Jing Gu, senior product marketing manager at Beyond Identity. “In many cases, consumers cannot complete the interaction with the product, whether it’s transferring money, paying bills, buying from a gaming website, or accessing information on a trip. Passwords are an income issue. When customers get out of the car, you can lose them forever.”
Gu added that the results of the study relate to some well-respected industry studies from the past few years. Gartner has reported that 20% to 50% of service desk calls are to reset passwords. Forrester Research found that the average help desk labor cost for a password reset is about $70.
A passwordless future?
Beyond Identity’s research inevitably sparked discussion of passwordless authentication, a technology that draws a range of reactions from security practitioners.
This fall, the company released a new product for business-to-consumer websites, giving website visitors the option to set up passwordless authentication for themselves. It is currently being piloted by companies in the financial technology, tourism and software sectors.
How it works: The tool lets visitors opt in to passwordless authentication by registering with their username (usually an email address). They then receive a link; clicking it generates a public-private key pair and issues an X.509 certificate. From then on, when visitors return to the site, they enter their email address and are logged in.
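The enrollment and login flow described above, as an added Go example; it is not Beyond Identity's code or protocol. Assumptions the article does not specify: Ed25519 keys, a self-signed certificate, and a login step in which the device signs a one-time nonce from the site. The names `site`, `enroll`, `answer` and `login` are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type site map[string]*x509.Certificate // e-mail username -> certificate kept at enrollment

// enroll models the e-mailed link: a key pair is created for the device and the site
// records a certificate for the public half. Only the device keeps the private key.
func (s site) enroll(email string) (ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), // demo serial
		Subject: pkix.Name{CommonName: email}, EmailAddresses: []string{email},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, key) // self-signed (assumption)
	if err != nil {
		return nil, err
	}
	s[email], err = x509.ParseCertificate(der)
	return key, err
}

// answer is the device side of a login: sign the one-time nonce the site sent.
func answer(key ed25519.PrivateKey, nonce []byte) []byte { return ed25519.Sign(key, nonce) }

// login is the site side: the visitor typed only an e-mail address; proof of identity
// is the signature over this attempt's nonce, checked against the enrolled certificate.
func (s site) login(email string, nonce, sig []byte) error {
	cert := s[email]
	if cert == nil || time.Now().After(cert.NotAfter) {
		return fmt.Errorf("no valid enrollment for %q", email)
	}
	return cert.CheckSignature(x509.PureEd25519, nonce, sig)
}

func main() {
	s, nonce := site{}, []byte("constructed one-time nonce")
	key, _ := s.enroll("alice@example.com")
	fmt.Println("login error:", s.login("alice@example.com", nonce, answer(key, nonce)))
}
```

Typing the email address only selects which certificate to check; the login succeeds only when the nonce was signed by the private key created at enrollment, and a signature captured from one attempt does not verify against the next attempt's nonce.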
“The burden of identity verification is removed from the user,” Gu said.
Sounds too good to be true, right? Security analysts and researchers disagree on this new technology. Some are all-in; others are not so sure.
Frank Dickson, IDC’s vice president of security and trust programs, is more cautious, but he said the industry has taken a step toward reducing passwords.
“The reality is that consumers are making supplier choices based on the friction that arises,” Dickson said. “The company is weighing technology investment decisions against fraud fees and lost customer opportunities. Obviously, customer e-commerce experience is becoming a differentiating factor. More elegant consumer authentication is not a question of ‘if’ but ‘when.’ It will be a story of evolution, not revolution.”
Jack Poller, a senior analyst at Enterprise Strategy Group, believes that there will be more passwordless applications in 2022 and pointed out that Microsoft has been promoting passwordless authentication by making it the default setting in Windows 11. As more Windows 11 machines appear, especially during the holidays, this default will help more users understand the new authentication method.
“Then consumers will ask for their most precious and important online accounts, banking and shopping, without passwords,” Poller said. “Next, they will want their work accounts to have the same convenience and security.”
Some security researchers are skeptical.
Netenrich’s chief threat hunter, John Bambenek, said that passwordless authentication is promising, but in practice, it just becomes “no authentication required.”
“What really helps account takeover is the use of multi-factor authentication and password managers, which helps minimize password resets or enable the ability to detect account takeovers,” Bambenek said. “Although e-commerce sites want to maximize order flow, this priority cannot lead to safe competition.”
JupiterOne’s CMO Tyler Shields said that companies need to work hard to create an easy-to-use security experience that provides a sufficient level of security for the technology required by modern consumers. A good example is the move to single sign-on and passwordless authentication.
“For decades, users have not been able to maintain correct passwords,” Shields said. “This will never change. Therefore, innovation must create an easy-to-use alternative that provides appropriate security and a better user experience. Enterprises must find the appropriate balance between technological innovation and the security of traditional models.”

