Going passwordless in online shopping

GUEST BLOG: In the contributed blog post, Ian Lowe, head of industry solutions, EMEA at Okta, explains why passwords can cause such an issues for people shopping online, and how technology can help remove this difficulty.

The history of online retail is an evolution towards customer ease. Regardless of the retailer being a brand steeped in history and physical stores, or a startup brand built on social and mobile platforms, frictionless business has become the Holy Grail to maximise revenue from online spending.

One process that has rightfully been placed under huge scrutiny is the humble login. The typical combination of username and password has become a major source of frustration and lost business.

The awkward truth is that – faced with often cumbersome requirements and frequent problems logging in – many users simply abandon accounts or purchases.

The good news is that the converse also applies. Our recent research across more than 20,000 consumers found that – globally – nearly 60% would be more likely to spend more money when services offered a simple, secure, and frictionless login process.  In the UK, that number shifts to 64%.

This finding is consistent across all sectors and industries. But the issue is acute for those targeting millennials and Gen Z: our study found that nearly a third (29%) of UK 18-29 year olds don’t care about their digital identity, and just want to be able to buy things quickly. The message is quite clear: speed sells.

While some friction is necessary – and inevitable – to establish trust and provide security controls, our research shows that passwords have now reached the tipping point: almost two-thirds felt overwhelmed with the number of usernames and passwords they have to manage.

The negative feeling begins with password creation. In our research, 33% of respondents indicated feeling frustrated when they have to create a password that meets certain requirements.

And even if customers grit their teeth and persist in setting up username and password log-in, the problems only get worse. 63% of respondents report that at least once a month they’re unable to log in to an account because they forgot their username or password, with 24% encountering this issue at least once a week, and for 6%, it’s a daily occurrence.

Then there is the issue that passwords don’t work as they should against the complexity of modern attacks. People – understandably – suffer password fatigue and reuse passwords. At the same time, attackers now have access to sophisticated tools, making it really easy to compromise even the most complex password that opens up multiple accounts.

At this strategic level, passwords are incredibly weak. Password vulnerabilities account for more than 80% of breaches. As of November 2022, the most common password in the world was still ‘123456’ – with one country (the UK) even more exposed as the most common password on domestic shores is ‘password’. And in the light of increased publicity around the impact of such breaches and weakness, potential customers are no longer reassured by a ‘password-protected’ service.

Friction, frustration, and fear do not make a positive user experience. Or successful businesses.

And for retailers, this is critical as our study shows that levels of intolerance increased when signing up for retail: concerns backed up by Auth0 research that showed 83% of consumers have abandoned their cart or sign-up attempt because the login process was too complicated.

If user experience is the natural selection of technology, passwords are now dinosaurs.

Indeed, according to Gartner research: “By 2025, organizations adopting customer identity and access management (CIAM) with converged fraud detection and passwordless authentication will be able to reduce customer churn by more than half.” That level of business improvement means that it will be only those online retailers that nail passwordless that survive.

And such numbers are even before businesses take into account issues such as accessibility. Vision or cognitive impairments, or limited motor function prohibits users from navigating cumbersome authentication processes that demand the user to remember and enter a long, complex password. In these instances, doing business better is not only more inclusive, but again a source of substantial competitive advantage.

To try and remedy these issues, the move to passwordless login centres around the use of existing, trusted sources of customer identity.

Much of the groundwork has already been done.  In the last few years, the FIDO Alliance, an open industry association, has helped businesses and users authenticate with maximum security and minimum friction. The WebAuthn standard provides the technological foundation by enabling brands to authenticate users with public key cryptography instead of a password.

Our research found that protocols built on this standard – such as social login and multi-factor authentication (MFA) – are now seen as table stakes (though it seems that there is little support for biometric authentication). The issue is however, not so much one of which technology to choose, but how best to implement it.

In this regard, the move to passwordless can require dedicated development resources over a sustained period of time, along with scaling, updates, and maintenance after the initial implementation.

It is for these reasons that most businesses look to a specialist partner. But with multiple studies and pieces of research now showing that passwordless decreases friction and increases conversion, this is an investment in a necessary evolution.

Data Center
Data Management