The first step for onboarding any customer is identity proofing or identity verification. This is done digitally or in person, where you provide documentation such as your ID or passport. Once your identity is validated, you then register for an online account.
You start by creating a username. Then you create a password. Stronger password policies require a minimum length with numbers and special characters, so it takes a few iterations before you meet the requirements.
Now that you have your username and password, you enter them into the web or mobile app to log in. If you need to perform a step-up authentication at any time, such as for a high-value transaction, you usually get an SMS code to type in.
There are times when you need to add another trusted device to your account. You might have a new tablet or you’re logging in from your computer for the first time. You can log in with your password, assuming you remember it.
Now, most people don’t remember their password, so you’re likely to jump through hoops to reset it. You might get an SMS code or an email link, sometimes only after you’ve successfully answered knowledge-based questions or gone through identity proofing again.
When you’ve proven you are who you say you are, you’re finally able to create a new password and use the app. However, this means you’ve also invalidated devices that you’ve previously logged in with using the old password.
From here on out, whenever you want to add a new device, you get caught in a vicious cycle of identity proofing and password resets. Despite providing a sense of security through SMS codes, one-time password apps, and knowledge-based questions, these layers of friction are applied to protect an experience that is dependent on a factor that was already insecure and frustrating to use.
This is not just a problem for customers. This issue is compounded when adaptive authentication or identity orchestration is used for threat detection that’s focused on the password itself. This doesn’t improve the user experience; it just adds unnecessary complexity to login design and ignores the underlying password pain.
In short, passwords cause friction from onboarding to account recovery, they are insecure, and even when you add layers of security centered on passwords, those layers don’t solve the user experience problems or the passwords’ vulnerabilities.
So what happens if you deploy passwordless authentication first? Your customer journey becomes a true passwordless experience end to end.
Passwordless eliminates the need to create a password – the least favorite part of onboarding, which now means there’s no password to create and no password to enter.
Instead, you have the HYPR app or mobile SDK in your own app for passwordless login. When you want to add a new device, you can do so with the app you already have on your smartphone. And when you require step-up, you can do that with HYPR as well. The friction of Identity Proofing comes in only in extreme cases, when the user loses all of their registered devices.
As you consider whether you should start with passwordless authentication or identity proofing first, keep in mind that by going passwordless first, you enhance your security and ease of use, which benefits your identity proofing in the long run.
By going passwordless first, you create a fast and easy user experience that is modernized and consistent, which will generally help people avoid account lockout. HYPR also supports step-up authentication, making your entire user experience truly passwordless. What you then have is a consistent user experience across onboarding, login, step-up and account recovery.
True Passwordless works alongside your Identity Proofing and Identity products to remove the #1 pain – the password. This reduces the need for threat detection focused on credential reuse because your authentication is now based on trusted factors.
And this ultimately helps you to achieve the highest level of assurance.