PrimePay Networks

The Post-Password Era: Rethinking Authentication in Financial Services

Passwords are failing us. Once the backbone of digital security, they’ve become predictable, forgettable, and increasingly vulnerable—especially in the age of artificial intelligence. Hackers can crack them faster than users can remember them, leaving financial institutions exposed and customers at risk.

So, what comes next? In a PaymentsJournal webinar, Dr. Adam Lowe, Chief Product and Innovation Officer at CompoSecure and Arculus, and Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research, explored the latest security options for financial institutions. The verdict: software and hardware passkeys are emerging as the strongest defense, offering security, smoother user experiences, and a competitive edge in a digital-first world.

Leaving the Password Behind

Passwords have several inherent problems: they are static, often repeated, and frequently forgotten. Humans have limited and predictable imaginations when creating passwords, which makes the results easy to guess. Introducing AI into the equation only makes it easier for cybercriminals to crack them, increasing the risk of compromise.

“A password is nothing but a shared secret,” said Lowe. “For anyone that’s ever shared a secret, it doesn’t stay secret very long. It’s also a phishable credential. Anytime you give someone information that can be extracted, it’s a security risk.”

Financial institutions have long been reluctant to push customers beyond passwords, but a tipping point has arrived. AI and other advanced tools are now forcing the industry to rethink authentication.

“If we don’t protect consumers from themselves by getting rid of passwords and figuring out stronger ways to authenticate them—and verify their authenticity when they’re logging into accounts—the result is going to be fraud and cybersecurity lapses,” said Goldberg. “That’s going to result in attrition.”

Enter the Passkey

The strongest defense today is the passkey. Users don’t need to know or remember anything to use one. A passkey verifies an individual’s identity during login without requiring the consumer to provide sensitive information. The less a user must remember or submit, the lower the risk of their credentials being compromised or socially engineered.

Currently, there are two common types of passkeys. Hardware-bound passkeys are generated and stored on a secure piece of hardware. This could be the same device that allows seamless login or device provisioning, such as a payment card.

Sync passkeys reside on a server in the cloud. These are less secure and are best suited for low- to medium-risk transactions, like checking a balance. For medium- to high-risk situations—such as updating personal information or sending large wire transfers—hardware-bound passkeys are strongly recommended.

The situation is further complicated by infostealers, a stealthy type of malware that captures browsing data and can compromise sync passkeys. Any information saved in the browser, including cookies and active sessions, can be vulnerable.

“This is why we’ve been talking at Javelin about getting away from anything that requires the individual to be involved in the authentication process at all,” said Goldberg. “Anytime you have the human involved, you’re going to have an element of risk. The more we can remove the human from the equation, the better off we’re going to be.”

The Threat of AI

Cybersecurity is even more important in the AI era, as AI makes phishing attacks easier and more convincing. Criminals can quickly gather personal data from social media and other sources to craft highly targeted emails, phone calls, and text messages.

Passkeys are inherently resistant to phishing because users never see the cryptography that unlocks them. This makes them far more secure than traditional passwords, but criminals continue to evolve their methods.

“If you had asked me two months ago, I probably would have said the AI risk is solely linked to how cybercriminals can use AI to enhance their socially engineered techniques and tactics,” said Goldberg. “But today, in addition to socially engineered attacks, AI is also being used to automate the attacks themselves by manipulating some of the code that’s being used to steal information. Two months from now, I’ll probably say even more.”

The Right Amount of Friction

The good news is that passkeys are now simple to implement. As consumers upgrade to new devices—like the latest iPhones or Pixels—banks need to ensure these devices can be trusted for secure logins. A local passkey, stored on a payment card, can quickly and safely provision the new device. Simply tapping the card on a new device gives users a secure, frictionless way to log in for the first time. The result is a user journey that’s smooth, secure, and low-stress.

When credit cards were first introduced, verification relied on merchants looking up names in a book. Since then, the process has advanced and consumers have learned to tolerate a little friction. FIs that fail to implement step-up authentication for high-risk transactions risk losing customers over time.

Nearly half of consumers would close a longstanding bank account because of fraud. As emerging fintech providers compete with traditional financial institutions, the stakes have never been higher. Customers can easily move their accounts if they perceive weak security or experience fraud that could have been prevented.

“For FIs considering this in their technology flow, my advice would be to invest in your user and the user experience,” said Lowe. “When you do that and integrate something like passkeys, you’re going to increase wallet share and brand loyalty. Not only is this a great payment experience, but it’s a payment experience that’s keeping me safe.”

“You’re going to make your top-line revenue business people happy, and you’re going to make your fraud organization and your bottom line people very happy as well,” he said. “This is one of the highest ROIs you can do. It’s not a cost—it’s an investment with a massive return on that investment. With just a little bit of UI/UX work and some easy-to-use tech, you can make everyone safer and have meaningful quantitative financial results for your organization.”



The post The Post-Password Era: Rethinking Authentication in Financial Services appeared first on PaymentsJournal.
