With the pandemic-driven proliferation of QR codes throughout day-to-day life in Western countries, including in sensitive applications like accessing medical records, cyber threat actors have predictably started to take advantage of the QR code scanning process. A wave of QR-related phishing attacks hit over the summer of 2022, with a good amount of media coverage following each detected instance.
User identities are at risk.
Digital transformation has been in overdrive in recent years with financial institutions rapidly adapting to consumer behavior changes, which have largely shifted from offline to online transactions. Simultaneously, enterprises continue to accelerate migration to the cloud to manage millions of digital identities across complex environments.
This paradigm shift, coupled with unprecedented growth in digital activity, has brought a corresponding daily increase in the intensity and frequency of identity theft, fraud, and data breaches. Specifically, account takeover (ATO) fraud, in which bots, phishing, social engineering, credential stuffing, and brute-force attacks are used to infiltrate systems and compromise user accounts, is rising sharply.
No one cares! That’s not true, but essentially no one cares. Bringing up user security in an organization is like walking into a sports bar and talking about statistics. It matters, probably far more than the basic arguments being made in the bar, but does anyone in that bar really want to hear about stats? No. There are, however, large analytics departments in sports just as there are large security departments in companies. I suppose you could sell a security product to a security team, but if your product touches other departments like ours does, they certainly won’t care.
A fully passwordless internet is a foregone conclusion. CTOs, CIOs, developers, and, most importantly, consumers are all aligned in wanting to phase out the clunky password-based authentication paradigm we have today to improve both security and user experience. What’s less clear is what the passwordless future will look like and how we’ll get there. Balancing security against ease of use, while accounting for learning curves, edge cases, and imperfect human behavior, requires a thoughtful approach to implementing innovative login mechanisms. QR login, leveraging biometrics-enabled smartphone apps with a password fallback, is the smoothest and most secure bridge for transitioning users to a fully passwordless experience.
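The QR login flow described above (desktop shows a QR code, the phone app approves after a local biometric check, the desktop session is then signed in) is easier to reason about with a concrete server-side broker. The following is an added example, not code from the original post or from any product it describes; the class and function names, the `login.example.test` URL, the 60-second TTL and the browser-context strings are all assumptions chosen for illustration. It shows the properties a defender wants from such a flow: a random single-use challenge with a short lifetime, a separate poll token so that merely seeing the QR code does not let someone collect the resulting session, and a step where the app fetches and displays which browser is asking before the user approves.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse

QR_TTL_SECONDS = 60  # assumption: a short window limits replay and relay of a scanned code


@dataclass
class QrLoginSession:
    challenge: str          # random value embedded in the QR code
    poll_token: str         # held only by the browser tab that started the flow
    browser_context: str    # constructed description shown to the user before approval
    created_at: float
    approved_user: Optional[str] = None
    consumed: bool = False


class QrLoginServer:
    """Hypothetical QR-login broker: desktop starts, phone approves, desktop polls."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable for deterministic expiry tests
        self._by_challenge: dict[str, QrLoginSession] = {}
        self._by_poll: dict[str, QrLoginSession] = {}

    def start(self, browser_context: str) -> tuple[str, str]:
        """Desktop calls this; returns (qr_payload, poll_token)."""
        s = QrLoginSession(
            challenge=secrets.token_urlsafe(32),
            poll_token=secrets.token_urlsafe(32),
            browser_context=browser_context,
            created_at=self._clock(),
        )
        self._by_challenge[s.challenge] = s
        self._by_poll[s.poll_token] = s
        return f"https://login.example.test/qr?c={s.challenge}", s.poll_token

    def _alive(self, s: QrLoginSession) -> bool:
        return not s.consumed and self._clock() - s.created_at <= QR_TTL_SECONDS

    def describe(self, challenge: str) -> Optional[str]:
        """Phone app calls this after scanning, so it can show which browser is asking."""
        s = self._by_challenge.get(challenge)
        return s.browser_context if s and self._alive(s) else None

    def approve(self, challenge: str, app_user: str, biometric_ok: bool) -> bool:
        """Phone app calls this only after its local biometric check succeeded."""
        s = self._by_challenge.get(challenge)
        if not s or not self._alive(s) or not biometric_ok or s.approved_user:
            return False
        s.approved_user = app_user
        return True

    def poll(self, poll_token: str) -> Optional[tuple[str, str]]:
        """Desktop polls; receives (user, session_token) exactly once, after approval."""
        s = self._by_poll.get(poll_token)
        if not s or not self._alive(s) or s.approved_user is None:
            return None
        s.consumed = True  # single use: the challenge cannot be redeemed again
        return s.approved_user, secrets.token_urlsafe(32)


def challenge_from_qr(payload: str) -> str:
    """Extract the challenge the phone app would read out of the scanned URL."""
    return parse_qs(urlparse(payload).query)["c"][0]


if __name__ == "__main__":
    srv = QrLoginServer()
    qr, poll_token = srv.start("Chrome on macOS (constructed context)")
    challenge = challenge_from_qr(qr)
    print("app shows:", srv.describe(challenge))
    print("approved:", srv.approve(challenge, "alice", biometric_ok=True))
    print("desktop gets:", srv.poll(poll_token))
    print("second redemption:", srv.poll(poll_token))
```

The split between `challenge` (public, in the QR) and `poll_token` (private to the originating tab) is the design choice worth noting: it means a relayed or photographed QR code yields nothing to whoever holds it, because the session token is only ever handed to the tab that created the flow, and only after an authenticated app user has seen the browser context and approved.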
Last week I tried to make a wire transfer. Simple enough; it should have taken me two minutes. Needless to say, it didn’t. First, I pulled out my phone and logged into my banking app. It was easy – I entered my username and password once a few years ago and now I log in using Face ID. It takes <1 second. I love it. Unfortunately, my bank’s mobile app doesn’t have great wire transfer functionality, so I grabbed my computer to log in on desktop.