The technology and security headlines of 2017 foreshadow big changes on the horizon in the world of identity and access.

Rumors of the death of the password may have been exaggerated in the past, but major data breaches have removed any doubt that our email addresses, passwords and personal information, including Social Security numbers, are no longer sufficient to protect our identities online. At the same time, options for using more unique data, such as biometrics, for authentication are gaining popularity, with fingerprint scans already pervasive on personal devices and facial recognition moving into the mainstream with the latest smartphone models.

But while these new authentication methods are certainly picking up steam, the path to a completely passwordless world will be a long journey and, ultimately, users will lead the way.

Preparing for a New Era of Authentication

As we reach this crucial turning point in the authentication landscape, IBM commissioned a broad consumer study to better understand global and generational consumer preferences around biometrics, passwords and multifactor authentication.

IBM Security’s new “Future of Identity Study,” released today, surveyed nearly 4,000 adults around the globe. Below are some of the top findings.

  • Security is beginning to outweigh convenience. People ranked security as the highest priority, over convenience and privacy, for logging in to the majority of applications, particularly when it comes to money-related apps.
  • Biometrics are becoming mainstream. Sixty-seven percent of respondents are comfortable using biometric authentication today, while 87 percent say they’ll be comfortable with these technologies in the near future.
  • Millennials are moving beyond passwords. While 75 percent of millennials (respondents between the ages of 20 and 36) are comfortable using biometrics today, less than half are using complex passwords and 41 percent reuse passwords to access numerous accounts. Older generations showed more care with password creation, but were less inclined to adopt biometrics and multifactor authentication.

Taking a closer look at these trends, the future of identity may be closer than we think.

Read the complete IBM Study: The Future of Identity

Millennials Accelerating the End of the Password Era

Generational differences that emerged from the survey results showed that younger adults are putting less care into traditional password hygiene but are more likely to layer access with multifactor authentication, use biometrics for speed and convenience, and use password managers to secure their accounts. This could be an indication that younger generations have less confidence in passwords to begin with, thus looking to alternative methods to secure their accounts.

With millennials quickly becoming the largest generation in today’s workforce, according to a study by ManpowerGroup, these trends may impact how employers, service providers and technology companies provide access to devices and applications in the near future. Below are some additional findings on generational authentication trends.

  • Only 42 percent of millennials use complex passwords that combine special characters, numbers and letters (versus 49 percent of respondents who are 55 and older), and 41 percent reuse the same password multiple times (versus 31 percent of those aged 55+).
  • On average, people 55+ use 12 passwords, while Generation Z (ages 18 to 20) averages only five passwords. This could indicate a heavier reuse rate across a growing number of accounts.
  • Millennials are two times more likely to use a password manager (34 percent) than people over the age of 55 (17 percent).
  • Millennials are more likely to enable two-factor authentication in the wake of a breach (32 percent versus 28 percent of the general population). They are also more likely to delete an account held by a breached service providers and move to a competing one.
  • Seventy-five percent of millennials were comfortable using biometrics today, compared to 58 percent of those over age 55.

Security Trumps Convenience, Especially for Money-Related Apps

While conventional wisdom may hold that consumers value speed over all else, the survey found that consumers ranked security as a higher preference than privacy or convenience for the majority of applications, particularly for money-related applications.

The one exception to this was social media apps, where convenience took a slight edge over security, revealing a potential blind spot when it comes to protecting personal data stored on those apps.

Figure 1: Users’ top priorities when logging into various applications

Preparing for the Future of Identity

How can organizations adapt to shifting user preferences? Companies should adapt by taking advantage of flexible identity platforms that provide users with choices between multiple authentication options — for example, letting users toggle between a mobile push notification that invokes fingerprint readers on their phone and a one-time passcode.

Organizations can also balance demands for security and convenience by incorporating risk-based approaches into their access schemes. When risk levels rise, additional authentication checkpoints can be triggered, such as when behavioral cues or connection attributions, such as device, location or IP address, signal potentially abnormal activity.

Leveraging data from the survey can also help reshape security processes for an evolving workforce. As millennial and Generation Z employees begin to dominate the workforce, organizations and businesses can adapt to younger generations’ proclivity for new technology by allowing for increased use of mobile devices as the primary authentication factor and integrating approaches that favor biometric methods or tokens in place of passwords. As always, users should follow best practices for securing their digital identities.

For additional details on the study and advice to help companies prepare for the future of authentication, download the full report.

Read the complete IBM Study on The Future of Identity

More from Identity & Access

Another category? Why we need ITDR

5 min read - Technologists are understandably suffering from category fatigue. This fatigue can be more pronounced within security than in any other sub-sector of IT. Do the use cases and risks of today warrant identity threat detection and response (ITDR)? To address this question, we work backwards from the vulnerabilities, threats, misconfigurations and attacks that IDTR specializes in providing visibility into. As identity threat detection and response (ITDR) technology evolves, one of the most common queries we get is: “Why do we need…

Access control is going mobile — Is this the way forward?

2 min read - Last year, the highest volume of cyberattacks (30%) started in the same way: a cyber criminal using valid credentials to gain access. Even more concerning, the X-Force Threat Intelligence Index 2024 found that this method of attack increased by 71% from 2022. Researchers also discovered a 266% increase in infostealers to obtain credentials to use in an attack. Family members of privileged users are also sometimes victims.“These shifts suggest that threat actors have revalued credentials as a reliable and preferred…

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today