Verified by Visa is Abandoning Passwords. But Is It Too Little, Too Late?
By Evan Schuman
29 Sep 2016
If you poll any group of 100 security professionals, you’d be hard-pressed to find a single one who would defend passwords as a viable and secure authentication tool. From that perspective, it’s not surprising that Visa officially said it will stop using static passwords for its e-commerce Verified by Visa program.
What is surprising is the world’s largest card brand’s timing. The pledge to abandon passwords for just this one program wasn’t to make them disappear by this year’s holiday shopping season. Or for next year’s holiday shopping season. No, Visa’s announced plan was to rid its Verified by Visa world of “password1234” by April 2018. Good to see that this authentication risk is being taken so seriously.
To be fair, changing an authentication technique requires a lot of companies to make system changes. And when you’re as huge as Visa—in the last quarter alone, Visa said it processed 19.8 billion transactions—these things take time. But still, April 2018?
“These types of initiatives are well-intentioned, but poorly executed,” said Sift Science CEO Jason Tan. “The biggest obstacle is themselves, their inertia.”
What will be the de facto standard?
Visa’s far-off password cutoff gives the card brand plenty of time to see which authentication method the industry gravitates towards. Personally, I’d have preferred some more leadership from Visa to point to what it will move to and argue why everyone should follow.
Visa talked about efforts it is supporting to replace static passwords, but was far from explicit as to its preferred final form.
That all said, Visa has come to grips with the e-commerce reality, which is that authentication has to avoid being invasive and interruptive as much as possible. It conceded that today’s password effort can lead shoppers to abandon purchases, saying, “The enrollment process for Verified by Visa-specific static passwords can introduce friction and divert cardholders from the merchant’s website.” It also added that shoppers often forget passwords and that passwords “can give thieves a way to register a password on a cardholder’s behalf.”
Visa is now embracing the data-intensive approaches that are growing popular today, where sites leverage the vast oceans of data that consumers—especially those using a mobile device—bring along during every shopping trip. This, Visa said, will “also enable an improved experience for consumers by providing issuers with more data—data that can be used in the decision process so that legitimate transactions are not declined. [The new Visa approach] will also give merchants the capability to better integrate authentication into their checkout processes for a more seamless consumer shopping experience.”
Sift Science’s Tan agrees that a data-based approach is better. Many of today’s e-commerce authentication methods introduce “a lot of unnecessary friction. The grand promise of the machine-learning system is that we can put a lot of data to work,” he said.
“Don’t ask for the credentials upfront. Quietly check in the background,” Tan explained, adding that “putting the onus on the customer” is a terrible idea when analytics can make a much more accurate assessment on its own. If the software sees conflicting data points, credentials can always be sought later, but only in the few cases where they are needed.
Visa also touched on the Internet-of-Things movement, referencing “new device types such as connected cars and refrigerators.” Such transactions will initially push the purchase/tender part of the transactions to a nearby mobile device, where it will be treated as any other mobile transaction.
Apple’s CarPlay, for example, already integrates a large number of mobile functions into a car’s dashboard. With that work done, allowing Apple Pay to pay for transactions will be a lot easier, whether it’s instantly purchasing a song that just played through Pandora or Spotify, or paying for gas or a meal at a rest stop.
Eventually, though, IoT devices will sport screens just large enough to make their own transactions. Turn the thermostat up a few times and an ad may pop up for sweaters or a space heater. Nowhere will ease and speed of transaction be more essential than making a purchase from a refrigerator, thermostat or a watch.
Purchases are quickly moving from in-store to online and eventually to IoT – and all of that is being overwhelmingly fueled by speed and convenience. Why would a merchant ever want to make the customer interaction any slower or more arduous than it absolutely needs to be?
Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek, Computerworld, and eWeek.