Auth & identity
March 11, 2022
Author: Stytch Team
A CyberNews interview with Stytch co-founder Reed McGinley-Stempel
Good password hygiene has always been the top security measure to avoid data breaches. However, with so many websites, e-stores, and social media sites each requiring strong but unique passwords, it becomes hard to remember them.
Having to continuously make up long and difficult-to-guess passwords results in users compromising security for sanity: they resort to password reuse, which can lead to countless breaches.
While there are known and convenient solutions that users can adopt, such as password management tools, organizations implementing measures such as passwordless authentication on their platforms could dramatically improve security.
For this reason, we invited Reed McGinley-Stempel, the CEO and Co-Founder of Stytch, a company that specializes in passwordless authentication, to discuss the relevance of authentication methods and cybersecurity issues.
Authentication is a frustrating experience for both developers and users. Julianna Lamb and I recognized the problem and set out to solve it. While working together at Plaid, we witnessed the security and user experience shortcomings of password-based authentication and founded Stytch to create the developer platform for passwordless authentication that enables software teams to easily build experiences that delight their users.
It’s been an incredible journey so far. We believed passwordless adoption was inevitable, but it has accelerated much faster than we honestly expected, with even major organizations like Microsoft moving to a passwordless framework last year. The trend is growing even faster in 2022, and we’re excited to be building the tools that make it easy for developers to quickly and safely adopt passwordless authentication in a way that works for their users.
As the internet has matured, it’s removed numerous points of friction, but authentication continues to pose significant security, privacy, and usability challenges. For many reasons, the old standard of a password and username simply doesn’t cut it anymore. But requiring users to create complex password and username combinations for each service they want to access can be cumbersome and inefficient. It increases user drop-off rates at both sign-up and login, directly contributing to higher customer acquisition costs (CACs) and lower lifetime values of users (LTVs). Our platform enables developers – who normally face tremendous time and effort hurdles in building authentication workflows – to build great applications that provide both safe, secure authentication and great user experiences.
A great user experience and secure authentication are not mutually exclusive. In fact, just the opposite. Friction on the Internet can be eliminated while improving security. 81% of all data breaches online stem from insecure passwords. And the friction of passwords primarily contributes to these security issues – when users are asked to create countless, complex passwords every day, it’s no surprise that users instead choose to reuse the same password that they use on many different sites. This creates a chain of risk when one of those services is breached.
Our customers experience major conversion increases and fewer security risks simultaneously every day. How we do it is by providing a wide variety of passwordless authentication solutions for different business needs. There are many options on the table, including email magic links, SMS one-time passcodes, WebAuthn (TouchID/FaceID and YubiKey support), OAuth, and multifactor flows using a combination of these methods.
We’re building solutions that reimagine user infrastructure, starting with out-of-the-box and customizable passwordless authentication products that are easy for engineering teams to integrate. With our flexible APIs and SDKs, our customers can improve user conversion, retention, and security – all while saving valuable time.
Cybersecurity can seem like a game of whack-a-mole. No sooner do security experts get wise to the latest threats than attackers modify their tactics, discover fresh vulnerabilities, and develop new lines of offense. We’re seeing a rise in all forms of cyberattacks, from malware to phishing and denial of service (DoS) attacks. There’s also a constantly growing arsenal of cybersecurity threats, with others including zero-day exploits, Internet of Things (IoT) attacks, rootkits, and cryptojacking. In the fight against cyberattacks, we’re equipping developers with the latest, strongest passwordless products, from email magic links and SMS one-time passcodes to WebAuthn built-in biometrics and specialized hardware keys.
Password overload is a ballooning issue. Surveys have found that the number of password-protected accounts per user has increased exponentially in recent years, in response to an explosion of new apps and online services. One study found that between 2019 and 2020 alone – with people likely spending more time online due to the COVID-19 pandemic – the number of passwords per user jumped 25%, from an average of 70-80 to 100.
A recent poll also showed that most users don’t take advantage of existing password managers. As a result, 37% forget a password at least once a week, increasing the likelihood they’ll abandon a commercial account or leave a purchase incomplete.
A seemingly logical solution to password vulnerability – mandating more complex and therefore more secure passwords – is not viable. The variety of password requirements proliferating across platforms poses major usability challenges, as Internet users confront byzantine protocols to set and reset convoluted passwords that prompt many to abandon the desired task in the first place.
Moreover, experts argue that despite the oft-noted trade-off between security and usability, other efforts to improve password security are self-defeating. Requiring frequent password changes or preventing paste functionality simply leads people to adopt weaker passwords and repeat them across accounts, threatening a cascade of breaches.
Given the shortcomings of passwords, the shift to passwordless authentication feels inevitable. Still, skeptical companies may be reluctant to abandon authentication solutions they’re familiar with. A common mistake in recent years has been treating alternative authentication methods as second-factor, rather than primary-factor, candidates.
Most companies are unaware that they already have passwordless flows in place, and they’ve needlessly complicated these processes for users. Whenever a customer passes through a site’s password reset protocol, they’re essentially experiencing passwordless authentication.
One of the main problems in moving to passwordless authentication: for developers building out authentication flows, it’s a time-consuming and error-filled process that can involve multiple engineers and many months of maintenance annually. That’s what Stytch’s platform helps them overcome.
Strong encryption for sensitive data at rest and data in motion is always recommended. Additionally, taking advantage of modern vulnerability scanning tools like Snyk is understandably a popular defense mechanism. Overall, embedding security engineering training into all engineering functions regardless of whether they are on the security engineering team is critical to building a culture of security.
We think biometric authentication is poised to see a huge uptick of adoption in the next couple of years. Historically, we’ve only been able to use biometrics with native iOS and Android applications. They haven’t been available in web-based experiences – however, with the introduction of the WebAuthn protocol, that’s finally becoming possible. This provides biometrics their best chance to become ubiquitous. While WebAuthn is really promising, it’s also complex to integrate, which is why we offer it through simple API integration with Stytch.
We have more biometric authentication products coming out soon, and we’re also releasing a number of products in the Web3 authentication space. Web3 authentication has some definite UX shortcomings today, but if those are overcome, there are some really compelling fundamental shifts to how users authenticate in Web3 that we’re quite excited about.
by Kristina Jarusevičiūtė, Cybernews