
2FA: UX Friend or Foe?

Disclaimer - Any views or opinions presented in this blog post are solely those of the author and do not necessarily represent those of Badge Inc. Badge does not endorse single-factor authentication in any form and suggests the use of multifactor authentication.


We're all familiar with two-factor authentication (2FA). The approach has been widely adopted by the companies and organizations we regularly engage with as consumers. The security measure requires users to provide two authentication factors (drawn from what you have, what you are, and what you know) to verify their identity when logging in to an online service. Usually this means entering a password and a code sent to the user's phone via text message or an app. The goal of 2FA is to combat fraud attributed to compromised usernames and passwords, which are readily available for purchase on the dark web.

However, 2FA also has some drawbacks and limitations that I am sure you can relate to. One of the main problems with 2FA today is that you lose access to pretty much everything when your phone dies. The experience is the same when you move to a new or shared device. This can be frustrating and time-consuming, especially if you have no device access at all, and often we are forced through a lengthy and complex recovery process.


If you've ever tried to transfer money or log in to an application to perform a specific task, you know the feeling: you're returning an Amazon package at Kohl's, your phone dies, and you can't log in from someone else's phone because 2FA is on and the security code is being sent to your dead phone. Super helpful! You get the point. This problem not only hurts the user experience; it bottlenecks commerce and is lost revenue for organizations.


The main reason for this is that most 2FA methods rely on a device or a token as the trust anchor, which means the user needs to have that device or token with them at all times to receive or generate verification codes. This adds friction to the user experience and cost to the organization, and creates an entry point for fraud.


That's the paradigm of old, and it has influenced device-based authentication practices and standards like FIDO (Fast Identity Online) for years. Of course, who doesn't want to sell you a $1,000 pocket PC every couple of years? I digress. Now close your eyes. (Read this first, then close your eyes.) Remember the old days, when your life didn't abruptly stop when your phone died? Remember when you could still hail a ride, verify your identity and make transactions, all without your phone? Give us that -- the best of both worlds, please.


Picture this new identity paradigm -- the one promised to us by decentralized and self-sovereign identity enthusiasts -- a world that enables the freedom of the old days with the modern convenience of today's digital commerce. What if I could pay with my face and hail a taxi by making a unique hand gesture at a kiosk? What if I could still maintain 2FA even when my phone dies? Now we're cooking.


That world would involve a monumental shift, yet one that would be non-disruptive to the consumer: moving the trust anchor for digital identities to the human instead of a manifestation of PII within a disposable piece of hardware.


Simply put, it would make people their own roots of trust, rather than their device or token. This means that users can authenticate themselves using biometric factors, such as their fingerprint, face, voice, or iris, which are unique and inherent to them. Biometric factors can be combined with other factors, such as passwords or PINs, to create a strong and convenient 2FA method that does not depend on a device or token. With biometric 2FA, users can move freely across devices and platforms without losing access to their accounts or compromising their security.
