What’s holding APAC back from passwordless access? – Part 2

Image created by Microsoft Bing.

Consumers around the world are increasingly frustrated with legacy sign-in methods. This year, there’s been a 15.72% increase in instances where individuals abandoned a purchase or gave up accessing an online service because they forgot their password.

In China, for example, the average person abandoned a purchase or an online service 3.79 times daily, a rise from 2.87 times in 2022, FIDO Alliance’s 2023 Online Authentication Barometer revealed.

Andrew Shikiar, Executive Director and CMO, FIDO Alliance, highlights the burden of remembering complex, frequently changing passwords for numerous apps and websites. “It’s very difficult for consumers to manage passwords, but the real cost comes down to your businesses, to governments, and really to the overall integrity of our networked society. Passwords are the leading cause of data breaches, resulting in direct and reputational costs for businesses associated with breaches,” he said.

Aside from these, the CMO also warned about opportunity costs related to passwords.

“In the past six months, roughly half of consumers have abandoned the purchase because they didn’t know their password. So think about all the money missing from e-commerce providers, other people who wish to sell things online, but can’t because consumers simply cannot sign in to their accounts,” Shikiar continued.

Part one of this report highlighted significant strides in Asia-Pacific to reduce reliance on passwords, as seen in Vietnam, Singapore, and South Korea.

Part two focuses on the passwordless situation in China, Thailand, Malaysia, ANZ, and India.

Chinese banks leading the way

Henry Chai, CEO of GMRZ Technology, Lenovo, and co-chair of the FIDO China Working Group. Photo courtesy of FIDO Alliance.

In China, the banking industry was the first to adopt FIDO (Fast IDentity Online) technology, in 2016. By 2021, over 90 banks in the country had adopted FIDO authentication standards, shared Henry Chai, CEO of GMRZ Technology, Lenovo, and co-chair of the FIDO China Working Group.

Following banking, FIDO deployment has also been observed in the e-commerce, government, education, and healthcare sectors.

“The e-commerce industry is an important application field. With the rapid development of e-commerce, users demand a better shopping experience and enhanced transaction security. With FIDO authentication technology, e-commerce websites can provide users with a more convenient shopping experience while ensuring the security of transactions. Users no longer need to remember complex passwords or worry about password theft; they can authenticate using their existing hardware devices such as mobile phones and tablets, simplifying their shopping,” Chai said.

In the government space, FIDO standards are applied in various areas:

  • Online tax declaration: Some local tax departments use FIDO technology for online declarations, enabling taxpayers to use FIDO certificates for a simplified and efficient process.
  • Digital signature: Various government agencies use FIDO technology for digital signature authentication, enhancing the security and integrity of electronic documents and data.
  • Mobile government services: Certain local governments have integrated FIDO technology into their government services. Citizens can access and manage services such as viewing their social security information and paying utility bills.

As for education and healthcare, FIDO technology helps students in quickly accessing online learning platforms, the same way patients can easily and securely book a medical consultation without worrying about stolen or forgotten passwords, Chai noted.

Despite these developments, FIDO adoption in China is still facing several challenges:

  • User awareness and acceptance: Users might have concerns about the security of passwordless methods and could be hesitant to replace traditional passwords with new technologies.
  • Technology standardisation and compatibility: Passwordless authentication necessitates a unified standard for cross-platform and cross-service compatibility. There are still some differences in the implementation of different FIDO standards, needing further standardisation and coordination.
  • Deployment costs and workload: Implementing passwordless authentication is a step-by-step process, requiring new software or hardware, alongside staff training. This process can divert resources from other tasks or strategic projects, and incurs costs like purchasing devices, tokens, or smart cards.
  • Technical complexity: Passwordless technology — which involves public key cryptography, digital signatures, and other technologies — is more complex than traditional cryptographic authentication methods. This complexity can make deployment, maintenance, and troubleshooting more challenging.
  • Service provider adoption: While FIDO standards are widely used in banking, other industries may need more time to evaluate and adopt this technology. Service providers must consider factors such as user experience, security risks, and costs when selecting authentication methods.
  • Security issues: Despite improved security, passwordless methods aren’t without flaws. For example, loss or theft of a user’s device could expose authentication data. Additionally, attackers may try to forge or intercept authentication data such as dynamic passwords to gain access to the user’s identity information.

“Overall, the widespread application of passwordless authentication methods requires the joint efforts of users, service providers, and technology developers to address various challenges and promote further development and adoption,” Chai said.

Thailand’s tourism push

Thailand, like its neighbours, is working towards fostering safe and secure digital identities, not only for its citizens, but soon for enterprises and foreigners, as well.

This is particularly urgent because phishing scams continue to persist in the country.

Khanit Patong, Advisor and Chief Information Officer, Thailand Electronic Transactions Development Authority (ETDA). Photo courtesy of FIDO Alliance.

“The bad actor sends a fake application to your mobile device, which then interacts with your mobile banking apps, conducting unauthorised transactions. Many people in Thailand are currently encountering this problem,” shared Khanit Patong, Advisor and Chief Information Officer at the Thailand Electronic Transactions Development Authority (ETDA).

Patong noted that passwords are still prevalent in industries like telco and banking.

“Many companies continue to rely on passwords, supplementing them with another factor, usually an OTP. This approach, combining something you know with something you have, is intended to increase security, but it’s not highly secure,” she said.

The ETDA, unable to mandate industry-wide adoption of more secure authentication standards, is working with regulators like Bank of Thailand for banking and the National Telecom Committee for telecommunications.

However, passwordless adoption, especially for banks in Thailand, still has many roadblocks to clear, Patong admitted.

“We talked with Bank of Thailand, but we didn’t specify that the authentication technology should be FIDO. However, transitioning the Thai banking sector from traditional methods to FIDO will likely take some time. Mobile banking has been in Thailand for over a decade. This means there’s already a significant investment in the existing mobile banking infrastructure. Switching to a new authentication standard, like FIDO, would require an overhaul of the whole system. Additionally, FIDO’s reliance on cryptographic technology means that mobile devices must be capable of handling such technology,” she explained.

Meanwhile, one of Thailand’s anti-fraud measures is enhancing digital identity security. ThaID, a mobile app designed to streamline access to online government services via fingerprint and/or facial verification, had nearly 6.2 million registered users by August 2023.

NDID, another app developed by the private sector for functions such as opening bank accounts, registered 9.2 million users by August 2023.

Then there is Paotang, an app created by Krungthai Bank, which had 37.3 million registered individuals as of December 2022. According to ETDA’s Khanit Patong, Thais received financial aid during the pandemic through the mobile wallet.

These initiatives are crucial building blocks for 2024, as the country plans to introduce digital IDs for corporations and tourists.

“For the next year, we need to work with the Department of Business Development, or DBD, to potentially build a platform or service enabling corporate transactions using the digital ID. Introducing digital IDs for foreigners could open up numerous services to them, potentially boosting Thailand’s tourism,” the Chief Information Officer noted.

Malaysia bets on passwordless

Chong Seak Sea, CTO, SecureMetric. Photo courtesy of FIDO Alliance.

As an increasingly digital nation with burgeoning local tech companies establishing a presence in the region, Malaysia is optimistic about adopting passwordless solutions to counter cyberthreats, such as phishing and ransomware.

According to Chong Seak Sea, CTO of SecureMetric, a Malaysian passwordless solutions provider, the move towards passwordless is prompted by the high incidence of stolen login credentials, which criminals use to steal money, among other things.

However, he acknowledged that passwordless adoption in the country is still relatively low compared to other APAC neighbours.

“The main reason is that many organisations still rely on legacy systems and applications that were designed with traditional username and password authentication in mind. Integrating passwordless authentication into these systems can be challenging and may require significant updates or replacements,” Sea noted.

The CTO outlined five other challenges to passwordless adoption in Malaysia:

  • System compatibility issues
  • User habits
  • Implementation/deployment cost
  • Security/trust concerns regarding new technologies
  • Regulatory compliance

One beacon of light, according to Sea, is that the Malaysian government has begun passwordless adoption, particularly focusing on FIDO-based cryptography.

“The National Agency of Cyber Security, Malaysia (NACSA) is the first government-level adoption of FIDO and passwordless technology in the country. Critical National Information Infrastructure (CNII) users will authenticate using FIDO as a security token for authentication and securing the applications and sensitive data,” he said.

ANZ region takes a major security leap

In Australia, over 4,500 new scam cases involving the government services portal myGov have been recorded in 2023, leading to losses of AU$3.1 billion. The Australian government has identified various types of scams, including:

  1. myGov scams
  • myGov text message link scams
  • myGov phishing email scams
  • myGov automated phone call scams
  2. Medicare scams
  • Medicare phishing scams
  • Text message scam for free COVID-19 test kit
  • COVID-19 vaccination reward text message scam
  • Electronic funds transfer email scam
  3. Centrelink scams
  • Centrelink impersonation phone call scams
  4. Other Services Australia scams
  • Fake Services Australia social media profiles
  • Fake disaster relief agencies
  • Fake LinkedIn messages

In response, passkeys will be introduced as a more secure means of accessing the government portal, as well as a digital ID that will help simplify user verification.

In New Zealand, Air New Zealand has adopted passkeys as their preferred login method due to its enhanced security. The airline asserts that passkeys will enable travellers to quickly verify their identity, thereby safeguarding their information from unauthorised access.

India’s public sector rallying behind passwordless

In India, the world’s second-largest online market with over 900 million internet users, the government is actively working to update security protocols, particularly for frontline services.

According to FIDO Alliance’s Andrew Shikiar, numerous government agencies and enterprises, including ReBIT, the IT arm of RBI (Reserve Bank of India), have already adopted FIDO security keys for their internal applications.

Andrew Shikiar, Executive Director and CMO, FIDO Alliance. Photo courtesy of FIDO Alliance.

“Moreover, the Controller of Certifying Authorities (CCA), which endorses FIDO as a second-factor authentication method, is committed to promoting robust and user-friendly cybersecurity measures,” he continued.

Within the Government eMarketplace (GeM), which is under the Ministry of Finance, FIDO has also been included as one of the authentication options. This development, Shikiar said, indicates a potential rollout of biometric FIDO2 devices as a secondary authentication factor.

To conclude, Shikiar noted that passwords have existed for over 60 years, and, as is the nature of technology, they have to evolve to meet the needs of the current generation.

“Passwords and knowledge-based credentials are a huge threat because they can be phished. Phishing remains the top and most successful attack vector for scalable remote attacks, and that’s only gonna get worse with AI. There are two solutions: One is to attack it with more AI, but moving to FIDO authentication will prevent people from being phished. Even the best-designed AI-generated phishing attacks will not be successful if someone cannot be phished based on the tools they have in their hand, such as FIDO authentication,” he said.
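The phishing resistance Shikiar describes, and the contrast with the password-plus-OTP combination Patong calls “not highly secure”, comes down to one mechanical property of FIDO/WebAuthn: the authenticator signs a challenge together with the origin the browser actually talked to, so a credential presented to a look-alike site cannot be replayed against the real one. The following Go program is an added illustration, not code from the article, the FIDO Alliance, or any vendor quoted here. It simulates a relying party, a browser that fills in the origin, and an authenticator holding an ECDSA P-256 key, following the WebAuthn “get” ceremony in simplified form (the hostnames `bank.example` and `bank-login.example` and all other values are constructed for the example).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// ClientData mirrors the fields of WebAuthn clientDataJSON. The browser,
// not the web page, fills in Origin, which is what makes the scheme
// phishing-resistant: a page cannot lie about where it is served from.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the authenticator returns for a sign-in ceremony.
type Assertion struct {
	ClientDataJSON []byte
	AuthData       []byte // rpIdHash || flags || counter (simplified layout)
	Signature      []byte // ES256 signature over AuthData || SHA-256(ClientDataJSON)
}

// RelyingParty is the server side: it knows its own origin, its RP ID and
// the public key registered for the user, and tracks outstanding challenges.
type RelyingParty struct {
	Origin     string
	RPID       string
	PubKey     *ecdsa.PublicKey
	challenges map[string]bool
}

// Authenticator simulates the user's device. The private key never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// Setup registers a fresh credential with the relying party (constructed values).
func Setup(origin, rpID string) (*RelyingParty, *Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rp := &RelyingParty{Origin: origin, RPID: rpID, PubKey: &priv.PublicKey, challenges: map[string]bool{}}
	return rp, &Authenticator{priv: priv}, nil
}

// NewChallenge issues a random, single-use challenge for one sign-in attempt.
func (rp *RelyingParty) NewChallenge() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	c := base64.RawURLEncoding.EncodeToString(buf)
	rp.challenges[c] = true
	return c, nil
}

// Sign models the browser at `origin` asking the authenticator to sign.
// A real browser would already refuse when rpID is not a registrable
// suffix of origin; the server-side check below is the second line of defence.
func (a *Authenticator) Sign(origin, rpID, challenge string) (Assertion, error) {
	cd, err := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags = user present, counter = 1
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, msg[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{ClientDataJSON: cd, AuthData: authData, Signature: sig}, nil
}

// Verify performs the relying-party checks in the order WebAuthn prescribes:
// ceremony type, origin, challenge freshness, RP ID hash, then the signature.
func (rp *RelyingParty) Verify(a Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected ceremony type")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin %q does not match expected %q", cd.Origin, rp.Origin)
	}
	if !rp.challenges[cd.Challenge] {
		return errors.New("unknown or already-used challenge")
	}
	delete(rp.challenges, cd.Challenge) // single use: blocks replay
	rpHash := sha256.Sum256([]byte(rp.RPID))
	if len(a.AuthData) < 32 || !bytes.Equal(a.AuthData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(rp.PubKey, msg[:], a.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	rp, auth, _ := Setup("https://bank.example", "bank.example")
	c, _ := rp.NewChallenge()
	good, _ := auth.Sign("https://bank.example", "bank.example", c)
	fmt.Println("genuine site:", rp.Verify(good))
	fmt.Println("replay:      ", rp.Verify(good))
	c2, _ := rp.NewChallenge()
	bad, _ := auth.Sign("https://bank-login.example", "bank.example", c2)
	fmt.Println("look-alike:  ", rp.Verify(bad))
}
```

The point of the look-alike case is that the relaying site receives a perfectly valid signature, just one bound to its own origin; unlike a relayed OTP, that signature is useless against the real relying party, and the challenge being single-use closes the replay path as well.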