Nearly half (48%) of users say it's "very likely" they would abandon a website when told a new password cannot be the same as their old password, according to research on consumer password resets. Another 21% say it's "somewhat" likely they would abandon the site.
The Beyond Identity study, based on more than 1,000 responses, also found one in four online shoppers were willing to abandon a cart of $100+ if they had to reset their password to check out. On average, researchers found an online cart totaling $162 was the highest amount respondents would be willing to abandon when experiencing password difficulties while shopping.
In other key findings, nearly 50% of respondents reported having to reset their bill-paying account password at least once a year because of login issues. Baby boomers were the generation most likely to use old passwords when resetting account credentials.
"Consumers have a lot of friction with passwords," says Jing Gu, senior product marketing manager at Beyond Identity. "In many instances, consumers are not able to complete the interaction with a product, whether it's transferring money, paying bills, purchasing from gaming sites, or accessing info while traveling. The password is a revenue problem. When customers drop off, you can lose them forever."
The study's results correlate with some highly regarded industry research from the past few years, Gu adds. Gartner has reported that between 20% and 50% of all help desk calls are for password resets. Forrester Research found the average help desk labor cost for a single password reset is about $70.
A Passwordless Future?
Beyond Identity's research inevitably leads to a discussion about passwordless authentication, a technology that prompts a range of responses from security practitioners.
This fall, the company released a new product for business-to-consumer websites that gives site visitors the option to set up passwordless authentication for themselves. It is currently being piloted by businesses across financial technology, travel, and software.
How it works: The tool lets visitors opt in to passwordless authentication by signing up with their username (typically an email address). They are then sent a link; when they click, a public-private key pairing is made and an X.509 certificate gets issued. From then on, when the visitor accesses the site, they can enter their email address and are fully logged on.
"The burden of authentication is taken off the user," Gu says.
Sounds too good to be true, right? Security analysts and researchers are mixed on the new tech. Some are all-in; others aren't so sure.
Frank Dickson, program vice president for security and trust at IDC, is on the more cautious side, though he says the industry has been moving closer to the reduction of passwords.
"The reality is that consumers are making vendor selection choices based on the friction presented," Dickson says. "Companies are weighing technology investment decisions against fraud expenses and lost customer opportunity. Customer e-commerce experiences are becoming a differentiator, clearly. More elegant consumer authentications are not a question of 'if' but 'when.' The 'when' will be a story of evolution rather than revolution."
Jack Poller, a senior analyst with Enterprise Strategy Group, believes more passwordless applications will emerge in 2022, and points out that Microsoft has been driving passwordless authentication by setting it as a default in Windows 11. As more Windows 11 machines emerge, especially around the holidays, this default setting will help more users better understand the new authentication method.
"And then consumers will demand passwordless for their most treasured and important online accounts – banking and shopping," Poller says. "Next, they'll want that same convenience and security for their work accounts."
Some security researchers were a bit more skeptical.
John Bambenek, principal threat hunter at Netenrich, says passwordless authentication holds promise, but in practice, it simply becomes "authenticationless."
"What helps account takeovers is true multifactor authentication and the use of password managers, which can help minimize password resets or enable the ability to detect account takeover," Bambenek says. "While e-commerce sites want to maximize the flow of orders, that priority can’t lead to a security race-to-the-bottom."
Tyler Shields, CMO at JupiterOne, says enterprises need to drive toward creating easy-to-use security experiences that deliver an adequate level of security to the technologies modern consumers demand. A great example of this is the move to single sign-on and passwordless authentication.
"Users have failed to maintain proper passwords for decades," Shields says. "That will never change. So, innovation must build an easy-to-use alternative that provides proper security with a better user experience. Enterprises must find the right balance of technology innovation alongside security for traditional models."