FIDO Alliance study reveals growing demand for password alternatives as AI-fuelled phishing attacks rise in Asia-Pacific

The increased desire for biometrics and awareness of passkeys heightens the imperative on service providers to enable stronger, more user-friendly sign-ins

Summary of key findings in Asia-Pacific (APAC): 

• Password usage without two-factor authentication (2FA) is still dominant across use cases – consumers enter a password manually nearly 4 times a day, or 1,200 times a year
• But when given the option, users want other authentication methods – on average, biometrics is both the preferred method for consumers to log-in and what they believe is most secure, while awareness of passkeys continues to grow
• Online scams are becoming more frequent and more sophisticated, likely fuelled by AI – over half (58%) have seen an increase in suspicious messages and scams, while 56% believe they have become more sophisticated
• The impact of legacy sign-in methods is getting worse – the majority of people are giving up accessing services online (62%) and many are abandoning purchases (45%) because they could not remember their passwords – this is 8% more likely than last year at nearly four times per month per person

Singapore, October 17, 2023 – FIDO Alliance today publishes its third annual Online Authentication Barometer, which gathers insights into the state of online authentication in ten countries across the globe, including Australia, Singapore, Japan, South Korea, India and China in the Asia-Pacific region. New to the Barometer this year, FIDO Alliance has also begun tracking consumer perception of threats and scams online in a bid to understand anticipated threat levels regionally and globally. 

Key findings 

The 2023 Online Authentication Barometer found that despite widespread usage of passwords lingering on, consumers want to use stronger, more user-friendly alternatives. Entering a password manually without any form of additional authentication was the most commonly used authentication method across the use cases tracked in APAC – including accessing financial services (33%), work computers or accounts (39%), streaming services (27%), social media (30%), and smart home devices (19%). Consumers enter a password manually nearly four times a day on average, or around 1,200 times a year. 

This is especially interesting considering biometrics’ rising popularity as an authentication method. When asked what authentication method people consider most secure and the method they most prefer using, biometrics ranked as the favourite in both categories. Notably, Singapore leads this trend, with 35% of people indicating biometrics as the most secure and 41% selecting it as their most preferred method. This suggests that consumers want to use biometrics more but do not currently have the opportunity.

“In Asia-Pacific, we see a growing interest among consumers in adopting more robust authentication methods, with biometrics emerging as a favoured choice. This year’s Barometer data supports this trend by showing that APAC consumers are on par with other regions globally in looking to reduce their reliance on legacy authentication methods. Nonetheless, the persistently high password usage without 2FA is a concern, highlighting how little consumers are offered alternatives like biometrics, resulting in lingering usage,” commented Andrew Shikiar, Executive Director at FIDO Alliance. 

Scams are getting more frequent and more sophisticated – likely fuelled by AI 

This year’s Barometer also unearthed consumer perception of threats and scams online. In APAC, 58% of people have noticed an increase in suspicious messages and scams online, while 56% believe these have become more sophisticated. Consumers in India perceived this change the most, with 75% detecting a rise in scams and 74% sensing their growing sophistication.

Threats are seen to be active across several channels, but primarily email, SMS messages, social media, and fake phone or voicemails. The increased accessibility of generative AI tools is a likely driver of this rise in scams and phishing threats. Tools like FraudGPT and WormGPT, which have been created and shared on the dark web explicitly for use in cybercrime, have made crafting compelling social engineering attacks far simpler, more sophisticated, and easier to do at scale. Deepfake voice and video are also being used to bolster social engineering attacks, tricking people into thinking they are talking to a known trusted person.  

Shikiar added: “Phishing remains the most used and effective tactic by cybercriminals to steal information, making passwords vulnerable no matter how complex they are. With new AI tools that make phishing attacks even more convincing and widespread, it’s crucial for service providers in the Asia-Pacific region to pay attention. Instead of sticking with old and unreliable methods like passwords and one-time codes (OTP), we need to start using stronger and simpler options like passkeys and on-device biometrics.”

Passkeys, which provide secure and convenient passwordless sign-ins to online services, have grown in consumer awareness in APAC despite still being live just over a year, rising from 41% in 2022 to 58% awareness today. The non-phishable authentication method has been publicly backed by many big players in the industry – Google recently announced that passkeys are now available for all its users to move away from passwords and two-step verification, as has Apple, with other brands like PayPal also making these available to consumers in the last twelve months.  

The impact of legacy sign-ins worsens for businesses and consumers 

The negative impact caused by legacy user authentication was also revealed to be getting worse. 62% of people have given up accessing an online service and 45% have abandoned a purchase in the last 60 days, with the frequency of these instances rising year on year to nearly four times per month, per person, up by around 8% from last year. Poor online experiences are ultimately hitting businesses’ bottom lines and causing frustration among consumers. 

Globally, 70% of people have had to reset and recover passwords in the last two months because they’d forgotten them, further highlighting how inconvenient passwords are and their role as a primary barrier to a seamless online user experience. 

About the FIDO Alliance 

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.