
B2C Authentication is Broken: Here's Why

Authentication for B2C websites & apps is broken. Discover why traditional authentication methods fail and are disliked by companies and consumers alike.


Vincent

Created: June 13, 2024

Updated: August 19, 2024


Our mission is to make the Internet a safer place, and the new login standard, passkeys, provides a superior solution to achieve that. That's why we want to help you understand passkeys and their characteristics better.

TL;DR: Authentication for B2C Apps & Websites is Fundamentally Broken in 2024

Current B2C (Business-to-Consumer) authentication solutions do not address the most prominent security issue: In most cases the attacker is in possession of the correct password – no matter how complex it is. While the security industry is preaching MFA as the solution, both B2C companies and consumers dislike MFA for different reasons.

In our founder team, we have witnessed this pain on both sides. Of course, most people will say that we believe passkeys are the best authentication method because we started a passkey-first authentication company. However, we are not obsessed with passkeys. We are obsessed with the solution: protecting customers and making the internet safer.

For decades, there was no approach to bringing everything together. With passkeys, there is now a chance to fix B2C auth. Read the short version of why we think that especially B2C authentication is broken, and jump into the details further below:

  1. The Rules Of The Auth Game Nobody Cares About: Despite widespread knowledge and efforts to safeguard consumer accounts, these accounts remain at high risk due to common poor practices like password reuse and weak passwords.

  2. B2C Sector Has Unique Security Challenges: The B2C sector faces significant security challenges due to inexperienced users, its scale, and the prioritization of user experience over security.

  3. Leaky by Design: Even Complex Passwords Are Ineffective: Complex passwords are not as effective as expected for the average consumer.

  4. Password Managers Address Symptoms, Not the Cause: While password managers help, they still have rather low adoption rates and do not entirely prevent risky user behavior like password reuse or mitigate social engineering attacks.

  5. Consumers Hate MFA: Two-Factor Authentication (2FA), despite its security benefits, is unpopular among both consumers & B2C companies due to its inconvenience resulting in low adoption rates.

  6. MFA is Expensive, Recovery is a Mess & Friction is Terrible: The consumer-preferred MFA method via SMS OTP is costly and introduces friction that impacts conversion rates.

  7. Risk-Based Authentication Is A False Friend: Risk-based authentication can be unreliable due to false positives. Besides, for B2C companies, it’s expensive and complicated to set up and maintain.

  8. Could Passkeys Be The Holy Grail For B2C Auth?: Passkeys offer a simpler, phishing-resistant, and more secure alternative. By eliminating traditional passwords and reducing reliance on costly MFA methods, they have the potential to revolutionize B2C authentication with a better user experience and reduced operational costs.

We are aware that the passkey ecosystem is new and that there is substantial critique of the current state of implementations. We have already addressed this critique explicitly, hoping it will help others.

This article aims to explain why a change in thinking about B2C authentication is overdue:

#1 The Rules Of The Auth Game Nobody Cares About

Let’s be honest and come straight to the point: Hundreds of billions of consumer accounts worldwide are at risk (it’s not a typo, we mean BILLIONS). Sources report that 20-50 billion user credentials are available in the dark web. Even though a gigantic industry around protecting consumer identities and thousands of authentication solutions exist, the number of account take-overs (ATOs) and account breaches is increasing:

[Figure: Account takeover increase. Taken from: https://www.security.org/digital-safety/account-takeover-annual-report/]

Something is not right. There are a lot of recommendations for B2C companies, software developers and consumers on how to choose a secure password, how to implement authentication protocols correctly or how to promote MFA usage. However, nothing really changes.

While elaborate effort is put into providing technically secure solutions, the hidden truth is that the underlying assumptions about how users of B2C products authenticate online are simply wrong:

  • Users should use unique, strong passwords: They do not.

  • Users should not re-use passwords: They do it all the time.

  • Users should use password managers: They do not.

  • Users should not save passwords in the browser: They do it all the time.

  • Users should activate MFA wherever possible: They do not.

  • Users should not choose SMS OTPs as MFA option as it’s not secure: They do it all the time.

  • Users should always check if they enter passwords on the correct URL: They do not.

  • Users should not share their credentials with anybody else: They do it all the time.

In case you are in doubt, just ask your significant other (or close friends) who do not work in tech how they manage their passwords for their personal accounts.

The reality is that everyone working for a larger B2C company, or any site large enough to be a target for a data breach, knows that the statements above are 100% true.

Users understand the rules, but they ignore them. Despite their understanding, users frequently fail to adhere to these practices:

[Figure: Users understand but ignore security best practices. Taken from: https://services.google.com/fh/files/blogs/google_security_infographic.pdf]

Here’s a real-world example we have witnessed (I bet you will not believe this):

  1. Data Breach Was Detected: In our founder team, in prior roles, we have been involved in the development and maintenance of authentication solutions where a detection for breached accounts was implemented (via risk detection and leaked password matching).

  2. System Conducted Password Reset: When a specific breach was detected and stopped, the password was then systematically reset for the user, with an appropriate message instructing them to set a new password via the password reset process.

  3. Enforce New Password: Using the breached password again was prohibited during the initial password reset process, with an explanation provided for why this is the case.

  4. User Sets Old, Breached Password Again: Once a new password was set, the password history was reset to minimize the storage of personal data in the database. What we encountered repeatedly, after the same users were nearly breached again, was that users would discover they could set their leaked password again in a second change following the first one. Some of them would even go through this process multiple times.

This example shows: B2C authentication is different. The company behind an app, website or online service needs to fully own the responsibility to protect user data even if consumers are negligent.
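The failure mode in step 4 above comes from treating the breached password like any other history entry, so that pruning the history for data minimization also forgets the one password that must never come back. The following Python example is added here to show one way to keep the two concerns apart; it is not code from the original post or from Corbado. It uses only the standard library, the policy value HISTORY_DEPTH and the PBKDF2 round count are assumptions chosen for the example, and it keeps only the salted hash of the leaked password, never its plaintext:

```python
import hashlib
import os
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

HISTORY_DEPTH = 5        # assumed policy value: ordinary history entries kept per account
PBKDF2_ROUNDS = 20_000   # kept low so the example runs quickly; production uses a much higher count or Argon2id


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 from the standard library."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes

    def matches(self, password: str) -> bool:
        return secrets.compare_digest(hash_password(password, self.salt), self.digest)


def new_record(password: str) -> PasswordRecord:
    salt = os.urandom(16)
    return PasswordRecord(salt, hash_password(password, salt))


@dataclass
class Account:
    current: Optional[PasswordRecord]
    history: List[PasswordRecord] = field(default_factory=list)  # pruned to HISTORY_DEPTH entries
    blocked: List[PasswordRecord] = field(default_factory=list)  # passwords seen in a breach; never pruned


def create_account(password: str) -> Account:
    return Account(current=new_record(password))


def mark_compromised(account: Account) -> None:
    """Called when breach detection or leaked-password matching fires for this account.
    The salted hash that is already stored is moved to the permanent block list, so no
    plaintext has to be retained, and the account is forced into a password reset."""
    if account.current is not None:
        account.blocked.append(account.current)
    account.current = None


def change_password(account: Account, new_password: str) -> None:
    """Reject any password ever flagged as breached first, then any recently used one."""
    if any(rec.matches(new_password) for rec in account.blocked):
        raise ValueError("this password appeared in a breach and can never be used again")
    recent = account.history + ([account.current] if account.current is not None else [])
    if any(rec.matches(new_password) for rec in recent):
        raise ValueError("this password was used recently")
    if account.current is not None:
        account.history.append(account.current)
    # Data minimization applies to the ordinary history only; the block list survives pruning.
    account.history = account.history[-HISTORY_DEPTH:]
    account.current = new_record(new_password)


def verify_login(account: Account, password: str) -> bool:
    return account.current is not None and account.current.matches(password)


if __name__ == "__main__":
    acct = create_account("Summer2023!")   # constructed sample password
    mark_compromised(acct)                 # breach detection fires; account enters reset
    change_password(acct, "Fresh-Pass-1")
    try:
        change_password(acct, "Summer2023!")
    except ValueError as err:
        print("second change refused:", err)
```

The point of the split into `history` and `blocked` is that the retention policy for one list can be as short as the privacy team wants while the other list is only ever appended to; the user in the story would have been refused on the second change exactly as on the first.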

#2 B2C Sector Has Unique Security Challenges

The B2C segment is the weakest link when it comes to the security of user accounts and account takeovers. This is driven by two major aspects:

  1. Vast size of B2C auth market: The vast majority of all existing user accounts in the world are B2C accounts. Today, there are about 5.3 billion internet users and about 100 accounts per user, resulting in over 500 billion user accounts in the world. Most of these accounts are created for small and medium-sized B2C products and services, which run smaller systems that lack sophisticated protection mechanisms.

  2. B2C accounts have the lowest security posture: From all kinds of user accounts in the world, B2C user accounts are least protected. Below you find a comparison of the most important authentication segments and how they differ. The red area indicates which factors contribute to low account security.

[Figure: Overview of B2C authentication challenges]

Most of the time, B2C businesses depend on their customers to log in to generate revenue (with a much lower customer lifetime value than in B2B). Often, the creation of the user account is seen as a barrier. Therefore, B2C accounts can very often be created with simple passwords and intentionally do not require further protection to minimize friction for users.

Today, the most common authentication method for B2C accounts, email and password, is single-factor authentication.

To provide user convenience while keeping security levels high, requiring unique passwords with a certain complexity is seen as the solution, but it is not, as we will see in the next section.


#3 Leaky by Design: Even Complex Passwords Are Ineffective

The harsh reality is that complex and unique passwords, though ideal in theory, fall short in practice for several reasons:

  • Users Hate Complex Passwords: Creating truly unique or complex passwords for each account is a nightmare. Users often have to enter these passwords across multiple devices which is a cumbersome process prone to errors. Especially without password managers, this is not feasible in practice.

  • Passwords Follow Predictable Patterns: Despite recommendations, the overwhelming majority of users resort to modifying a core set of passwords by adding numbers or special characters in predictable patterns. This means that even ‘unique’ or ‘complex’ passwords are often just slight variations of common ones. Tools for breaking password hashes have long known this, providing custom rulesets for the most common appending or prepending cases.

  • Saving Passwords in the Browser is Vulnerable: A large portion of consumers save their passwords directly in their browsers without adequate cryptographic protection. Only recently have some browsers started implementing more robust security features for password storage, and the majority of users are still at risk from infostealer attacks. Snowflake, and therefore some of its customers, was apparently breached recently through a single leaked account.

  • Passwords are Known to the Attacker: The most probable attack vector is that the attacker has a narrow list of possible passwords that the user has reused, or the attacker has actually stolen the correct password via phishing or malware (like in the Snowflake case).

In essence, passwords have a fundamental flaw – they are inherently leaky and they can be phished easily. Even with unique and complex passwords, the pervasive issue of data breaches and human error in password management render them inadequate as a sole security measure.

The next leap of hope is to encourage consumers to use password managers. Let’s look at that.

#4 Password Managers Address Symptoms, Not the Cause

All modern password managers warn their users if they detect a compromised password:

[Figures: Compromised password warning in iCloud Keychain; Password Checkup in Google Password Manager]

The problem is: most users ignore these warnings.

The existence of those dialogs proves that weak or reused passwords are still a problem, even with password managers. Why is that?

  • Users Reuse and Store Weak, Compromised Passwords: Despite the availability of password managers and their ability to generate complex, unique passwords, a significant number of users (up to 60%) continue to reuse passwords across multiple sites (DataReportal – Global Digital Insights). Even when they use password managers, many users simply store passwords they have already created instead of generating strong, unique passwords as suggested by the password manager.

  • Password Managers Have Low Adoption: The adoption rate of password managers is still relatively low, with only about 22% of internet users using them regularly (ITU). This means the majority of users remain vulnerable due to poor password practices.

  • Password Managers are Not Installed on All User Devices: Even the most secure password managers can't cover all scenarios. For example, if a user has to enter a password on a different device where the password manager is not installed, they may resort to changing their strong, password-manager-generated password to a weaker one, or start sharing the password in plain text between devices.

  • Password Managers Don't Prevent Social Engineering: Over 74% of all breaches include a human element. Despite their obvious benefits, password managers are not a foolproof solution. Social engineering attacks remain a significant threat: attackers trick users into revealing their passwords voluntarily on phishing sites, and even the most secure password manager can't protect against a well-executed phishing scheme. In the age of artificial intelligence, phishing has seen a significant uptick in sophistication. Moreover, there is a thriving community around phishing-related open-source tools (e.g. gophish) that could be used maliciously.

We want to be clear: when used correctly by a tech-savvy person who does not fall for obvious phishing attacks, detects social engineering attacks, and can keep their computer clear of malware, password managers are indeed a very secure solution, offering truly unique and complex passwords.

But what about the average Joe? MFA might be a solution, as it could prevent the majority of breaches. Let's see why this does not help either.

#5 Consumers Hate MFA

Despite being one of the most recommended methods to enhance account security, MFA is widely disliked by users. This aversion stems from several key reasons:

  • MFA is Inconvenient and Causes Friction: The primary reason users dislike MFA is the additional steps required to log in. According to a survey by Duo Security, 56% of users find MFA cumbersome and annoying. The process of receiving an OTP via SMS or using an authenticator app is seen as an unnecessary hurdle, especially when users are accustomed to quick and seamless access to their accounts.

[Figure: MFA request at Amazon]

  • No one Voluntarily Adopts MFA in B2C Apps: Despite its importance, the adoption rate of MFA in B2C scenarios remains low. Google reports that only around 10% of active Gmail accounts use MFA, a figure echoed by other major B2C companies (we have seen numbers even below 5%). The low adoption rate is often attributed to the extra effort required to set up and maintain MFA, which many users are unwilling to undertake.

  • Users are Lazy and Stay Logged In: Users prefer to stay logged in to their accounts for extended periods, minimizing the need to repeatedly authenticate themselves. For instance, a study by Security.org found that 75% of users opt to stay logged in on their devices whenever possible, demonstrating a clear preference for convenience over security.

[Figure: MFA request at PayPal]

  • MFA Poses Technical Challenges: MFA can sometimes fail due to technical glitches, further frustrating users. For example, SMS OTPs may not be delivered promptly due to network issues, email OTPs may never be received (or end up in spam folders), and authenticator apps may malfunction (by the way, have you ever tried to recover TOTP codes after losing your device?). Such problems can lock users out of their accounts, making them reluctant to use MFA.

  • MFA is Not 100% Secure: There is also a common misconception that MFA provides foolproof security. However, while it significantly enhances security, it is not infallible. Sophisticated phishing attacks can bypass MFA, leading to a false sense of security among users. This has been repeatedly proven, e.g. by recent attacks on Okta customers. In fact, phishing attacks are successfully carried out on the most common MFA methods in B2C (namely TOTP via authenticator apps and SMS OTPs), as both are not phishing-resistant and attackers can request these factors on fake websites.

[Figure: Phishability of common MFA methods. Taken from https://www.okta.com/blog/2022/10/the-need-for-phishing-resistant-multi-factor-authentication/]

If users don’t like it but it could be a necessity, why are B2C companies not forcing users to use MFA for the sake of better security?


#6 MFA is Expensive, Recovery is a Mess & Friction is Terrible

Enhanced security through MFA causes significant financial burdens for businesses. These burdens come in the form of direct MFA costs, recovery challenges, and the friction that impacts user experience and revenue.

  • Direct Costs – SMS & TOTP MFA Can Cost Millions: While SMS OTPs are a favored choice for MFA due to their user-friendly nature (90% of consumers choose SMS OTP over any other MFA method), they incur considerable costs. In some regions, such as Europe or Australia, the cost of sending an SMS can be markedly higher than in the United States. For example, a European company with one million monthly active users (MAU) and 1.5 million logins per month in total could see costs of over 1 million USD solely for authentication-related SMS OTPs. This is a substantial operational expense, particularly for services requiring international SMS capabilities, where fees can be even higher.

    Country      Cost per SMS    Annual costs
    US           $0.0069         $124,200
    Germany      $0.0865         $1,557,000
    France       $0.0734         $1,321,200
    UK           $0.0386         $694,800
    Australia    $0.0474         $853,200

    Source: Twilio

For the calculation above, we assumed 1.5 logins per month per active user and 1 million monthly active users (MAUs), i.e. 18 million SMS per year. Of course, this varies, and with the "remember this device" functionality, part of these costs can be avoided. Even accounting for that and reducing costs by 50% still leaves a substantial cost.

  • Operational Costs – MFA Recovery is an Expensive Process: The MFA recovery process introduces significant operational challenges and costs. For instance, consumers frequently fail to update their MFA settings after changing their smartphone or phone number, leading to account lockouts. Addressing these issues often requires a manual, time-consuming process that not only escalates support costs but also results in user frustration and service abandonment. The labor costs for manual recovery are considerable, with industry averages suggesting that each recovery process can cost upwards of $30 to $70 per incident, significantly affecting operational budgets.

  • Indirect Costs – MFA Friction Drops Conversion & Revenue: The indirect costs associated with MFA are largely due to user resistance to additional authentication steps, which can deter users from completing transactions or fully engaging with services. This friction can directly impact conversion rates and, consequently, revenue. Studies show that even a minor increase in friction can reduce conversion rates by up to 5%, representing a direct hit to the bottom line. Balancing the need for security with user experience is crucial, as excessive security measures can lead to diminished returns and potential revenue losses (TeleSign).

With the direct, operational, and indirect costs associated with MFA posing significant challenges for businesses, it becomes imperative to ask: What are the more effective, user-friendly, and cost-efficient security alternatives that could replace or augment traditional MFA methods? To also minimize the impact on users while still protecting from account takeovers, step-up and risk-based authentication (RBA) is often the only viable solution that B2C companies see.

#7 Risk-Based Authentication Is A False Friend

In the quest to enhance security without overly burdening users, many B2C companies have turned to step-up and risk-based authentication (RBA). These methods aim to apply additional security measures only when a login attempt appears suspicious.

[Figures: Google risk-based authentication I (additional verification after password login); Google risk-based authentication II (phone prompt)]

The screenshots above provide examples of risk-based authentication where Google asks for more information after a successful password login has already occurred. This happens when the device is unknown, or a critical action is about to take place.

The most important signals for step-up and risk-based authentication are:

  • New device (based on browsers and operating systems)
  • New location (based on IP addresses)
  • Rate-limits per IP (based on successful or unsuccessful logins)

There are also much more complicated signals, such as behavioral detection, which helps identify bots driving a virtual Chrome instance by analyzing mouse movements and click speeds.

However, there are a lot of things to consider when applying step-up or risk-based authentication:

  • UX Could Be Degraded: Step-up and risk-based authentication introduces varying levels of friction based on perceived risk, leading to an inconsistent and often frustrating user experience. Users may find themselves unexpectedly prompted for additional (and unknown) verification steps at inconvenient times, causing confusion and annoyance. This could be for example an unexpected SMS OTP to an old or inaccessible phone number during a vacation at a new location (the time where you want these inconveniences the least). This inconsistency can erode user trust in the service, causing them to think their data might not be safe, and lead to user dissatisfaction, ultimately driving users away from the B2C product / service.

  • False Positives and False Negatives Are Inherent: Risk-based systems rely on algorithms to assess the threat level of each login attempt. However, these algorithms are not perfect and can produce false positives, where legitimate users are subject to unnecessary security measures, and false negatives, where actual threats are not adequately mitigated. This undermines the effectiveness of the system and can result in both poor security outcomes and degraded user experience. For example, using rate limits to detect IP addresses for credential stuffing seems straightforward, but on the other hand, huge companies often share a small number of IP addresses for their employees, needing different limits than private consumer IP addresses. Also, logins from Tor/Proxy/VPN IPs are treated as high-risk events as they can be used to conceal the attacker's IP, but with Apple pushing their “hide my IP” features, this needs to be rethought.

  • Vulnerability to Cyber Attacks Remains: Despite their advanced nature, step-up and risk-based authentication systems are not immune to sophisticated cyber attacks. Attackers can employ techniques such as session hijacking, man-in-the-middle attacks, or just use phishing schemes to circumvent these protections. By exploiting these vulnerabilities, they can still gain unauthorized access, demonstrating that these methods are not the ultimate solution to account security although increasing protection significantly.

  • Privacy Concerns Are Legitimate: To accurately assess risks, these authentication solutions often rely on collecting extensive data about user behavior, device fingerprints, and location information. This level of data collection raises significant privacy concerns among users, who may be uncomfortable with the amount of personal information being gathered and analyzed. These concerns can further deter users from embracing the B2C product / service, especially in an era where data privacy is increasingly prioritized by consumers and regulators alike.

  • High Implementation and Operational Costs: Implementing and maintaining step-up and risk-based authentication solutions require significant resources. These solutions need constant tuning, monitoring, and updating to respond to evolving threats. The cost of these ongoing efforts can be prohibitive, especially for smaller B2C businesses. Additionally, the complexity of these solutions can lead to increased support costs, as users encounter issues and require assistance.

These aspects highlight the limitations and challenges associated with step-up and risk-based authentication in B2C contexts, emphasizing the need for more user-friendly and effective authentication solutions.
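To make the false-positive problem concrete, here is a small risk engine in Python that scores a login with the three signals named above (new device, new location, failed-login rate limit per IP) and then replays the situation from the bullet list where many employees sit behind one corporate egress address. It is an added example, not code from the original post or from Corbado; the IP addresses are constructed from documentation ranges, the country values stand in for a geolocation lookup, and the limits, window and shared-IP multiplier are assumed policy values:

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Set, Tuple


@dataclass
class LoginEvent:
    user: str
    device_id: str   # cookie-bound device identifier (browser + operating system)
    ip: str
    country: str     # would come from an IP geolocation lookup; constructed here
    success: bool    # did the password check pass?
    ts: float        # unix timestamp


@dataclass
class RiskPolicy:
    failed_per_ip_limit: int = 10                      # assumed: failed attempts per IP per window
    window_seconds: float = 600.0
    shared_ips: Set[str] = field(default_factory=set)  # known corporate NAT / egress addresses
    shared_ip_multiplier: int = 20                     # assumed: looser limit for shared addresses


class RiskEngine:
    def __init__(self, policy: RiskPolicy) -> None:
        self.policy = policy
        # Per-user baselines: this stored device and location data is exactly the
        # collection the privacy point above refers to.
        self.known_devices: Dict[str, Set[str]] = defaultdict(set)
        self.known_countries: Dict[str, Set[str]] = defaultdict(set)
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)

    def assess(self, ev: LoginEvent) -> Tuple[str, List[str]]:
        """Return (decision, reasons); decision is one of allow, step_up, block."""
        reasons: List[str] = []
        window = self.failures[ev.ip]
        while window and ev.ts - window[0] > self.policy.window_seconds:
            window.popleft()
        limit = self.policy.failed_per_ip_limit
        if ev.ip in self.policy.shared_ips:
            limit *= self.policy.shared_ip_multiplier
        if len(window) >= limit:
            reasons.append("ip_rate_limit")
        if self.known_devices[ev.user] and ev.device_id not in self.known_devices[ev.user]:
            reasons.append("new_device")
        if self.known_countries[ev.user] and ev.country not in self.known_countries[ev.user]:
            reasons.append("new_location")
        if "ip_rate_limit" in reasons:
            decision = "block"
        elif reasons:
            decision = "step_up"
        else:
            decision = "allow"
        if not ev.success:
            window.append(ev.ts)
        elif decision == "allow":
            # A real system records the baseline only once any step-up factor has succeeded.
            self.known_devices[ev.user].add(ev.device_id)
            self.known_countries[ev.user].add(ev.country)
        return decision, reasons


def office_scenario(policy: RiskPolicy) -> Tuple[str, List[str]]:
    """Constructed replay: one legitimate user behind an office egress IP shared with colleagues."""
    engine = RiskEngine(policy)
    t0 = 1_700_000_000.0
    # Alice's established baseline: a successful login from home on her phone.
    engine.assess(LoginEvent("alice", "phone-alice", "203.0.113.7", "DE", True, t0))
    # Twelve colleagues behind the office egress address each mistype their password once.
    for i in range(12):
        engine.assess(LoginEvent(f"colleague-{i}", f"laptop-{i}", "198.51.100.1", "DE", False, t0 + 60 + i))
    # Alice then signs in correctly from the office, on a laptop she has not used before.
    return engine.assess(LoginEvent("alice", "laptop-alice", "198.51.100.1", "DE", True, t0 + 120))


if __name__ == "__main__":
    print("per-IP limit applied uniformly:", office_scenario(RiskPolicy()))
    print("office IP configured as shared:", office_scenario(RiskPolicy(shared_ips={"198.51.100.1"})))
```

With a uniform per-IP limit the legitimate login is blocked outright, which is the false positive the bullet list describes; once the address is known to be shared, the same login is merely stepped up for the unknown device. The engine has no way to learn that distinction on its own, which is the tuning and maintenance cost the last bullet refers to.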

#8 Could Passkeys Be The Holy Grail For B2C Auth?

As mentioned in the intro: we are a passkey-first authentication provider, but we are not obsessed with passkeys themselves. We want to craft a solution to a problem we have observed in B2C authentication over the past 15 years in our previous roles. Our goal is to protect consumer accounts effectively, making security seamless and user-friendly.

We have lived through all the steps above. We have implemented password complexity requirements and risk-based MFA, and we have been trying to opt consumers into full MFA for years, constrained by the forces described above.

Internally at Corbado, we use YubiKeys wherever possible, but we also know that YubiKeys are not an option for consumers. However, the same security benefits of YubiKeys can be achieved with everyday smartphones, laptops and desktops via their integrated hardware security modules (TEE on Android, Secure Enclave on macOS / iOS, and TPMs on Windows). Passkeys are built on these hardware security modules, presenting a remarkable opportunity. We know that change can't happen overnight and that things might currently be a bit rough, but the opportunity is not to be neglected. This is also acknowledged by industry thought leaders like Cole Grolmus. Initially, he was a bit disappointed with the low passkey adoption and the fact that passwords will be around for a while, but he now believes that passkeys will have the biggest impact of anything in his career in cyber security, as they will make a large and transformative difference to so many people:

Passkeys are a revolutionary step in MFA. They uniquely combine security with ease of use and improved user experience, all while significantly reducing the costs associated with traditional MFA methods that consumers prefer.

This combination makes passkeys an attractive choice for consumers who understand and appreciate the benefits they offer.

Once consumers have tried passkeys and understand them, there is no going back: consumers will demand passkeys.

In the following, you can see how passkeys alleviate the most important disadvantages in today’s B2C authentication:

  1. Rules of the Auth Game
     Without passkeys: ❌ Complicated. Mistakes happen through laziness. The industry focuses on complex security solutions that users frequently ignore.
     With passkeys: ✅ Easy. Passkeys are the simplest authentication method. With passkeys there is no misuse possible. They are automatically unique and can be saved without the risk of being stolen.

  2. B2C Security Challenges
     Without passkeys: ❌ Passwords are not enough. B2C environments often lack sophisticated security measures due to the vast number of user accounts and the priority on user experience over stringent security, making them more susceptible to attacks.
     With passkeys: ✅ Passkeys fit B2C requirements and enhance security. Passkeys enhance security without adding complexity or reducing user experience, making them ideal for B2C contexts where ease of use and security are both crucial.

  3. Leaky Passwords
     Without passkeys: ❌ Passwords can get lost and phished. Passwords are often simple or reused, making them vulnerable to breaches.
     With passkeys: ✅ Passkeys cannot be stolen or phished. Passkeys eliminate the use of traditional passwords, reducing the risk of breaches related to password theft.

  4. Password Managers
     Without passkeys: ❌ Password managers do not solve the password problem. Even with password managers, many users continue to reuse weak passwords or fail to use the managers effectively, leading to continued security risks.
     With passkeys: ✅ Password managers support passkeys. Password managers can seamlessly be used to sync & manage passkeys on all platforms.

  5. MFA Fatigue
     Without passkeys: ❌ MFA requires additional steps with bad UX. Users find MFA cumbersome and annoying due to additional login steps, which leads to low adoption rates.
     With passkeys: ✅ Passkeys are invisible MFA by default. Passkeys streamline the authentication process by eliminating extra steps, making security feel seamless and less intrusive.

  6. Costs of MFA
     Without passkeys: ❌ High costs with consumer-friendly SMS OTPs, cumbersome recovery and high friction. High operational and SMS costs, especially for businesses requiring international capabilities. Recovery processes can be costly and labor-intensive.
     With passkeys: ✅ No transactional costs for login events, (synced) passkeys cannot be forgotten, and less friction. Reduced reliance on SMS and other costly MFA methods cuts operational costs. Automated processes minimize the need for manual recovery, further reducing expenses.

  7. Risk-Based Authentication
     Without passkeys: ❌ Needed to avoid MFA and protect users. Varying levels of security based on perceived risk can lead to inconsistent user experiences and false positives/negatives.
     With passkeys: ✅ Not needed in nearly all cases. Passkeys provide a consistent and secure login experience by using cryptographic methods that are less intrusive and more reliable than traditional risk-based systems.
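Row 3 of the comparison ("cannot be stolen or phished") and row 7 ("cryptographic methods") both rest on the same WebAuthn mechanism: the browser, not the web page, writes the calling origin into clientDataJSON, the authenticator scopes every credential to a relying-party ID and puts SHA-256(rpId) into authenticatorData, and the server checks both against its own configuration before it even looks at the signature. The Python example below, added here and not code from the original post or from Corbado, performs those server-side checks with the standard library only; RP_ID, RP_ORIGIN and the sample assertions are constructed for the example, and the final signature verification over authenticatorData || SHA-256(clientDataJSON) with the registered public key is deliberately left out:

```python
import base64
import hashlib
import json
import secrets
from typing import Tuple

# Relying-party settings; constructed values for this example.
RP_ID = "example.com"
RP_ORIGIN = "https://example.com"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def make_authenticator_data(rp_id: str, user_present: bool = True, sign_count: int = 1) -> bytes:
    """Minimal 37-byte authenticatorData as an authenticator emits it for an assertion:
    SHA-256(rpId) || flags || 32-bit signature counter. Constructed here so the example runs offline."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """clientDataJSON as the browser assembles it. The browser fills in the origin of the page
    that called navigator.credentials.get(); page script cannot override it."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}).encode()


def check_assertion(client_data_json: bytes, authenticator_data: bytes, expected_challenge: bytes,
                    rp_id: str = RP_ID, rp_origin: str = RP_ORIGIN) -> Tuple[bool, str]:
    """Server-side checks of the WebAuthn assertion verification procedure that need no public key.
    The remaining step, verifying the signature over authenticatorData || SHA-256(clientDataJSON)
    with the credential's registered public key, is omitted in this example."""
    try:
        client_data = json.loads(client_data_json)
        if not isinstance(client_data, dict):
            raise ValueError("not an object")
        challenge = b64url_decode(client_data.get("challenge", ""))
    except ValueError:
        return False, "clientDataJSON is malformed"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not secrets.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch (stale ceremony or replay)"
    if client_data.get("origin") != rp_origin:
        return False, "origin mismatch: %r" % client_data.get("origin")
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if not secrets.compare_digest(authenticator_data[:32], hashlib.sha256(rp_id.encode()).digest()):
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    challenge = secrets.token_bytes(32)   # per-ceremony challenge issued by the server
    genuine = check_assertion(make_client_data(challenge, RP_ORIGIN), make_authenticator_data(RP_ID), challenge)
    lookalike = check_assertion(make_client_data(challenge, "https://example-login.com"),
                                make_authenticator_data(RP_ID), challenge)
    print("genuine site:", genuine)
    print("lookalike site:", lookalike)
```

In practice a lookalike domain never gets this far, because the browser will not offer a credential whose rpId does not match the page's domain; the server-side checks are the last line of defence that makes the "cannot be phished" claim hold even if a client is misbehaving, and the per-ceremony challenge is what stops a captured assertion from being replayed later.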

However, integrating passkeys into widespread use is not without challenges. These complexities require careful navigation – and we share all the knowledge we have in our blog as much as we can.

Despite these implementation hurdles, we believe passkeys have the potential to transform the landscape of B2C authentication fundamentally and provide the base for future security. By simplifying the authentication process without compromising security, passkeys will become the preferred method for securing consumer accounts in the next years.

While we developers love to discuss techniques connecting software with authentication and their security benefits and construct sophisticated attacker models in the corresponding RFCs (e.g., OAuth or WebAuthn) focusing on high-end attack vectors, the true responsibility lies in building a system where the user is no longer the weakest link. Every company has a responsibility to protect the data their users entrust to them, which entails considering the human factor and acknowledging that the behavior of the average consumer includes being lazy and taking the path of least resistance.

Let’s make the internet a safer place together.
