AvidXchange, a leading fintech provider of accounts payable and payment automation for midsize companies, has many customers in the nonprofit space. As such, we form strategic partnerships with organizations that work with nonprofits like @Pay, an express payment technology company that makes it easy to pay, give, or buy on a mobile device. For our nonprofit partners and customers out there, here are four reasons from @Pay’s CEO, John Killoran, for using passwordless authentication.
4 Reasons for Nonprofits to Use Passwordless Authentication
Reaching your fundraising goals is hard work. Your nonprofit team dedicates time and passion to campaign planning, marketing and communications, donation solicitation, and donor stewardship, reaching higher every time to make a difference in your beneficiary’s lives.
But all that hard work can be affected in the event of a security breach. There are few better ways to lose the trust and therefore support of your constituents than mishandling their sensitive information.
But don’t worry. Security isn’t all doom and gloom for nonprofits ready to put in the work to protect their donors — and themselves — from malicious attacks. In fact, there’s one easy change that all nonprofits can make quickly and easily that instantly improves their security defenses: passwordless authentication.
Passwordless authentication is what it sounds like: a method of securing information that doesn’t rely on you or your donors remembering a password.
Not convinced? In this post, we’ll discuss the top four reasons why nonprofits should go passwordless sooner rather than later:
- Passwords aren’t as secure as you might think.
- There are many options for password alternatives.
- Passwordless is easier and faster for your donors.
- Your donors prioritize the security of their transactions.
1. Passwords aren’t as secure as you might think.
Let’s cut right to the chase: passwords are in some ways an outdated form of authentication.
“Authentication” in this sense refers to the mechanics by which a website or software solution verifies that a user is who they say they are. Password authentication accomplishes this verification by matching a username with a password that only the user and your servers know.
At least, that’s the idea.
You leave a few significant holes in your security when you decide to secure your website with passwords:
- Weak passwords: Short passwords, commonly used passwords, or passwords that relate directly to the username or the website hosting the account are easy for attackers to guess, and yet users tend to choose these above more secure options.
- Brute force attacks: Malicious attackers can run software programs to try more passwords than manually possible in a short amount of time.
- Dictionary attacks: Attackers can try logging in using automation with dictionaries of the most common passwords and therefore succeed quicker than they could manually.
The central issue is that passwords don’t actually verify that the person logging in is the account holder — they just verify that the person logging in has the right password. Anyone with the right username and password combination can access the account, even if they intend to do harm. This set up opens the door for security breaches.
Passwordless authentication methods, on the other hand, verify a user’s identity in ways that are much harder to fake. What ways might that be? Read on to the next section to find out.
The Takeaway: Even though passwords are a popular form of authentication, they aren’t actually the most secure. Try other options, such as two-factor authentication or biometrics.
2. There are many options for password alternatives.
You now may be sold on the merits of passwordless authentication. But is it feasible for your organization? It’s time to get into the details.
There are many different kinds of password alternatives, each with their own advantages, which makes it easy for you to find one that works for your nonprofit. We’ll summarize three of the most common password alternatives here.
If you want to learn more about any of them, check out @Pay’s in-depth guide to all three — and if your nonprofit could use help deciding on a solution or implementing it, try a nonprofit technology consultant.
Email authentication
Here’s how email authentication works for donations in three simple steps:
- Donors push a “donate” button featuring the gift amount they wish to contribute.
- The donor is directed to a pre-formatted email that includes all the details they need to donate a certain amount.
- The donor sends the email without having to change anything about it.
At no step in the process does the donor have to create a new account for your website or remember a new password just to donate. Instead, their identity is verified by a unique ID included in the email that allows the authentication system to tie the message to the user. Plus, they only have to enter their payment information the first time they give.
Two-factor authentication
This variety of passwordless authentication is highly flexible. In some cases, a password might actually be part of the process. But the reason two-factor authentication is so much more secure is that it verifies a user’s identity using more than one platform instead of just one login screen.
That second platform could be:
- A physical token, like a proximity signal or a piece of hardware.
- A text message sent to the phone number previously attached to the account.
- A third-party app previously downloaded by the user which generates time-sensitive codes.
An attacker would have a much more difficult time gaining access to these second layers of security than just a username and password.
Biometric authentication
While biometric authentication might have been the stuff of science fiction in the past, it’s now a reality! Perhaps the most advanced of these three password alternatives, your donors nevertheless likely already own the necessary hardware.
All you really need is a modern smartphone to implement:
- Fingerprint recognition, through a fingerprint scanner
- Eyeball scanning, through a front-facing camera
- Typing patterns, through a keystroke logger.
Of course, because these biometrics are part of who we are as humans, they cannot be changed. While it’s unlikely that an attacker will force your donor to press their fingerprint against their phone to fill out a donation form, if they do gather this information, they can use it for any biometrically secured account for the remainder of the donor’s life.
The Takeaway: Because there are so many options for passwordless authentication, you’re likely to find a solution that works for you.
3. Passwordless Authentication is easier and faster for your donors.
So you know that passwordless is safer, and you’ve found a solution that you think would work for your nonprofit.
But as we all know, sometimes safer means less convenient. Just think of TSA security lines at the airport or the multiple security questions you have to answer to set up an online banking transfer. It’s easy to lose sight of the reason why the security measures are a good idea when they make you miss your flight home.
Luckily, one of the key features of passwordless authentication is its simplicity and speed!
Take each of the examples from the previous section. While your donors will have to set up some elements of their accounts the first time, they get to skip entering their password each time after that in favor of quicker, more efficient, and safer authentication methods.
One of the most valuable direct effects of the ease and speed of passwordless alternatives is a drop in donor abandonment.
Passwordless encourages your donors to complete the donation process by making it quicker.
Everyone, from developers to consumers, wants payment processing to go faster than ever before. So give your donors what they want.
The Takeaway: To cut down on donor abandonment and make your donors happy, use password alternatives to speed up the donation process.
4. Your donors prioritize the security of their transactions.
The benefit to your donors isn’t just the speed and ease of not having to memorize and type in a password every time they want to donate. In fact, now users are focusing on security in every realm of their lives.
In the nonprofit world, donors want to know that their hard-earned money is going to a good cause and not getting siphoned off by malicious attackers. Otherwise, they would spend it elsewhere.
You can’t just implement passwordless authentication and move on, though.
You have to ensure your donors know why it’s safer and how to use it.
Make sure your donors know that the nonprofit software you use is secure by spreading the word about your passwordless solution in the following ways:
- Create a security information page on your website.
- Include instructions and security information on donation forms.
- Demonstrate your software in action at live fundraising events.
- Spread the word on social media, especially during large campaigns.
- Send flyers and email newsletters explaining your security practices.
- Speak at community meetings and industry events.
Once you demonstrate to your donors that you care about their security and are willing to make changes to that effect, they will trust your organization to steward their funds. And that trust will lead to your donors contributing larger gifts, advocating for your nonprofit to family and friends, and supporting your organization in other meaningful ways.
The Takeaway: You aren’t the only one thinking about security — your donors are too, and they’re using it to decide which nonprofits they trust with their donations. We hope this blog post has been helpful, not just for helping you decide to go passwordless but also for helping you put together a business case to take to the rest of your nonprofit team.