If you think people have too many passwords, you're right. The 2012 Online Registration and Password study, conducted by Harris Interactive, found that 58% of online adults have five or more unique passwords for varied logins - and 30% have more than 10 unique passwords they need to remember. How annoying is that? The survey also found that 38% of people would rather fold laundry and scrub toilets than come up with new passwords.
"The security value of a password is limited, if not negligible, because many people are interested in convenience. You will reuse the same password in many places......we need to transition away from the way we've been doing things since the 1960s," says Al Pascual, a security, risk and fraud analyst for Javelin Strategy & Research.
Analysts say web crooks have ample malware that can intercept passwords for identity theft, and that's before the consideration that most people use the same password for different logins, which expands the security risk.
"The problem with passwords is they are easy to steal. If you have a strong password, or have 100 characters, it's still easy to steal these days," says George Tubin, a senior security strategist at Trusteer.
Tubin suggests one way to combat the threat is to use the smartphone as an authentication device, in combination with other devices such as the PC. "There's not one single silver bullet. If you are coming in via the PC, you can authenticate to the site via the phone, and perhaps link biometrics into the mobile device. You can link voice biometrics or face biometrics...it's in the baby stages right now."
Even though many password programs include "grading" that tells the user how "strong" the password is, consumers tend toward unintended vulnerability. "The user wishes to have an easily used and remembered credential; they would use 1234 as a password if they had the option to do so. The user's incentive is the opposite of the security incentive. The security team would rather have a 16-digit random password," says Andy Rolfe, chief technology officer at Authentify.
Rolfe says the way to move beyond passwords, which are pretty well established in our culture, is through a step-up approach. "What I mean is we take the username and password as it is today and move to a second factor, or a step-up authentication for certain high risks and high-value transactions," he says, adding these "step ups" - which can include mobile apps accessed by biometrics - gradually become the primary method of authentication. Biometrics, or as some call it, bring your own ID, is a key component to strong authentication.
The technology does pose challenges. Biometrics can't be used by everyone. "You have certain segments of the population that may not be able to use biometrics. They may not be able to speak or may not take a proper photo [the right resolution for facial recognition] or may have a minimal fingerprint. There may also be restrictions by policy or regulations as to what you can use in terms of biometrics. That's where multi-factor is quite important."
ING FIGHTS PASSWORD CREEP
In 1999, around the time that everyone was chasing Y2K - a problem that really wasn't a problem - ING Direct Canada was working on a real issue: password creep.
"When we launched our transaction site, we said there has to be a better way than passwords," says Charaka Kithulegoda, senior vice president and chief information officer of ING Direct Canada.
The idea was the bank would develop a biometric mouse that would light up when the user entered his or her client number. The mouse would read the person's fingerprint to confirm the customer's identity. "The pilot worked, and the technology worked. But what we realized was we were ahead of our time," says Kithulegoda. The technology was expensive, and there were hardware compatibility issues, so eventually the project was dropped.
For years, companies have wanted to use something besides usernames and passwords to authenticate users. The idea that entering your first name, a period, your last name, and a series of letters and numbers is a stable, reliable way to protect identity in an age in which people have numerous relationships that rely on web-enabled connections, has been tottering on the edge of validity for a long time.
ING Direct Canada is now building new identification methods for an industry that's changed a lot in the past decade. Account aggregation, mobile apps, social networking and alternative payments are all maturing quickly, as are security threats. Millions of new strains of malware are created each year, placing mobile and online bank accounts at risk.
ING Direct Canada believes the supporting systems and bank customers are more ready for biometrics than they were 12 years ago. "With the proliferation of mobile and the consumerization of IT, the stigma of biometrics has faded, and the technology has come a long way," Kithulegoda says. "With mobile, most devices have a very high definition camera that's in the device. You don't need a special device anymore for biometric authentication."