The world is full of ideas and inventions that seemed like a good idea at the time. Only later do we discover that they were actually very bad ones. Tobacco was a very popular trend back in the day – until we discovered that it causes lung cancer and plenty of other problems. 100 or so years ago it wasn’t uncommon to placate your child with a drug that included heroin. In the early era of computers someone had to come up with a way to keep things secret on a shared computer. Therefore, the password was born – something only you (are supposed to) know. Now is the time when the password must go the way of the dodo – extinct!
If you are in any way involved with the internet, your password has been compromised at least once. The wide-ranging data breaches of the likes of Yahoo, LinkedIn and now Twitter have put your very secret jumble of letters, numbers and special characters in jeopardy. And as people tend to gravitate toward convenience, they reuse passwords for several applications. Who can memorise all the different passwords we have in our private and professional life? No one, except perhaps a password manager – a software component designed for storing passwords.
Economic impact of password-based authentication
Ok, I have quite a few viewpoints on how passwords are hurting our economy. And it truly surprises me that we still haven’t seen a globally accepted replacement for this technology, which was invented decades ago. Yes, we’ve seen attempts, e.g. by governments issuing electronic ID cards to citizens – Finland was the first and, since the launch of the eID in 1999, the number of active users has remained very low. PKI (Public Key Infrastructure) was all the rage in the early 2000s and multiple countries launched their eID programs. So far, only Estonia has been able to pull it off effectively. But what is the real impact on our economy of keeping passwords?
Most applications requiring a login ask for one form or another of the password (here I also include social media identities like logging in via Facebook). But the password is the poorest of choices to implement if you’re building an omni-channel strategy, embracing your customers through web and mobile. A viable alternative is needed, and there are some very good choices.
Reluctance to remove passwords may also prevent you from developing new online services for your customers (or citizens). If you think that you cannot put your idea into reality because passwords (or social media identities) are not enough to protect your services, you should investigate – there are plenty of alternatives out there.
Plenty of studies out there tell you that yet another registration form with a new password is the quickest way to lose a visitor. Yes, you can convert a visitor using an existing social media identity, but that’s not always sufficiently secure.
In a B2B case it’s the same, if not even worse. For example, if an organisation is comparing which external service to use, and the first one offers Single Sign-On (SSO) from their own network to the service, but the second will require every new user/employee to create a new identity and password… which will they choose? Are you losing out to competitors because of an inconvenient customer experience?
A lot of the biggest data breaches thus far have involved password databases being hacked into. My own secret has been pwned twice, with most internet users having been pwned at one time or another. Depending on whether you’ve reused the password across other services, being pwned might be negligible or might create long-lasting problems for you. The effects are also highly dependent on what kind of authentication the applications storing your data are using. Think of online banking, insurance, utilities, healthcare – if you reused your password because the provider didn’t offer proper authentication alternatives. If your provider uses this weakest type of authentication (the password), you might be in real trouble. For these types of services the password must go. Identity theft has a direct impact on your own economy – but also on service providers, as they suffer losses through tarnished reputation, loss of customers and much more. If it’s a bad enough breach, it can end the business.
The password must go – but why hasn’t it?
Like the terrible ideas mentioned at the start of this article, such as tobacco, passwords have enjoyed decades of being ‘good for you’. Now the evidence is out there – they are not. So, why is it still okay for online services to enforce them on their customers?
To learn about how companies have overcome this burden, increasing the security of their services with identity and access management functionality, visit www.ubisecure.com/customers.