Password security

People don’t like passwords – and vice versa

When was the last time you looked forward to entering your username and password? Never, right? Authentication is a necessary evil which stands between you and what you want to do. Many of us understand why we need authentication, but is it really necessary to enter a username and password all the time? Popular services like Facebook, Google, Yahoo and LinkedIn can keep you logged in over long periods and allow you to be remembered on your devices. This sets expectations for how we want to interact with services and sets the bar for what a good user experience is.

The user expects quick access to an application. More than five seconds is not acceptable

In the digital world, people always value convenience over security, in most cases without realizing it. We use weak passwords (which are easy to guess, for example the ever popular “123456”). We use the same password for all applications (which means that an attack on one application may give the attackers access to other applications). We do not lock our mobile device. If we use different passwords, these are written in an open note on the mobile device (I was helping a friend when I realized that her phone did not have a password, and all the application passwords were stored in an open note called «Passwords». And she didn’t understand why this was a problem). We write down the password and hide it under the keyboard. Few people enable two-step authentication (i.e. authentication which adds additional security, such as a one-time code sent to your cell phone, or a code-generating application), and this is even true for people with high technical knowledge. And in many cases, the users do not understand that any of this is a problem.
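As an added example (not code from the post or from Signicat), the following Python checker shows the minimum a service can do on the server side about the first weakness listed above: reject passwords that are too short, all digits, a single repeated character, on a list of commonly used passwords, or built around the user's own e-mail address. The common-password list and the 12-character minimum are constructed assumptions for illustration; a real deployment would load a large list built from public breach corpora. The normalization step matters because guessers try "P@ssw0rd1!" by undoing the substitutions, so the checker must undo them too.

```python
import re

# Constructed sample of frequently used passwords (assumption, not from the post
# apart from "123456"). A real deployment would load a large breach-derived list.
COMMON_PASSWORDS = {
    "123456", "password", "123456789", "12345678", "qwerty",
    "111111", "abc123", "letmein", "welcome", "iloveyou",
}

MIN_LENGTH = 12  # assumed policy value for this example

# Substitutions users make to dress up a dictionary word ("P@ssw0rd").
# Guessing tools undo them, so the checker must undo them as well.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(candidate: str) -> str:
    """Reduce a password to the base word a guesser would try first:
    lower-case it, drop trailing digits/punctuation, undo leet substitutions.
    'P@ssw0rd1!' -> 'password'. Falls back to the lower-cased input when
    stripping leaves nothing (e.g. an all-digit password such as '123456')."""
    base = re.sub(r"[\d!?.]+$", "", candidate.lower())
    base = base.translate(_LEET)
    return base or candidate.lower()


def check_password(candidate: str, identifiers=()) -> list:
    """Return the list of policy violations for `candidate` (empty means acceptable).
    `identifiers` are the user's own e-mail/username values, which must not be
    embedded in the password."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.isdigit():
        problems.append("digits only")
    if len(set(candidate)) == 1:
        problems.append("single repeated character")
    if normalize(candidate) in COMMON_PASSWORDS:
        problems.append("common password (after normalization)")
    lowered = candidate.lower()
    for ident in identifiers:
        # Local part of an e-mail address, or the whole username.
        local = ident.lower().split("@", 1)[0]
        if len(local) >= 4 and local in lowered:
            problems.append(f"contains account identifier {local!r}")
    return problems


def is_acceptable(candidate: str, identifiers=()) -> bool:
    return not check_password(candidate, identifiers)


if __name__ == "__main__":
    # Constructed sample inputs; the e-mail address is a placeholder.
    for pw in ("123456", "P@ssw0rd1!", "alice.smith2024", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw, ('alice.smith@example.com',)) or 'OK'}")
```

The checker reports every violation rather than stopping at the first, so the user interface can explain the rejection instead of leaving the user to guess what the rule was.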

“Nearly one in five enterprise users have passwords that are weak or shared” (www.techrepublic.com)

But still, most of us lock the door to our house and our car. And we do understand that the threat is that somebody can steal our things. However, stealing your digital identity may inflict far more damage. So why have we, as the expert community, failed to communicate to the users that protecting your digital assets is equally important, if not more important, than protecting your physical assets? The least we can do is to try to reduce the burden on the user.

Security is seen as the responsibility of the service provider. This is partly correct, but if I am negligent (such as not protecting the password), I can be held responsible. Service providers must ensure that high security is also convenient for the user, and that this is enabled by default.

User input (such as typing your e-mail address and password) on a mobile device is not very convenient due to the small keyboard. It is important to avoid having the user type in data as much as possible, for example by prefilling the input fields. Unfortunately, most of the eID methods (e.g. BankID in Norway) do NOT support pre-filling, so you have to type in your email and password every time. (A small helpful tip: on your mobile device, create a keyboard shortcut “gma” which enters your Gmail address, or “phn” which enters your phone number.)

The fastest and easiest-to-use applications will win the race, regardless of security. The popularity of the Norwegian Vipps app (which is a person-to-person payment scheme), is based on its simplicity. In Norway, a typical pre-Vipps money transfer required a BankID authentication twice – both when opening the application and when transferring the money. With Vipps you only use your fingerprint once to transfer money.


Today it is possible to switch banks in minutes, with no (or very minimal) cost. With more and more self-service taking place, this means that the consumers will flow to the banks with the best and easiest-to-use interfaces, combined with the lowest cost for usage. The banks are pressured to provide cheap and easy-to-use services, as well as being responsible for the security, and brand loyalty can no longer save them from users switching to the competition.

“Millennials are far more likely to switch banks than other consumers. Nearly one in five said they switched banks in the last year, with many moving to online-only banks” (www.thefinancialbank.com)

With PSD2 (the European Payment Services Directive 2), the requirement to do SCA (Strong Customer Authentication) will increase. This means that the user will have to authenticate using a two-factor method, much more often than today. To make this as painless as possible for the users, the friction of the authentication must be reduced.

Signicat MobileID is our secure authentication solution, using only a fingerprint or a PIN for authentication. After an app download and a quick registration process, which involves binding the user’s mobile device to the account using a QR code, the app is ready to use. Whenever a second-step authentication is required, the app will pop up, and the user will authenticate with fingerprint or PIN. That’s it. It is also possible to integrate the functionality into an existing business app, using our SDK.

The next generation of authentication will be data-driven: by using machine learning, your cell phone can determine whether it is in your possession, and not even bother you with the fingerprint. This is done by analyzing things like your location (are you in a familiar place?), the available WiFi networks (have these WiFi networks been in your vicinity before?) and the gyro sensors (is this really you, or is somebody else carrying your phone?). Even more sensors may be added to make this identification even more secure.
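To make the decision logic concrete, here is an added example in Python (not Signicat's implementation; the post does not describe its model) that combines the three signals named above into a risk score and maps it to an authentication step. The weights, the distance bands, the thresholds and the idea of a motion-similarity score produced by a gait model are all assumptions for illustration. The useful property it demonstrates is that a familiar location and known WiFi are not enough on their own: a phone at home that is being carried by someone else still triggers the fingerprint or PIN prompt.

```python
import math
from dataclasses import dataclass


@dataclass
class OwnerProfile:
    """What the device has learned about its owner (hypothetical representation)."""
    known_locations: list   # (lat, lon) pairs the owner regularly visits
    known_ssids: set        # WiFi networks seen around the owner before


@dataclass
class Observation:
    """Sensor snapshot taken when an authentication is requested."""
    lat: float
    lon: float
    visible_ssids: set
    motion_similarity: float  # 0..1: how closely gyro/accelerometer data match the owner's gait model


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def location_familiarity(profile, obs):
    """1.0 at a known place, 0.5 in the same city, 0.0 elsewhere (assumed bands)."""
    if not profile.known_locations:
        return 0.0
    nearest = min(haversine_km(obs.lat, obs.lon, la, lo) for la, lo in profile.known_locations)
    if nearest <= 1.0:
        return 1.0
    if nearest <= 25.0:
        return 0.5
    return 0.0


def wifi_familiarity(profile, obs):
    """Fraction of currently visible networks that have been seen near the owner before."""
    if not obs.visible_ssids:
        return 0.0
    return len(obs.visible_ssids & profile.known_ssids) / len(obs.visible_ssids)


WEIGHTS = {"location": 0.4, "wifi": 0.3, "motion": 0.3}  # assumed weights


def risk_score(profile, obs):
    """0.0 = certainly the owner, 1.0 = no evidence the owner holds the phone."""
    familiarity = (WEIGHTS["location"] * location_familiarity(profile, obs)
                   + WEIGHTS["wifi"] * wifi_familiarity(profile, obs)
                   + WEIGHTS["motion"] * obs.motion_similarity)
    return round(1.0 - familiarity, 3)


def required_step(profile, obs):
    """Map the risk score to the user-facing step (assumed thresholds):
    'silent' approves without bothering the user, 'fingerprint_or_pin' prompts,
    'deny' refuses and requires the device to be re-bound (e.g. QR registration)."""
    risk = risk_score(profile, obs)
    if risk < 0.2:
        return "silent"
    if risk < 0.7:
        return "fingerprint_or_pin"
    return "deny"


if __name__ == "__main__":
    # Constructed profile and observations (coordinates near Oslo and London).
    owner = OwnerProfile(known_locations=[(59.9139, 10.7522)], known_ssids={"HomeNet", "OfficeWifi"})
    cases = {
        "owner at home": Observation(59.9140, 10.7523, {"HomeNet"}, 0.9),
        "stranger carrying phone at home": Observation(59.9140, 10.7523, {"HomeNet"}, 0.1),
        "owner across town": Observation(59.9589, 10.7522, {"OfficeWifi", "Cafe-Guest"}, 0.8),
        "phone abroad, unknown carrier": Observation(51.5074, -0.1278, {"Hotel-Free"}, 0.3),
    }
    for name, obs in cases.items():
        print(f"{name}: risk={risk_score(owner, obs)} -> {required_step(owner, obs)}")
```

Keeping the score and the decision in separate functions is deliberate: the score can be logged for later analysis of false prompts and missed thefts, while the thresholds can be tuned without touching the signal processing.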


Blog post by Magnus Mauland and John Erik Setsaas, Signicat
