Cheap and easy

Mark Dixon has an excellent point in this post on why we still use passwords:

It was ease of use, not a technology-driven obsession with safety, that led to wide adoption of the seat belt.

I think we face the same thing with passwords. Intellectually, it is simple to understand why we should get rid of passwords. However, in practice, widespread adoption will be triggered more by ease of use than perception of safety. When an easier method for authentication emerges, people will adopt it – not because it is safer, but because it is easier. If that easier method is also more secure, voila! We will have achieved our desired result.

While I agree with Mark’s point, there is an important distinction that is not being made in this discussion: the difference between personal and professional accounts. That distinction goes right to the heart of Mark’s argument, because the two kinds of account are adopted for different reasons.

For personal accounts (for example your Facebook, Yahoo, LinkedIn, or Twitter account) ease of use is the single biggest driver. People will not, in general, use another authentication technique that isn’t as easy as passwords. In fact, it has to be easier than passwords by an order of magnitude or it won’t displace the incumbent technology. It also has to be understandable to the average user, so that they believe it really is secure (one could argue this is just another aspect of ease of use). Try explaining client certificate authentication to your grandmother if you don’t believe me.

Also, the sensitivity of the account makes little difference. Most users won’t treat their online banking account any differently than their Facebook account. Bank of America offers an RSA SecurID token as an option for its online banking. That should be a no-brainer, right? I don’t have any numbers, but I would be shocked if they were getting anywhere north of 1% adoption of SecurID by their customers.

For professional accounts (your PC, enterprise resources, or hosted service account) ease of use is not the primary driver; cost is. Cost is understood by most enterprises to mean the monetary cost of your credential plus the measurable cost to support you using it. I used the word “measurable” for a reason. Most companies don’t care how hard it is for you to understand and use a specific authentication mechanism if you are a salaried employee; that cost is hidden from them. On the other hand, the cost to the company when you call the help desk with an authentication problem is measurable and tracked, as is the cost of issuing replacement credentials when needed.

For both personal and professional accounts, passwords rule the roost because they are easy to use, cheap to deploy, cheap to support, and easy to understand.

But if an authentication mechanism becomes popular that is cheap to deploy and cheap to support, it has a chance to displace passwords for professional accounts, even if it is no easier for the end user. For personal accounts it will also have to clear the much higher bar of being far easier than a password.


4 responses to “Cheap and easy”

  1. Pingback: Seat Belts and The Password Problem « Agility Loop

  2. Yes, the DoD can make their people do it. So can any company that wants to spend the time and money.

    But consumer oriented services can’t (as a practical matter) make their customers switch to strong authentication, and most businesses aren’t willing to spend the time and money to increase security.

  3. Taking a user-centric view, I recently advised a client to offer strong authentication as an option.

    Let’s assume that a system/web site contains information that some/many users might consider sensitive. The usage agreement could indicate that the user accepts the risks and responsibility of having an account on the site. The operator could mitigate the user’s risks by offering an optional strong credential (e.g. it could be SMS text to mobile phone).

    The beauty of this is that the organization’s risk is reduced at a low cost, and the user who is concerned about access to their sensitive information has an option to upgrade their credential.

    Those that value convenience can keep using passwords — but they would have a shallow argument in the event their password-protected account was compromised…
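The opt-in design described in the comment above, as an added example that is not the commenter's or the site's code: accounts that enrolled a phone number must complete an SMS one-time code after the password, while accounts that did not keep password-only login. The SMS gateway is a constructed in-memory stand-in for a real provider, the account store is an in-memory dictionary, and the password hashing (PBKDF2) and the code length, lifetime and attempt limit are assumptions chosen for the example. The example goes slightly beyond the comment by showing the two failure modes a practitioner has to handle for an SMS code: expiry and online guessing.

```python
"""Optional SMS second factor: enrolled users get a one-time code step, others do not."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

OTP_DIGITS = 6            # assumption: 6-digit code, as most SMS schemes use
OTP_TTL_SECONDS = 300     # assumption: a code is valid for five minutes
MAX_OTP_ATTEMPTS = 3      # assumption: three wrong guesses void the pending code


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; argon2 or bcrypt are the usual choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    phone: Optional[str] = None      # None means the user kept password-only login
    otp_hash: Optional[bytes] = None  # hash of the pending code, never the code itself
    otp_expires: float = 0.0
    otp_attempts: int = 0


class SmsGateway:
    """Constructed stand-in for an SMS provider: it just records what was sent."""

    def __init__(self) -> None:
        self.sent: List[Tuple[str, str]] = []

    def send(self, phone: str, text: str) -> None:
        self.sent.append((phone, text))


class AuthService:
    def __init__(self, gateway: SmsGateway, clock: Callable[[], float] = time.time) -> None:
        self.accounts: dict = {}
        self.gateway = gateway
        self.clock = clock  # injectable so expiry can be exercised without sleeping

    def register(self, username: str, password: str, phone: Optional[str] = None) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt), phone)

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'otp_required' or 'denied' for the password step."""
        acct = self.accounts.get(username)
        # Always run the hash so an unknown username costs the same time as a wrong password.
        probe = hash_password(password, acct.salt if acct else bytes(16))
        if acct is None or not hmac.compare_digest(probe, acct.password_hash):
            return "denied"
        if acct.phone is None:
            return "ok"  # user chose convenience: password only
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        acct.otp_hash = hashlib.sha256(code.encode()).digest()
        acct.otp_expires = self.clock() + OTP_TTL_SECONDS
        acct.otp_attempts = 0
        self.gateway.send(acct.phone, f"Your login code is {code}")
        return "otp_required"

    def verify_otp(self, username: str, code: str) -> str:
        """Return 'ok' or 'denied' for the second step; a code is single use."""
        acct = self.accounts.get(username)
        if acct is None or acct.otp_hash is None:
            return "denied"
        # A 6-digit code has only a million values, so the short lifetime and the
        # attempt limit, not the hash, are what stop an attacker who got past the password.
        if self.clock() > acct.otp_expires or acct.otp_attempts >= MAX_OTP_ATTEMPTS:
            acct.otp_hash = None
            return "denied"
        acct.otp_attempts += 1
        if hmac.compare_digest(hashlib.sha256(code.encode()).digest(), acct.otp_hash):
            acct.otp_hash = None  # consumed: the same code cannot be replayed
            return "ok"
        if acct.otp_attempts >= MAX_OTP_ATTEMPTS:
            acct.otp_hash = None  # too many guesses: the user must log in again
        return "denied"
```

Because the step-up is keyed only on whether a phone number is enrolled, the password-only path is unchanged for users who value convenience, which is exactly the trade the comment proposes. Whether the user can also remove the phone number with nothing more than a password is a separate policy decision the example leaves open.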


  4. Thanks for the link to my blog.

    I agree that a distinction exists between enterprise and consumer applications. For example, my company mandates strong authentication by requiring that I use a security token device to access the company’s wide area network.

    Most consumer web applications won’t require that method because it is too costly and cumbersome.
