The more complicated a password or authentication routine is, the more likely it is that people try to make their lives easier by circumventing it somehow. Trusted Cloud partner VTT conducted research on authentication methods.
Convenience also plays a big part when using very traditional authentication methods such as passwords. In order to make remembering them easier, users resort to using the same password in many places or choosing one that is easy to remember – which, incidentally, also makes it easy to guess.
In her qualitative study, the consumer researcher Katri Grenman from VTT asked Italian and Finnish users their opinions on ten different authentication methods. The methods ranged from the very traditional (password, PIN code, mobile authentication, chip card reader) to the biometric (facial recognition, fingerprint recognition and an injected RFID chip under your skin), and these were compared with a picture-based authentication method, where the user selects points of interest in a photograph and then logs in by touching the points in a predetermined sequence.
"Users were asked about their perceptions on the authentication methods’ safety, convenience and the first impression regarding the lesser-known techniques. This was meant to gauge what kinds of things are important to people, how much weight they put on safety vs. convenience and what needs to be communicated to users about the authentication methods they use."
In addition to the qualitative discussions, users were also asked to rate the different authentication methods using an experience map, a tool that allows people to rank different samples on an axis between two opposite attributes (e.g. convenient vs. inconvenient).
"This allowed us to gain insight about the attributes people associate with different authentication methods and the underlying attitudes people might not be able to communicate directly."
According to Grenman, changing things so that they become more inconvenient is hard to sell.
"All in all, people are reasonably happy with what they’re used to – because they’re so used to it. On the other hand, changing things so that they become more convenient could also have an adverse effect and make people feel that the system has become less secure," Grenman says.
Most of us have to deal with different authentication methods on a daily basis. We sign on to our computers and mobile devices, we authenticate ourselves when making credit card purchases or online payments – chances are most of us are so used to many of the current methods of proving our identity or access rights that we don’t have to think about them much. We might forget our authentication details to a seldom used service every once in a while, or maybe our office computer password during our holiday, but these issues are usually quite easy to fix. After all, although sometimes inconvenient, these methods exist to protect our data from leaking to outsiders.
"It would be most convenient for us all to access all our resources without having to type one single password or PIN code anywhere. Unfortunately, things like these make it also very convenient for others to access the same information."
Social media authentication is a topic that divides people into two quite opposing groups. On the one hand, many feel it’s very convenient to access several services with the one strong password you have memorised for your social media service of choice. These people often feel that the big companies like Facebook and Google take the necessary security precautions and protect your sign-on data carefully.
"On the other hand there are the people who might trust the companies not to leak their log-in details, but don’t trust them with anything else," Grenman says.
The shorter the password, the easier it is to guess – not to mention the most common passwords like 123456, password and qwerty. According to Ofcom’s report on Adults’ media use and attitudes in the UK, 64% of Internet users use the same password for several websites. One fifth of users admitted to using passwords that are easy to remember, such as names and birthdays.
The optimal balance of security and convenience
In companies there are usually policies about the quality of passwords and IT security measures. The culture of a company determines to a great extent how employees will help keep the company’s information in good hands. An organization’s willingness to tolerate inconvenience has a profound effect on the security of its information.
"Some people don their tin foil hats and padlock everything while at the same time others have a devil-may-care attitude and basically welcome everybody with open arms. In the context of living a hassle-free, normal life, neither extreme offers a very good solution. News stories about data leaks, viruses and frauds abound, and many novice users can be wary of nearly everything – and still end up falling for a hoax if it is convincing enough. In order to get anything done online, a user must give certain information. The level of information they share depends on their own comfort level and their sense of security."
According to Grenman, people often have different security levels for their own actions as well.
"It’s all fine telling people to use a different password for every service, but how realistic is that? If a person needs an account e.g. to access some content online, he might not feel that account information needs to be guarded like state secrets. Often people have accounts that have limited or even fake information for unimportant services, and choose better and unique passwords for their more important accounts. If you bring the security thinking to the right level, it makes it easier for the user to commit to the security procedures and recognise what information really is valuable and needs to be protected carefully."
Online life also means that you have to rely on others to keep you safe, no matter how diligent you are yourself. Users have to make choices on who they trust and with what. Different passwords, authentication methods and usernames take a lot of memory power to remember, especially if you don’t feel comfortable being logged in at all times or having your web browser remember them either.
"Highly-publicised and very embarrassing data break-ins, such as the Ashley Madison case, remind us that it doesn’t matter how well you guard your own identifiers if the service you use neglects to take necessary care of all possible security aspects."
Every alert makes it less likely that people will pay attention to the next one
"Does having more information readily available – or even thrown at your face like in the cookie acceptance case – really make it easier to acknowledge real risks and be able to take appropriate action to protect yourself? Or does it actually just add to the constant overload, where sifting through pieces of information in order to find the things that are relevant to you is increasingly difficult? What kinds of factors are important to users when they estimate whether an authentication method fulfils their demands for security and convenience?" Grenman asks.
PixelPin is a UK-based company that offers technology replacing the need for passwords by using four points on your own personal picture.
Tired of passwords? Other options
Passwords are also popular, possibly because that's what we know and are forced to use. There has not been a clear, trustworthy and convenient alternative available for the masses. Often it also comes down to the service provider to decide the means of authentication used to access their system – it's not up to the individual user to make the choice between different methods or even the length of their password.
While passwords and bank authentication are widely used today, fingerprint authentication – which was also among the top three authentication methods in the study – is not very common, at least not in mass-market customer applications. What accounts for the popularity of fingerprint authentication, then, if not familiarity or past good experiences?
"It is probably mostly due to their convenience – they are literally always at your fingertips, ready to prove your identity and gain you access to systems and places. The only experience most people have of using fingerprints as a means of authentication comes from Hollywood movies or flimsy smart phone applications – neither of which gives an entirely accurate description of how the authentication works at its best. Fingerprint authentication has its own set of problems, of course, such as the inability to change your prints," Grenman says.
"Although it is possible, yet unlikely, that somebody could copy your fingerprint information, cut off your digit or force you to use your finger to gain access, it might be reassuring to know that there’s usually no way this could happen without you knowing about it."
According to Grenman, online password and credit card information leaks leave you very vulnerable, because it might take ages to find out somebody’s been able to access all your information.
"It’s important to get the feeling that you are in control of your own information and data and who gets to access it. What it all boils down to is this: whether it is about using social media authentication, new solutions from new companies or established security players, trust is important. Trust is slow to build but quick and easy to lose. The feeling of being in control is a very important piece of the trust puzzle."
Top 3 authentication methods in Finland and Italy
1. Banking account with password and codes
3. Fingerprint recognition
3. Bank access through