Retired Member

Usernames and passwords: everybody hates them

31 January 2013

"Many Americans would rather clean toilets than try to come up with a new username or password for sites requiring online logins, a new study shows."* 

Enrolling in a biller's self-serve website, then choosing and remembering a unique username and password to protect the confidential information behind it, is a process that consumers universally hate. So the question is: if everybody hates it, why is it still so prevalent?
 
As a test, I called my utility, my insurance company, my bank and my credit card provider. Each time I was asked one, two or three very simple questions to establish my identity, and was then given full access to my account information. If I can do this over the phone, why can't I do it online?
 
Delta is the only website I know of that offered this same convenient, question-based way into my SkyMiles account, and I never had any trouble logging in. Recently they too moved to usernames and passwords. I have since reset my password three times and called them twice because I forgot one or the other. It has been a lousy experience for me, and one that has already cost them more than $50 in customer service.

Enrol online and you assume all the risk
In all these cases the biller already knows enough about its customers to do without usernames and passwords. Instead, billers could ask a set of questions based on personal information known to both parties (shared secrets), such as part of a social security or credit card number, a date of birth, or a combination of these. The less sensitive the information being accessed, the less stringent the questions need be: a utility and a credit card provider would ask very different questions. Whatever the tier, such a scheme is only as strong as the secrecy of those answers and the limit placed on how many times they can be guessed.
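One way to implement the tiered shared-secret check described above, as an added example in Python (not code from the post or from any biller). The tier names, the fields each tier challenges, the guess-space figures and the `Customer`/`verify` helpers are assumptions for illustration; dates are assumed to arrive in one fixed format (ISO 8601). Beyond the paragraph, it shows the two things a practitioner would insist on before deploying such a scheme: the biller stores only salted hashes of the shared secrets, so a database leak does not hand out dates of birth or card digits, and failed attempts lock the account, because the answer space of a date of birth plus four digits is small enough to be enumerated online.

```python
"""Tiered shared-secret ("knowledge-based") login check.

Illustrative code added to this page, not a biller's implementation.
Assumes the biller already holds the customer's postal code, date of
birth and the last four digits of a card number, as the post describes.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

# Tiers in the post's sense: a utility asks less than a card issuer.
# Field sets per tier are assumptions for the example.
TIERS = {
    "utility": ("postcode", "dob"),
    "card_issuer": ("postcode", "dob", "card_last4"),
}

# Rough size of the answer space an attacker must search per field,
# used only to show why online guessing has to be rate-limited.
GUESS_SPACE = {
    "postcode": 100_000,   # assume a 5-digit US ZIP code
    "dob": 365 * 80,       # any day in an 80-year window
    "card_last4": 10_000,  # four decimal digits
}

MAX_FAILURES = 3           # lockout threshold (assumed policy)
PBKDF2_ROUNDS = 50_000     # kept low so the example runs quickly


def normalize(field_name: str, value: str) -> str:
    """Canonicalise an answer so ' 94105 ' and '94105' compare equal and
    a date keeps only its digits (ISO 8601 input assumed)."""
    value = value.strip().upper()
    if field_name in ("dob", "card_last4"):
        return re.sub(r"\D", "", value)
    return re.sub(r"\s+", "", value)


def digest(field_name: str, value: str, salt: bytes) -> bytes:
    """Salted, slow hash of one shared secret. The biller keeps only this,
    never the plaintext date of birth or card digits."""
    data = normalize(field_name, value).encode()
    return hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ROUNDS)


@dataclass
class Customer:
    salt: bytes
    secrets: dict          # field name -> digest
    failures: int = 0

    @classmethod
    def enrol(cls, **answers: str) -> "Customer":
        """Store only salted digests of the answers gathered at enrolment."""
        salt = os.urandom(16)
        return cls(salt, {f: digest(f, v, salt) for f, v in answers.items()})


def guess_space(tier: str) -> int:
    """Combinations an attacker must try for a tier when the answers are
    unknown and independent. Small enough that the lockout, not the
    secrecy of the data, is what stops online guessing."""
    n = 1
    for f in TIERS[tier]:
        n *= GUESS_SPACE[f]
    return n


def verify(customer: Customer, tier: str, answers: dict) -> str:
    """Return 'ok', 'denied' or 'locked'.

    Hashes and compares every field of the tier before deciding, so the
    response time and the verdict do not reveal which field was wrong,
    and counts failures so the guess space cannot be exhausted online."""
    if customer.failures >= MAX_FAILURES:
        return "locked"
    ok = True
    for f in TIERS[tier]:
        given = answers.get(f, "")
        if not hmac.compare_digest(digest(f, given, customer.salt),
                                   customer.secrets[f]):
            ok = False     # keep going; do not short-circuit on first miss
    if ok:
        customer.failures = 0
        return "ok"
    customer.failures += 1
    return "locked" if customer.failures >= MAX_FAILURES else "denied"


if __name__ == "__main__":
    # Constructed sample customer, not real data.
    cust = Customer.enrol(postcode="94105", dob="1970-01-02", card_last4="1234")
    print(verify(cust, "utility", {"postcode": " 94105 ", "dob": "1970/01/02"}))
    print(verify(cust, "card_issuer", {"postcode": "94105", "dob": "1970-01-02",
                                       "card_last4": "9999"}))
    print("card_issuer guess space:", guess_space("card_issuer"))
```

The `guess_space` figures are the reason the lockout is not optional: a utility-tier challenge here has roughly three billion combinations, which is far fewer than an attacker can try against an unthrottled web form, and the answers themselves are the sort of data that appears in breach dumps and on social media. Treat shared-secret questions as a convenience layer in front of rate limiting and, for anything sensitive, a second factor such as the one-time codes some banks already use.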

So why do most, if not all, billers still ask for usernames and passwords? The answer is liability: the biller is passing the risk of transacting online on to the consumer.

Consumers inevitably reuse the same usernames and passwords wherever they can, and in many cases the passwords are so simple that they can be guessed or cracked with ease, so the process is simply not secure. Research published in Digital Journal bears this out: 'password' is the most commonly chosen password and '123456' the second. The biller allows this because it has placed the onus on the consumer to create good passwords.

There is also a large cost to the biller: forgotten passwords and other password-related problems are the second most common help desk call, and according to Forrester Research the average help desk call costs about $25.

In summary:

  1. Customer-created usernames and passwords are weak
  2. It is a terrible customer experience
  3. It is costly for the biller
  4. The risk is carried by the customer, not the biller

There has to be a better way, and there is.

It is time to eliminate usernames and passwords for good. It can be done while maintaining the appropriate level of security and delivering the best possible customer experience.

Tags: Security, Payments

Comments: (8)

Robert Avery - Alpha Financial Technology Services Ltd - London | 01 February, 2013, 07:24

I agree with this. Just to be fair, though, most organisations holding sensitive personal data do insist on stronger passwords at setup to avoid the really weak common examples you mention.
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 03 February, 2013, 15:52

In this day and age where people bare their souls on Facebook / equivalent, I wonder if any shared secret is really known only to the biller and the customer. In the interest of avoiding repetition, let me refer to my comments here.

Martin Bailey - Temenos - Hemel Hempstead | 04 February, 2013, 18:56

I completely agree;

http://bluedeckshoe.com/2012/10/15/are-you-who-you-say-you-are/

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 04 February, 2013, 19:17

I think this Microsoft Research paper gets it absolutely right when it says, "Despite countless attempts and near-universal desire to replace them, passwords are more widely used and firmly entrenched than ever... and not only will passwords be with us for some time, but in many instances they are the solution which best fits the scenario of use."

Mark Pavan - mapa research - London | 05 February, 2013, 08:54

An excellent blog that hits a big nail firmly on the head. We were looking at bank security as a featured topic in our Mapa Research Insight series recently and noticed that some banks, in clear acknowledgement of the user name and password frustration, had developed a "light" log-in option for customers. These allow them to more easily view their account status without needing to fully log in.

At the other end that will also explain the widespread use by banks of one time passwords and secure codes for sensitive transactions.

I also remember a UK research finding that said we all used just one password for everything... another problem to add

Erik Bogaerts - Naqoda Ltd - London | 05 February, 2013, 12:59

I guess people are not aware enough of single sign on type of solutions out there like lastpass. This alleviates the pain of having to remember complex and multiple user IDs and passwords. It doesn't alleviate the risk of social engineered hacks and/or other types of hacks, as Obama found out just last weekend ...

A Finextra member | 12 February, 2013, 13:51

@Erik

Actually I am aware of lastpass - 'thanks' to a major security breach in 2011:

http://en.wikipedia.org/wiki/LastPass_Password_Manager#Security_breach

Erik Bogaerts - Naqoda Ltd - London | 12 February, 2013, 13:58

Yes I'm aware of that. Nothing like a good security breach to keep companies on their toes ...

