Blog article
See all stories »

Usernames and passwords: everybody hates them

"Many Americans would rather clean toilets than try to come up with a new username or password for sites requiring online logins, a new study shows."* 

Protecting confidential information within biller self-serve websites through enrollment, and the choosing and remembering of a unique username and password is a process that is universally hated by consumers. So, the question is: if everybody hates it, why is it still so prevalent?
 
As a test, I called up my utility, my insurance company, my bank and my credit card provider: Each time I was asked one, two or three very simple questions to ascertain my identity. I was then allowed full access to my account information. If I can do this over the phone, why can’t I do it online?
 
Delta is the only website I know of that had this very convenient way to access my SkyMiles account and I never had any trouble logging in. Recently they too moved to usernames and passwords. I have since reset my password three times and called them twice because I forgot one or the other. It’s been a lousy experience for me, and one that has already cost them more than $50 in customer service.

Enrol online and you assume all the risk
In all instances the biller knows enough about their customers to eliminate the need for usernames and passwords. Instead, billers could present a set of questions based on customer's personal information, known to both parties (referred to as shared secrets) – such as partial social security or credit card number, date of birth or a combination of these. The less sensitive the information being accessed, the less stringent the questions can be. A utility and a credit card provider would have very different levels of questions.

So why do most/all billers still request usernames and passwords?  The answer is in liability. The biller is passing the ‘risk’ of transacting online onto their consumer. 

Consumers inevitably use the same usernames and passwords as often as possible and in many instances they are so simple that they can be guessed or hacked with ease. Thus this process is simply not secure. Research published in Digital Journal proves this:  ‘Password’ is the number one chosen password and ‘123456’ is the second. The biller allows this, as they have passed the onus onto the consumer to create good passwords.

There is also massive cost to the biller: Forgotten passwords and other password related problems are the second most common help desk call. (According to Forrester Research, the average cost of a help desk call is about $25.)

In summary:

  1. Customer created usernames and passwords are not secure
  2. It’s a terrible customer experience
  3. It’s costly for the biller
  4. It’s high risk / not secure for the customer

There has to be a better way. There is a better way:

It’s time to eliminate usernames and passwords forever! You can do so while maintaining the appropriate levels of security, and delivering the best possible customer experience. 

 

4747

Comments: (8)

A Finextra member
A Finextra member 01 February, 2013, 07:24Be the first to give this comment the thumbs up 0 likes I agree with this. Just to be fair though most organisations holding sensitive personal data do insist on stronger passwords at setup to avoid the really weak common examples you mention.
Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 03 February, 2013, 15:52Be the first to give this comment the thumbs up 0 likes

In this day and age where people bare their souls on Facebook / equivalent, I wonder if any shared secret is really known only to the biller and the customer. In the interest of avoiding repetition, let me refer to my comments here.

Martin Bailey
Martin Bailey - Temenos - Hemel Hempstead 04 February, 2013, 18:56Be the first to give this comment the thumbs up 0 likes

I completely agree;

http://bluedeckshoe.com/2012/10/15/are-you-who-you-say-you-are/

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 04 February, 2013, 19:17Be the first to give this comment the thumbs up 0 likes

I think this Microsoft Research paper gets it absolutely right when it says, "Despite countless attempts and near-universal desire to replace them, passwords are more widely used and firmly entrenched than ever... and not only will passwords be with us for some time, but in many instances they are the solution which best fits the scenario of use."

A Finextra member
A Finextra member 05 February, 2013, 08:54Be the first to give this comment the thumbs up 0 likes

An excelent blog that hits a big nail firmly on the head. We were looking at bank security as a featured topic in our Mapa Research Insight series recently and noticed that some banks, in clear acknowledgement of the user name and password frustration, had developed a " light" log-in option for customers.These allow them to more easily view their account status without needing to fully log in.

At the other end that will also explain the widespread use by banks of one time passwords and secure codes for sensitive transactions.

I also remember a UK research finding that said we all used just one password for everything... another problem to add

A Finextra member
A Finextra member 05 February, 2013, 12:59Be the first to give this comment the thumbs up 0 likes

I guess people are not aware enough of single sign on type of solutions out there like lastpass. This alleviates the pain of having to remember complex and multiple user id's and passwords. It doesn't alleviate the risk of social engineered hacks and/or other type of hacks as Obama found out just last weekend ...

 

A Finextra member
A Finextra member 12 February, 2013, 13:51Be the first to give this comment the thumbs up 0 likes

@Erik

Actually I am aware of lastpass - 'thanks' to a najor security breach in 2011:

http://en.wikipedia.org/wiki/LastPass_Password_Manager#Security_breach

A Finextra member
A Finextra member 12 February, 2013, 13:58Be the first to give this comment the thumbs up 0 likes

Yes I'm aware of that. Nothing like a good security breach to keep companies on their toes ...