About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

« Catch Me If You Can | Main | Would Consumers Ever Give Up Their Passwords? »

April 17, 2017


Will the Password Ever Die? Part 1

It has been less than five years since the magazine Wired, in its November 2012 cover story, called for the demise of the password. It has been more than 13 years since Bill Gates called for the elimination of the password at a 2004 RSA conference. Despite these calls to action, the user ID and password remain the most common form of authentication that consumers use online.

Why has the password continued to defy its terminal prognosis? Several reasons come to mind. It remains the most ubiquitous authentication methodology. Even when you factor in the significant costs of companies supporting the need for password resets, I suspect the ongoing operating costs are lower than for other forms of authentication. The reality is that the password is generally a sufficient security tool for accessing low-value applications.

So why is the password criticized so often? Most of the weaknesses in the password are based on the latitude that customers have with selecting and managing their passwords. Surveyed consumers claim to have security in mind when they create passwords, but we have seen the stories about the most common passwords being "password" and the numbers "1-2-3-4-5-6." There is also the practice of using the same password for multiple sites. Frequently, the consumer is not required to use special characters (or the application doesn't accept special characters), nor to change their password on a regular basis.

Despite the frequency of data breaches and all the fallout that comes from them, online merchants are extremely leery of adding additional overt authentication requirements (multi-layered or multi-factor) for fear consumers would abandon their shopping sessions. Given that merchant reluctance along with consumers' general exemption from financial liability if fraudulent transactions are made when their account is hacked and online access credentials are compromised, how likely is it that password weaknesses will improve? So what can be done to strengthen authentication and produce a higher level of confidence that the customer generating a particular transaction is, in fact, the person authorized to perform that transaction?

We will look at some research into the consumer's willingness to adopt additional or alternative authentication methods within the next few weeks. Until then, let us know your suggestions for improving consumer authentication.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 17, 2017 in authentication , consumer protection , cybercrime , data security | Permalink

Comments

With many websites willing to "remember" passwords for future use, it is no surprise that some groups would not want to give up using something they don't need to remember. Perhaps some vendors or banks should turn this option off, in order to protect some consumers from themselves.

Posted by: Barbara Guhanick | April 24, 2017 at 01:24 PM

As a consumer, I would appreciate a vendor, whether it be a shopping site, bank, medical heath record site, etc. , to provide an easy to use software VPN application. Besides passwords, knowing that the link between my endpoint and the other is protected by more than a password, or internet security (https) would be wonderful. Layered security is really the key.

Posted by: Barbara Guhanick | April 24, 2017 at 01:14 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


July 2017


Sun Mon Tue Wed Thu Fri Sat
            1
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30 31          

Archives


Categories


Powered by TypePad