We are drowning in passwords. Most people either use the same password for multiple accounts or they use a minimal variation of it. Both habits are extremely ineffective, and nefarious actors play merry hell with this behavioural pattern every day. As more services move online, the exposure, the risk and the potential harm grow for all of us. A study this year by the U.K.’s National Cyber Security Centre (NCSC) confirmed that: an incredible 23.2 million accounts globally use “123456”, the most common string on the list.
The National Institute of Standards and Technology (NIST) recommends a number of ways to strengthen passwords, including the use of special characters, setting a password expiration period, and avoiding knowledge-based authentication (e.g. “who was your best friend in school?”). No matter how complex we make passwords, their inherent weaknesses (they are knowable and static) mean they can never be completely fraud-proof and are always a target for hackers.
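The two habits described above, picking one of the most common strings and making a "minimal variation" of a known password, are the first things a defender can screen for at password-set time. The following is an added example (not code from the original post) of such a screen: it normalises trivial variations (case, leet substitutions, appended digits or symbols) before comparing a candidate against a blocklist. The blocklist here is a constructed sample containing the "123456" string the post cites plus a few placeholders; a real deployment would load a full breached-password list, and the leet mapping and minimum length are assumptions chosen for illustration.

```python
import re

# Constructed sample blocklist. "123456" is the string cited in the NCSC study;
# the rest are placeholders standing in for a real breached-password list.
COMMON_PASSWORDS = {"123456", "123456789", "password", "qwerty", "letmein", "iloveyou"}

# Assumed minimum length for the policy; not a value from the post.
MIN_LENGTH = 8

# Assumed "minimal variation" substitutions that users apply to a base word.
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def variants(password: str) -> set[str]:
    """Return the canonical forms a candidate can collapse to, so that
    Password1!, p@ssw0rd and 123456!! all match their blocklisted base."""
    p = password.lower()
    forms = {p}
    # Drop trailing symbols: "123456!!" -> "123456", "password1!" -> "password1"
    stripped = re.sub(r"[^a-z0-9]+$", "", p)
    forms.add(stripped)
    # Then drop trailing digits: "password1" -> "password"
    forms.add(re.sub(r"[0-9]+$", "", stripped))
    # Undo leet substitutions on every form: "p@ssw0rd" -> "password"
    forms |= {f.translate(LEET_MAP) for f in list(forms)}
    forms.discard("")
    return forms


def check_password(password: str) -> tuple[bool, str]:
    """Screen a candidate password. Returns (accepted, reason).

    The blocklist check runs before the length check so that a short but
    common string is reported for the more serious problem."""
    if variants(password) & COMMON_PASSWORDS:
        return False, "common_password"
    if len(password) < MIN_LENGTH:
        return False, "too_short"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["123456", "Password1!", "P@ssw0rd", "123456!!", "abc", "Tr0ub4dor&3"]:
        print(f"{candidate!r}: {check_password(candidate)}")
```

The point of the `variants` step is that a plain set lookup would accept "Password1!" while rejecting "password"; collapsing the candidate to its likely base word before the lookup closes that gap without needing the blocklist to enumerate every variation.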
The big tech players like Google and Facebook position themselves as the answer to this single sign-on question. But that means you have to be a customer of theirs, with all of the covert and overt implications that brings. And still, the core of the solution is password-based, and still inherently weak. In short, unless you are a savant who can create and memorise a new password for every service, then if your one “foundational” password is compromised, so are the rest. Your average student has 194 passwords, for example: 194 times more vulnerable.
Discussion has more than begun on whether digital identity and biometrics could be the answer to this problem of the digital age. I believe digital identity will eventually replace all legacy forms of proof of identity, but why has this not happened already? In a world where our own, immutable biometrics are readable and transferable into a digital context, surely just ‘who we are’ can be used instead of the dreaded password. Most probably the answer centres on the questions of trust and privacy. How can I trust that my biometrics, by definition my most personal information, won’t be stolen?
There is also the question of convenience. The working assumption is that proving something as advanced as one’s biometric profile is inherently complex, expensive and reserved for the highest-sensitivity use cases (e.g. onboarding with a bank or registering for a government service). In reality that is not the case. There are just too many vested interests. Every company in the world claims customer-centricity. Those who want to put the user at the heart of a digital identity ecosystem might do so, but only in THEIR ecosystem. Their intranet of services.
There are some countries that have succeeded with a digital identity framework. Estonia and India are notable examples. In the case of India, the Aadhaar scheme was remarkable in its scope and ambition, even if not in its execution. To register over 1 billion citizens and enable them to interact with services, digital and physical, using their unique ID is no mean feat. And yet there is still no way for me, as an individual, to use my identity as a more core, immutable, impenetrable credential. I can’t use it as my password.
The opportunity that weak methods of ID verification (passwords) afford to a cyber-criminal should not be underestimated. The effects can be devastating. According to the 2019 Identity Fraud Study from Javelin Strategy & Research, 14.4 million consumers were victims of identity fraud in 2018, and they bore a heavier financial burden than ever before: 3.3 million people were responsible for some of the liability of the fraud committed against them, nearly three times as many as in 2016. For the victims, out-of-pocket fraud costs more than doubled from 2016 to 2018, to a staggering $1.7 billion.
With the technology available today, you would think there is a better way. And there is. I can use my identity, my biometrics, to unlock services. I can have ultimate control of what I share, when I share it and who I share it with. Any business, any government department, any service provider who wants to verify my identity can do so. With my permission. 123456 fewer headaches.