I’ve been asked to write some pieces about consumer and security issues at IBM’s SecurityIntelligence site. The first one was released today. There’s a quick abstract below, but you can read the whole piece on IBM’s page.
Two things surprised even me while working on this story. First, how few people have turned on two-factor authentication at services like Gmail. Second, how many different kinds of two-factor signups exist. Consumers already have to remember 150 passwords, I wrote recently. Now they are supposed to remember 150 different kinds of text messages, authenticator apps, and so on? It’s too much.
I’ve been writing about moving “beyond the password” for my entire career, which is... longer than I care to mention. There are plenty of reasons for it, and I’m always loath to blame consumers and workers. After all, they are just trying to get through the day, get their kids to school, not get fired by their boss, work through the fight with their spouse, eat better because the doctor said so, etc. etc. So when people fail to use something that supposedly helps them, I see it as a design flaw, not laziness. The pros, the software engineers and privacy professionals, should just take care of these things and make it easy on the rest of us. That’s their job.
It’s not easy, however. And there are things smart people can do to protect themselves in the meantime. You can and should turn on two-factor authentication. Here’s my post on how to do that. Meanwhile, below, I explore why two-factor has been slow on the uptake, and offer a glimpse of hope for the future.
Decades into the campaign, the effort to wean users off simple password protection hasn’t gone very well. Fingerprints, iris scans, tokens… these methods have all been tried and met with only limited success. The security industry’s best chance yet? It’s a sort of half-measure that lets users keep their passwords but adds a second element (or “factor”) to logins.
However, data on the uptake of two-factor authentication (2FA) shows that this once-promising strategy hasn’t succeeded either. A combination of usability problems, fallibility and just plain stubbornness has preserved the role of plain old passwords at many places.
What’s so fallible about 2FA? It often relies on consumers’ smartphones. Much like Social Security numbers in the U.S., it’s a role smartphones weren’t designed to play. So, many implementations haven’t proven to be robust.
Help might be on the way, however, as mobile carriers are working together on a solution. If they pull it off, perhaps two-factor might finally catch on with the masses — but that seems a distant possibility at the moment.
(Disclosure: I received a small fee from IBM for writing this piece; the firm did not tell me what to say.)
If you’ve read this far, perhaps you’d like to support what I do. That’s easy. Buy something from my NEW LIBRARY AND E-COMMERCE PAGE, click on an advertisement, or just share the story.