As more and more of our existence has moved online, we’ve become ever more dependent on that bane of the connected life: passwords.
They’ve become so pervasive and complicated (one capital letter, one number, one punctuation mark, one emoji, one lock of hair) that it’s become virtually impossible for most humans to use and remember different passwords for all of their accounts.
Nearly three-quarters of passwords are reused on various accounts, with an average of six passwords being used across 24 accounts, according to a recent report by mobile identity solutions firm TeleSign. “It’s a huge problem,” TeleSign CEO Steve Jillings says. “Password fatigue is just out of control.” That means that even though consumers know the basics of “password hygiene,” they’re not practicing it. The two most popular passwords found on the Internet last year were (once again) 123456 and “password,” according to password management provider SplashData.
It seems that there’s a news report every week that some retailer or bank or social media site has been breached, with hackers accessing millions of users’ personal information and financial data. In the past year, 40 percent of consumers said that they had received notice that they’d been breached.
Even the systems put in place to create strong and secure passwords are targets. Last week, password management tool LastPass revealed to users that it, too, had suffered an attack by hackers, although the company said that user data was safe. Some experts say that the solution is to get rid of passwords entirely. Everyone hates them and they’re becoming less effective.
The smartphone solution
Corporate America discovered years ago that two-factor authentication (which confirms your identity by asking for a code generated on another device) was a much safer way to verify employees who need remote access. That worked great for single company accounts, but it’s not a good consumer option since people can’t carry around multiple devices with access codes for all of their various accounts.
Enter the smartphone. Its utter ubiquity means that consumers always have access to a secondary device that companies can use to confirm their identity. Big companies like Facebook, Google and most banks now require two-factor authentication with a remote access code in order to access consumer accounts.
Now companies are using the smartphone’s capabilities to go beyond access codes. Apple Pay, the newly released Android Pay, and the soon-to-come Samsung Pay already allow consumers to use their fingerprints to verify payments with their mobile devices. The phones rely on near-field communication chips and require a retailer to have an NFC-enabled device at point of sale, which a growing number of retailers, including Macy’s, Walgreens, and Whole Foods, have adopted. Research firm IHS expects the market for fingerprint scanners on handsets and tablets to reach $1.75 billion in the next five years.
Earlier this year, financial services giant USAA deployed multiple biometric options for logging in to its mobile app. More than 650,000 members have opted to log in to their accounts via touch, voice, or facial recognition, and another 4,000 are signing up every day, says Rick Swenson, a fraud operational excellence and strategic initiatives executive at USAA. “As we see more rapid adoption, it’s exceeding our own expectations,” he says.
Some of the other biometric solutions involve unique identifiers like your heart rate or temperature. Amazon has reportedly patented a system that distinguishes individuals based on the shape of their ear. Taking it one step further, a PayPal executive earlier this year told The Wall Street Journal that the next wave of identification technology includes devices that can be embedded, injected, and ingested in the body.
Experts say that biometric logins could be the norm within two years. While that system is certainly more secure than the current password system, hackers are already trying to find vulnerabilities in those systems. If they succeed, the problems for consumers who become victims of ID theft could be even greater than those we currently face. “If for some reason I’m compromised now, I can change my passwords,” says Patrick Peterson, founder and president of cyber security company Agari.
Protect yourself now
While you wait for the latest technology to filter down to consumers, there are a few best practices recommended by security experts. First, be sure to use different passwords for at least your most sensitive accounts, including finances, email, and social media. (The latter two are important to protect because they could give hackers the ability to find information or change the passwords on financial accounts.)
Second, set a PIN on your phone. That way if it’s stolen, thieves won’t be able to use it to work their way into the rest of your accounts. If your phone does go missing, report it to your service provider right away, so they can put a block on it, making it unusable. There are also some tips on how to remember strong, unique passwords.