An article on the BBC recently reported: “More than two million stolen passwords used for sites such as Facebook, Google and Yahoo and other web services have been posted online. The details had probably been uploaded by a criminal gang, security experts said. It is suspected the data was taken from computers infected with malicious software that logged key presses. It is not known how old the details are, but the experts warned that even out-dated information posed a risk.” At around the same time I received a terrifying email from Adobe:
The impact of this attack on Adobe was so significant that Eventbrite sent me an email stating that my account details were included in the stolen list, and that I had to take safety measures. Phew! At least I learned in bold letters from a third party that my details were in the list!
This incident (and other disheartening facts about passwords) got me thinking about UX in relation to online security and passwords... What are the options if we want to better manage, remember, and easily get rid of multiple passwords?
Password management apps provide a safer way to store your passwords than the save-password feature of your web browser. They store the login details for the accounts the user has selected and autofill the login form whenever the user visits one of those sites. Most of them will also generate strong, unique passwords on the user's behalf. The stored passwords are kept in an encrypted vault whose key is derived from a single master password, so the user only has to remember that one secret, and a different random password can be used for every site without anyone having to memorise it.
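To make the two mechanisms above concrete, here is an added example (not code from the original post, and not any real password manager's implementation) of the core of such a tool: a CSPRNG-backed password generator with an entropy estimate, and a vault key derived from a master password with PBKDF2-HMAC-SHA256 plus an HMAC "verifier" so the client can tell a correct master password from a wrong one without storing the key itself. The iteration count, the `vault-key-check` label and the sample master password are assumptions chosen for the example.

```python
"""Password-manager core, as an added illustration: strong password generation
plus a vault key stretched from one master password (Python stdlib only)."""
import hashlib
import hmac
import math
import secrets
import string
from typing import Optional

ALPHABET = string.ascii_letters + string.digits + string.punctuation
DEFAULT_ITERATIONS = 600_000   # assumed cost; tune to ~250 ms on the target device


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character with a CSPRNG; retry until every character class
    present in the alphabet appears at least once (many sites require that)."""
    if length < 4:
        raise ValueError("length must be at least 4")
    classes = [cls for cls in (string.ascii_lowercase, string.ascii_uppercase,
                               string.digits, string.punctuation)
               if any(c in alphabet for c in cls)]
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Guessing entropy of a uniformly random password over the alphabet."""
    return length * math.log2(len(set(alphabet)))


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte key. The per-vault random
    salt defeats precomputation; the iteration count slows offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def make_verifier(vault_key: bytes) -> bytes:
    """A tag stored alongside the vault so a master password can be checked
    locally; it reveals nothing about the key to someone who steals the file."""
    return hmac.new(vault_key, b"vault-key-check", "sha256").digest()


def unlock(master_password: str, salt: bytes, verifier: bytes,
           iterations: int = DEFAULT_ITERATIONS) -> Optional[bytes]:
    """Return the vault key if the master password is right, else None.
    compare_digest avoids leaking which bytes of the tag matched."""
    key = derive_vault_key(master_password, salt, iterations)
    return key if hmac.compare_digest(make_verifier(key), verifier) else None


if __name__ == "__main__":
    salt = secrets.token_bytes(16)                 # generated once per vault
    key = derive_vault_key("correct horse battery staple", salt)  # assumed master password
    verifier = make_verifier(key)
    print("site password:", generate_password(),
          f"({entropy_bits(20):.1f} bits)")
    print("unlock ok:", unlock("correct horse battery staple", salt, verifier) == key)
    print("wrong master:", unlock("wrong", salt, verifier))
```

Note that the vault file needs the salt, the verifier and the ciphertext of the entries (encrypted under `key` with an AEAD such as AES-GCM, which is left out here because it needs a third-party library); the master password itself is never written anywhere.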
“Something you know and something you have” is the idea that underpins 2-step authentication. A common example is the one used by e-banking systems: to complete a transaction the user receives a one-time code on their phone, so a stolen password alone is not enough. Most popular e-banking services have implemented a similar process. Although 2-step verification sounds straightforward it doesn't always work perfectly, and when it fails the user experience suffers. On one occasion I was waiting for Dropbox to text me a security code (required to sign in to my account), but since there was a delay in the delivery, I kept requesting new codes. This led to a vicious circle of codes becoming inactive because a new code had been generated… In the end I had to wait for 20 minutes to make sure all the codes had arrived so I could use the last one to log in. Excitingly, Google are working on what might be the future of 2-step! They are developing a USB token that can be used as a door key to unlock all online accounts.
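The delivery-delay problem above is a server-side policy choice, and the following added example (not code from the original post, and not how Dropbox or any other provider actually implements it) shows both options. Codes are issued with a CSPRNG, compared in constant time, single-use, time-limited and guess-limited; the only difference between the two policies is whether a re-send cancels the earlier codes. The five-minute lifetime, the three-code window and the five-attempt cap are assumed values for the example.

```python
"""SMS-style one-time codes, as an added illustration of the resend failure mode.
Strict policy: each resend invalidates the previous code, so a user who taps
"resend" while the first text is in transit can never present a valid code.
Window policy: the last few unexpired codes stay valid, without lengthening
the lifetime of any single code."""
import hmac
import secrets
import time
from collections import deque
from typing import Callable, Deque, Tuple

CODE_TTL_SECONDS = 300   # assumed: each code lives five minutes
MAX_LIVE_CODES = 3       # assumed: how many re-sent codes stay valid at once
MAX_ATTEMPTS = 5         # assumed: stop online guessing of a 6-digit code


class OtpSession:
    """One login attempt's worth of codes for one user/device."""

    def __init__(self, keep_previous: bool = True,
                 now: Callable[[], float] = time.time) -> None:
        self.keep_previous = keep_previous
        self.now = now
        self.codes: Deque[Tuple[str, float]] = deque(maxlen=MAX_LIVE_CODES)
        self.attempts = 0

    def issue(self) -> str:
        """Generate a fresh 6-digit code (this is what would be sent by SMS)."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        if not self.keep_previous:
            self.codes.clear()   # strict policy: a resend cancels older codes
        self.codes.append((code, self.now() + CODE_TTL_SECONDS))
        return code

    def verify(self, candidate: str) -> bool:
        """Accept a live, unexpired code once; count every attempt, right or wrong."""
        if self.attempts >= MAX_ATTEMPTS:
            return False
        self.attempts += 1
        now = self.now()
        for code, expires in list(self.codes):
            if now <= expires and hmac.compare_digest(code, candidate):
                self.codes.clear()   # single use: success burns all live codes
                return True
        return False


def simulate_late_delivery(keep_previous: bool) -> bool:
    """The scenario from the text: request a code, get impatient, request two
    more, then the first text finally arrives and the user types it in."""
    clock = [1_000.0]                       # fake clock so the run is deterministic
    session = OtpSession(keep_previous, now=lambda: clock[0])
    first = session.issue()
    clock[0] += 60
    session.issue()
    clock[0] += 60
    session.issue()
    clock[0] += 30                          # first SMS arrives 2.5 minutes late
    return session.verify(first)


if __name__ == "__main__":
    print("strict policy, late code accepted:", simulate_late_delivery(False))
    print("window policy, late code accepted:", simulate_late_delivery(True))
```

The window policy does raise the chance of a blind guess from 1 in 10^6 to at most 3 in 10^6 per attempt, which is why the attempt cap matters more than the window size; the code never extends a code's lifetime, only tolerates several being in flight at once.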
Using big (and probably better defended) ecosystems like those of Google, Amazon or Facebook as your identity provider might reduce the risk of having your details compromised. The advantage is that you won't have to create new accounts or remember a number of passwords. However, the identity-provider account becomes a single point of failure: if it is compromised, every site that trusts it can be accessed. Logging in with Facebook has been around for some time now, but I don't think it has taken off. On multiple occasions when I have been conducting user research, people have expressed a reluctance to mix social media with more serious services. I am not sure if this is the case for Google or Amazon accounts, but these ecosystems do have better reputations (if you can disregard the NSA revelations).
Biometrics as a means of identification are becoming very popular. Facial recognition is common in airports, and in consumer technology the new iPhone has a fingerprint scanner (probably the first popular product to have such a feature). But are biometrics a reliable alternative? A team of hackers bypassed the iPhone's fingerprint scanner with a cleverly reproduced fingerprint, and, unlike a password, a fingerprint cannot be changed once it has been copied. From previous research I've done on biometrics, it does not seem to be a very flexible technology. Fingerprint scanners are very sensitive to scars, injuries or sore skin, and iris recognition systems are vulnerable to environmental conditions such as sunlight. Some argue that an alternative could be the recognition of an eye's blood vessels via a phone's camera sensor. Not a fan of your traditional username and password combo? Neither is the FIDO Alliance, a not-for-profit with a mission to establish standards for online authentication. They are working towards a passwordless future based on biometrics or 2-step authentication:
In case you were looking for something more advanced, futuristic and dystopian, then there are solutions for you as well...
IBM are also working towards a future without passwords, but they have taken biometrics to the next level: they want people to be able to control their electronic devices with their minds. I am worried whether such interfaces allow for second thoughts.
What better way to keep your passwords safe than having them embedded in your body?
Of course passwords didn't escape the wearable trend. Nymi is a bracelet that can replace keys and passwords, and it's available for only $79. I predict that 2014 will be a year in which online security will dominate discussions in technology and will drive innovation in services. Let's hope that anything that happens will be for the benefit of users. What do you think 2014 has in store for online security?