Password Security Fail: Are We Unteachable?
I recently decided to book a little getaway. A one-week trip to somewhere warmer and with a bit more sunshine. When you live in Central Europe, it’s pretty easy to get exactly that if you head south. So I decided to check out what flights easyJet offers from Zurich to anywhere south of the 12° longitude line. Anywhere south of Rome should do the trick.
A quick search yielded exactly one option: Porto. I’ll take it! The location was perfect – -8 ° longitude – and the price was right. Time to book!
So, the first step: log into easyJet. Do you know your easyJet password? Or the password for whatever airline or travel booking service you use? I certainly don’t. I saved it in my keychain password on my private computer, but I was trying to book this trip from the easyJet app on my phone during work lunchtime.
After three failed attempts (password incorrect), I was prompted to reset my password. Great. That meant I would have to remember to resave it in my password keychain on my home computer. I went ahead anyway, as I didn’t want to miss out on a great deal.
With my flight booked, and a new and very complicated password to remember, I decided to look for accommodation in Porto. I’m sure you know where this story is going. For whatever reason, I could not log into my booking.com app on my phone. That password was actually stored in my iPhone keychain, but I kept receiving a login error message. Without logging in, I wouldn’t have seen the special deals available to me as a regular customer. Nor would I be able to book if I found something. Unless, of course, I wanted to go through the process of resetting my password for that account, too. No thanks! Frustrated, I gave up for the day.
The customer problem with passwords
Think about all the digital services you have and all the online or app accounts that you use on any given day. The number is probably pretty high. From social media accounts to banking accounts to software accounts to work accounts. The list goes on and on. With much of our working, living, shopping, booking and more taking place on computers, the average number of passwords we have has been estimated at 100. That’s 100 passwords, which should all be unique, which should all contain some combination of lowercase and capital letters as well as symbols and numbers, and which we should ideally remember.
I’m pretty responsible when it comes to setting passwords. I follow all the guidelines outlined in well-thought-through password policies to ensure that my account is as secure as it can possibly be. With a password… And yet I often find myself wondering why companies invest so much time in creating password policies when there are far simpler options available. But more about that later!
On top of that, the password-protection system isn’t always hassle-free, even if you do remember your password. If you look at the FAQs for almost any of your online services, you’ll most likely find a thorough explanation for all the reasons you might not be able to access your account, even though you’re using the correct password or have reset your password. If your password is not working, it might be because you have to delete your cache (which by the way, also logs you out of all the other online platforms you might be logged into. So, very annoying if you’re not using a password keychain!). Your old password may still be stored in your password keychain (as was now the case for my easyJet account on my home computer). You might also be using an incompatible browser or you may just need to update to the latest version of your browser.
And my congratulations to you if you go through all these potential fixes and manage to gain access to your account. Apparently, getting locked out of online accounts is not a particularly unusual occurrence. Especially considering that large companies spend upwards of 3.6 million euros a year on password resets.
But this is all just customer frustration, right? It’s the price users pay to ensure that their data is secure. Well, not really. It turns out passwords aren’t very safe at all.
The corporate problem with passwords
Let’s go back to those password policies I mentioned. Companies invest a good amount of time and energy into creating password policies for their employees and users. These policies set out the parameters for secure passwords – passwords that are not easily hackable. In theory, having passwords that are so complex that users can’t even remember them is a great way to thwart cybercriminals. The problem is that, even now, users are simply not following these guidelines and recommendations. According to a study, the most common passwords are still variations on 12345, password, 111111, and qwerty. Although number 3 for men in the UK is ‘liverpool’ and number 8 for women in the US is ‘iloveyou’. How romantic! And 100 per cent not secure.
Why are users still so flippant when it comes to password safety? Probably because they’ve got those 100 passwords bouncing around in their brains. And although password keychains are a great solution, you’ll remember from my travel booking experience that this solution isn’t necessarily foolproof because it requires you to link your devices or always use the same device.
However, the problem for companies extends beyond security issues. Remember how I decided to abort my holiday booking process because I couldn’t access my booking.com account? This is a common response from users who experience obstacles when accessing their accounts. This is particularly apparent in the retail sector, where a study by Shopify determined that “e-commerce stores lose $18 billion in sales revenue each year because of cart abandonment”. That’s a sizable loss for a problem that is so easy to fix.
Solving the password problem
So, is there a way to fix the problem with password-protected portals and services? Yes! And it starts with the elimination of passwords. That might sound counterintuitive but hear me out. It is very hard to forget your password, lose your password, or use a password that is too easy if your “password” is your fingerprint or your face. And that's exactly what Nevis makes possible with its password-free, biometric authentication technology.
How would this work? Well, let’s say booking.com was to integrate the Nevis Authentication solution. The next time I wanted to search for accommodation using the app, I would open it, follow the prompt to login in using Face ID (in my case, since I use an iPhone), and then I would be logged in. That’s it. No typing in the wrong password several times only to get temporarily (or permanently!) logged out after too many failed attempts, no entering single-use PINs to verify who I am, no resetting my password (because resetting our faces is not only impossible but also super creepy!).
The Nevis Solution makes it possible to integrate two-factor and multi-factor authentication security protocols. This feature can be scaled to the data sensitivity level, with more sensitive data requiring additional verification factors such as a single-use PIN or geolocation. This ensures that access remains as convenient as possible while providing added security if necessary.
There are plenty of online portals and apps that already rely on this technology, especially banks and payment apps (like PayPal). They use it because it is nearly impossible to hack and provides customers with the high level of security that such sensitive data demands. However, this solution also provides a level of ease and convenience that builds brand loyalty. And it can easily be integrated into health insurance apps, retail store apps, and social media apps. The benefit to both customers and businesses is immeasurable. So, if you’re interested in streamlining the login processes, keeping customers satisfied, cutting down on password-related customer service costs, and eliminating unnecessary revenue losses, it’s time to consider a passwordless future!
