Security versus Human Nature: Is the whole somehow less than the sum of the parts?
For every new and enhanced login and password authentication that is put in place, we may be improving perceived security while reducing actual security. Is it time for a new security paradigm?
When you stop and think about how many logins and passwords a typical knowledge worker and modern technology user may have in their life as a whole, the number could be staggering. One is tempted to ask what we don’t log into or authenticate to anymore; the coffee maker, perhaps. On second thought, I wouldn’t be surprised if there are already coffee makers out there where you can create a profile that is uniquely yours, thus requiring you to identify yourself to the system.
• Each security/authentication check has unique, yet somewhat similar, rules for password structure and for how often credentials have to be renewed.
• Some systems use an email address as the login, others use the full first and last name, others use some abstraction of your name, and others allow complete freedom to create an alias.
• Passwords vary in length and in their requirements for capitals, numerals, special characters, etc.
...and that’s not even counting all the PIN codes we have to manage.
I think that we have enough readily available insights into the limitations of human capacity for memorizing non-patterned and changing information to realize that we are already beyond what we can reasonably expect to manage in our heads.
Put differently, I think that few people genuinely believe that a person can possibly remember all these unique logins, passwords and key codes and at the same time avoid:
• Creating patterns/systems in their passwords across multiple sites
• Writing them down and storing them in a text file on their desktop or on a USB stick
• Writing them down on a piece of paper kept on their person, in a purse or wallet
• Creating passwords that are simple derivatives of name and number sequences
• Creating passwords that are “entry-friendly” (i.e. easy to type)
Ultimately, human nature will assert itself. We are essentially faced with the following alternatives:
1. Follow the rules and guidelines for logins and passwords across the board, and forget them so often that we undermine our productivity by raising tickets and calling the helpdesk all the time for reminders or resets.
2. Write them down, thus creating a “master key” that is a lot less secure for both our organization and our personal lives.
3. Create patterns in our logins and passwords that we believe we can actually memorize, an obvious choice being a letter-number combination that can be updated when the time comes to refresh the passwords. This too lowers the level of security by orders of magnitude.
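As an added, defender-side illustration of alternative 3 (example code written for this page, not from the original post): a password-history check that flags a candidate password which is merely a patterned rotation of a previous one, such as the same word with the number bumped. The function names and the rules for what counts as “trivial” are my own assumptions, not any product’s policy.

```python
import re

# Trailing "decoration" that users tend to rotate: digits, then a few punctuation marks.
_DECOR = re.compile(r"\d*(.*?)\d*[!@#$%^&*.?_-]*")


def stem(password: str) -> str:
    """Case-fold and strip leading/trailing digits and trailing punctuation,
    leaving the memorised core, e.g. 'Winter2024!' -> 'winter'."""
    return _DECOR.fullmatch(password).group(1).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_rotation(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is a predictable derivative of `old`: the same core with a
    different number or suffix, a case change, a short append/truncation, or
    within `max_edits` single-character edits (the thresholds are assumptions)."""
    o, n = old.lower(), new.lower()
    if o == n or o in n or n in o:          # unchanged, appended to, or truncated
        return True
    s = stem(old)
    if s and s == stem(new):                # Winter2023! -> Winter2024!
        return True
    return levenshtein(o, n) <= max_edits   # P@ssw0rd -> P@ssw0rd1 style tweaks


def violates_history(history, candidate: str):
    """Return the prior password the candidate trivially derives from, else None.
    `history` is the list of the user's previous passwords (constructed input
    in the tests; a real deployment would compare against stored hashes or
    run this check at change time, before hashing)."""
    for previous in history:
        if is_trivial_rotation(previous, candidate):
            return previous
    return None
```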
If you’re still with me, a couple of questions probably come to mind, perhaps along the lines of who is responsible and what can be done about it.
The system providers and security officers can’t reasonably be blamed, as their span of influence only reaches some of the authentications we have to go through to get access. Looked at individually, the authentication requirements perhaps aren’t unreasonable. It’s the paradigm that is flawed, because it doesn’t look at authentication holistically, or even just from the user’s perspective.
To me, the only “single sign-on to your life”, if you will, and perhaps the most obvious alternative, appears to be biometrics. That comes with a whole other set of challenges, of course, but at least you wouldn’t have to remember anything.
Eventually, an alternative has to be developed. If not, the level of actual security will go down as the number of authentications required of us goes up.
What do you think?
Service Delivery Director at Indigena Solutions