Our increasing use of computers has heightened the importance of how we identify ourselves to computer systems (identity authentication). I was horrified when a quick count of user names, passwords, and PINs I am required to have in use to access my on-line accounts and memberships numbered in the hundreds! An obvious consequence of having this many (in an attempt to avoid too much reuse) is the inability to operate safely and securely and at the same time observe the security advice not to write them down but to commit them to memory. This is made even harder when a preferred or regular ‘user name’ isn’t available and you are forced to adopt an automatically generated alternative. If you are lucky, or named ‘Xavier’, ‘Yolander’, or ‘Zenah’, it might contain some letters that are meaningful to you, but these are usually random and system generated with an alphanumeric mix of upper and lower case characters. Some systems also force you to change the password on a regular basis and won’t allow you to reuse any of the previously used passwords, or parts thereof, or repeat numbers in sequence, or use full stops, underscores, or other symbols, or even letters in alphabetical sequence (ascending or descending).
Having just changed laptops I realised how dependent I had become on the machine to automatically insert passwords when it recognises the initial character of a valid user name. Yet it took nearly fifteen minutes to remove any trace of personal data from an on-line airline check-in transaction for a flight using a publicly accessed computer in a hotel, this taking longer than the transaction itself! So now I’m reduced to a listing of accounts with user names, passwords, i.e. a directory of what I have to remember, but where do I store it, and do I dare take it anywhere with me? This ‘PIN and password blindness’ drives some unusual behaviour. My mother-in-law used to embed her ATM PIN within a fictitious telephone number in her address book as a way of remembering what numbers to use. So it should be no surprise that the most frequent call made to computer help desks is password related, especially when the user returns to work following a vacation!
Research conducted during 2005 suggested that adults on average had two PINs and eight usernames to remember, and fewer than 60% of respondents could remember two of them unprompted. One in four had twice this many and some have 45! It would be interesting to see if in the last three years this trend has increased, especially following the introduction of Chip and PIN card transactions and the growth of broadband, internet usage, and on-line transactions. I can’t believe my experience is so abnormal and would be interested to hear if you have a similar experience.
Whilst speaking to a group of South African retailers in Cape Town we discussed the likelihood of using biometrics at the point of sale, a move that apparently many South African retailers are quietly supporting, as are the banks in an attempt to counter ATM fraud and customer authentication. The use of fingerprint identification is being seriously evaluated in order to remove the use of PINs. This was all looking promising until an unwitting bank official made a bullish statement in a newspaper article that fingerprint identification would make it difficult for the ATM criminals, as “it would mean that they would have to chop off a person’s finger to gain access to their money”. In a country that has experienced some of the world’s highest crime rates and personal attacks I’ll leave the rest of this tale to your own imagination!
Registration is a prerequisite of using many on-line services these days, and nearly everything you enter into, such as travel loyalty schemes, supermarket discounts, and cashless parking, has an on-line element that requires that you first register, often including your payment details (i.e. credit card and bank account numbers), and hence generates even more user names and passwords. (See ‘Thinking Aloud No 3’). Just reflect on how many of your Christmas gifts this year will require on-line registrations for guarantees and after-sales service, as they incorporate a ‘software key’ which you have to access on-line to enable use of the product.
A recent change of job brought this ‘password scrabble’ to a head for me. The number of ‘registrations’ that use an email address as a proxy for username forced a string of changes. This was a real test of my recall of ‘passwords’ and even memorable events, places, and the meaningful security question prompt, especially for those less frequently used or dormant accounts. So frequently used are my mother’s maiden name, first school, road I grew up in, favourite place, and the names of my pets, that they must now cease to be secure, especially as you increasingly run the risk of your bank records or patient medical records being on a computer disc that is ‘lost in the post’, or on a laptop stolen from the unattended boot of a civil servant’s car!
I noticed that the instructions on a 2006-7 tax form enthusiastically promote the use of an on-line alternative and encourage you to “Register for the on-line service at www.hmrc.gov.uk and select Self Assessment under do it online”. What they conveniently omit is that in order to register you are first issued with a 12-digit alphanumeric code. Then you need a ‘Unique Tax Reference’ (i.e. a 10-digit number). As I didn’t have a UTR, or any correspondence containing same, for security reasons the Revenue would need to post this to me, with apparently a ten day lead time (heaven forbid that someone might steal my code and pay tax on my behalf)! I would then have to request a PIN, which required yet another posting from the Revenue, and another ten day delay. In total somewhere between 14 and 20 days just to register. Surely this severely undermines the principle of convenience, speed, and ease of operation that an on-line offering is meant to promote, whilst adding to a growing list of identification devices.
We appear happy to run the risk of increased security issues for the perceived convenience and cost effectiveness that digital transactions bring. Our ‘on-line’ persona comprises a combination of secret codes, numbers, and phrases, yet despite our best attempts at securing the technology through encryption, it is the user that is the weakest link. The anonymity of using cash in transactions is once again becoming rather appealing!
Research conducted by ‘Teamspirit’, a financial services marketing company, May 2005.