Time was that a password was what you whispered to your friend to enter the “secret” hideout. The next password for many of us was the 4-digit personal identification number (PIN) we memorized to get money from an ATM. Now, we have many passwords and PINs: for online banking; for airline travel rewards; for investment accounts and credit cards; and for Amazon Prime, Netflix, Hulu, and YouTube subscriptions. Logging into a home network requires a password, as do your cellphone and the system for viewing your increasingly electronic medical records. In the workplace, there are more passwords, sometimes unified but sometimes with different passwords to access individual systems.
I try to never undervalue security and I respect the advice of industry experts who tell us not to use the same IDs or the same passwords. I do want my data protected; I do not want hackers to be able to get information, money or other resources to which they are not entitled.
Are these passwords and protections necessary? Undoubtedly. Can you remember them all? I can’t. Are the rules crazy-making? Absolutely!
Fortunately, some industry experts appreciate — or share — our confusion and frustration and are continuing their efforts to improve security without building (metaphorical) walls so high that legitimate users cannot get through. Accordingly, in June 2017, the National Institute of Standards and Technology (NIST), which creates widely used standards, updated its “Digital Identity Guidelines,” with special attention to usability.
Electronic systems need to verify that users, that is, the individuals trying to get access, are who they claim to be. This function is called authentication and applies variously to online, telephone, ATM and other remote services. The new guidelines report points out that “from the user’s perspective, authentication stands between them and their intended task.” The text then makes the much-appreciated point that “effective design and implementation of authentication makes it easy to do the right thing, hard to do the wrong thing and easy to recover when the wrong thing happens.” I have not yet found any application that fully achieves this goal, but I am glad this objective has been publicly endorsed by an influential group.
Since it takes time to make, properly test and roll out software changes, some of the recommendations are now starting to show up. Watch for these and consider asking your company’s service providers about enhancing protections for your company’s digital assets.
Fortunately, many of these changes make sense and some are actually user friendly. Unfortunately, these changes may require users to yet again change their IDs and passwords.
Ideally, more than one approach is used to validate (authenticate) your identity. Multifactor authentication, a long-time favorite of IT security professionals, is coming into wider use. The rubric here is “something known, something owned and something you are.” An ATM card, for instance, is something owned and the PIN is something known. A thief lifting your wallet may get the card but won’t know the PIN… unless you have written the PIN on the card. So don’t.
Some services will send a code to your (pre-registered) email or cellphone as the “something owned” test if you log in from an unknown computer. And, logging into websites or sending online requests may require you to check a box saying “I am not a robot” or to do a simple task such as adding 2+3. These are tools to validate the “something that you are” portion of the test. Fingerprint and facial recognition applications also authenticate users. The strength of these tools is multiplied when they are used in combination (at least two and preferably three) rather than as replacements for one another as single authenticators.
Other usability considerations recommended by the NIST experts include
• plain language instructions and options for alternative authentication;
• clear rather than masked text during password or PIN entry to decrease the chances that we’ll be locked out after “fat fingering” the uppercase/lowercase/number/character password requirements; and
• simpler composition rules (versus forced, mixed characters) allowing more characters so that longer but memorable passphrases can be accommodated.
The new guidelines also propose that PINs and passwords do not need to be changed at “arbitrary” fixed intervals — such as monthly or quarterly — but rather, in response to specific threats.
Michele Braun is director, Institute for Managing Risk at Manhattanville School of Business (Michele.Braun@mville.edu 914-323-1238) and is always ready to talk risk and payments as managing executive of The Crossway Group LLC, a consulting and professional training firm (firstname.lastname@example.org).