Zack Whittaker’s post on whether we still need usernames/passwords is fueling an interesting debate at ZDNet.  The premise is familiar  – everyone is tired of storing their hundreds of passwords in an Excel sheet or a password management app.  Wouldn’t it be nice if all websites would just “join hands” so to speak, and create a magic unified ID access mechanism that would be simple, easy to use, super secure and not cost a zillion dollars to implement?

The debate on usability vs. security somehow always leans towards usability as the obvious choice (we all like “simple”).  Yet every day, all around us we are faced with the very same dilemma:

  • Airport security. Yes, I want to just show my ticket at the counter and go straight to the airplane door … no frisking, please.  Unfortunately, not all people are getting on the plane just to travel from A to B.  Some of them try to carry explosives on board.  Our concern for safety will allow for more stringent access control to the planes.
  • Government. The Bolshevik revolution started with the social ideal of universal equality.  The Communists believed that every man is inherently good, if he was only given the right tools and opportunities.  Give everyone an equal amount of food, money, clothes, housing, work, and paradise will descend upon us.  Of course, the masses should be defenseless because the State will protect them.  Being different or more gifted than others is also uncool, because you just make the others look bad (remember – universal equality).  If you had to live through that atrocious Communist experiment, would you rather have a meager, but stable and predictable existence where most of your basic needs are met, or would you chose total freedom and personal responsibility for your own success (and failures).  It is incredible, but usability (so to say) wins here too.  People want it easy when it comes to government – basic needs trump individual freedoms.  In a recent poll, 60% of Russians still regret the break up of the Soviet Union.
  • Online Privacy. There’s been a major paradigm shift in how our society views personal issues.  We now easily discuss very private events and feelings with hundreds of our Twitter and Facebook followers.  Our trust in online privacy created a new (false) sense of security in believing that we still control the information. How much inconvenience would you bear (in terms of access security) to make sure that your social networking accounts are never compromised and misused?  My LinkedIn account is connected to many people I respect and appreciate.  The last thing I want is for someone to hijack my credentials and discredit my reputation or my network.

–       Zack Whittaker asks “How would you fix it?” (the password clutter vs. security issue).

I’d like to suggest that G.K. Chesterton’s response to the famous question “What is wrong with the world?” applies in this case.  Chesterton’s response was written in a form of a letter to “The Times” which initially posted the question:

Dear Sirs,
I am.
Sincerely yours,
G. K. Chesterton

What is wrong with the username and password?  I am.  The user is.  As long as the user has the ability to share authentication credentials, he is vulnerable to social engineering (phishing) attacks.  We assume (much like the Communists did) that the user is generally smart and responsible . . . we just need to build higher walls for the enterprise technology or web services (firewalls, etc.).  I agree that the usability has to remain high, and mutual authentication, specifically graphic passwords, is one of the few security approaches that increases access security, while targeting the weakest link – password shareability.  When using graphic passwords, the user has no ability to easily share his password by typing it, disclosing it on fake websites, sending it by email or even writing it down on a piece of paper.

Our use of technology in everyday life has changed how we live now, 45 years after the first mainframe computers were built.  Yet, we continue to use a 1960s access control mechanism.   Passwords have evolved into the 21st century and it’s time to benefit from it.