Users Deserve Better, Websites Need to Deliver
By Charles Durkin, Chief Executive Officer, Privakey
Creating a new online account is a dreaded task for most internet users. Complexity and security concerns increase user anxiety with each new username and password combination.
Despite tremendous advances in technology, the problem with online identity and authentication has been getting worse.
The internet’s original design did not include an identity layer, forcing all online businesses to build their own homebrew service for identifying and authenticating users. The resulting proliferation of inconsistent and insecure usernames, passwords and “security” questions is now a bane for users worldwide.
Despite the complexity of creating and managing dozens of passwords, they remain highly insecure. Michael Chertoff, former Secretary of the Department of Homeland Security, stated recently that “passwords are the weakest link in cybersecurity today”. Most experts agree with his assessment.
The password’s primary security flaw lies at the core of the “shared secret” approach to authentication. As soon as a user successfully selects a password, regardless of its length and strength, it is stored along with other user account information. The databases of online service providers such as Yahoo, LinkedIn, and Twitter contain hundreds of millions of user login credentials.
Databases of stored passwords are a highly desirable target for hackers because most users reuse the same password at many sites, including online banks and other financial institutions.
Cybersecurity experts frequently offer guidance on cyber hygiene. Their recommendations include the use of long, complicated passwords and frequent changes to them. Really?
Which users are actually going to follow such advice? The answer is very few — and those that do get help from a robotic password manager.
Password managers add another layer of complexity to the password problem and they do not eliminate the stored passwords from website databases.
Passwords have been around since the dawn of the computer age. It seems quaint now, but not long ago (last year?) many people were still using the name of their child or their pet as their password for most sites.
Most online service providers now have policies that require stronger passwords. They also caution users against password reuse.
While well-intentioned, these policies are making users’ lives more difficult and adding only limited improvements in cybersecurity. Poor user experiences are bad for any business and particularly harmful to online businesses.
Ideally, the login experience would be the same for every website, application or service accessed by the user. The experience would also be highly secure, and it would eliminate stored passwords. Standards organizations have developed digital identity specifications that meet these criteria, and real solutions are available.
Cloud-based identity providers give online service providers the opportunity to improve their users’ experience while eliminating the vulnerability of stored passwords. Yes, this means no more passwords! Eventually.
Over the next several years, professional identity service providers will begin to supplant the millions of homegrown identity and authentication solutions that now dominate the web. These professional service providers will fill in the missing identity layer where it is needed.
The result will be the end of passwords and the beginning of consistent, convenient and secure login experiences across the internet.
About The Author
Charles Durkin is the Co-Founder, President, and Chief Executive Officer of Privakey, Inc. He co-founded the company in 2015 and is responsible for Privakey’s strategy, communications, and execution.
Charlie has served in the same capacity for 8 years at Privakey’s parent company, Probaris Technologies. Prior to joining Probaris, Charlie led a large Ecommerce and Business Intelligence consulting business at General Electric. Charlie can be reached at firstname.lastname@example.org, @CharlesJDurkin, or at the Privakey