With the growth of the Internet as a vehicle for communication, it is inevitable that users will want to authenticate themselves. This has been driven even further by the adoption of social media services. The issue then comes when we create an account for these services. Kemp outlines that for the site in question, “minimal friction” when logging in is desired, as it results in more time spent on the site, driving high revenues and so on (Kemp, 2011). Paradoxically, this creates an issue for the company should the authentication friction (a phrase I will use to refer to the ease and/or speed of logging in) be so minimal that it is no longer secure. This harms the image of the service provided, since users feel their personal information may be at risk (Gish and Demand Media, 2011). It is therefore imperative that the company or service requiring an account online finds a balance between reducing the authentication friction and maintaining security.
Of course, the issue cannot always be attributed to the failings of the company to offer an authentication system. Almost all companies now offer advice and help when creating a password, in addition to often having dedicated security advice websites (Microsoft, no date). This would appear to suggest that a breach of security for a web account might often be a result of the user rather than the company itself. Taking just one data set to analyse this (the database of passwords from the recent Ashley Madison leak), the top five passwords are as follows:
This shows an apparent naivety, or even laziness, on the part of the users, as they disregard advice offered to them by companies. This is where the Web Science dimension to this problem can be seen. Regardless of advice offered, and of password management systems such as 1Password (Agilebits, 2015), the social context and attitude of the users continue to restrict security when authenticating online.
Changing the password
It is therefore apparent that a new method of authentication is needed online, and its achievements must be threefold. Firstly, at a basic level, it must be secure, and should only allow the authenticated user access. Secondly, it must minimize authentication friction. A system that requires a number of steps, or visiting numerous sites (manually or via redirects) would not be effective, and would harm a site’s usability and simplicity. Indeed, it is arguable that the authentication friction would have to be less than the creation and storage of complex passwords, as this system is currently available but not utilised. The third and final achievement of a new authentication system would be to break down the social attitudes to passwords and online security. It must strike a balance between convincing users additional security is needed (and thus encouraging them to adopt the new authentication system) and convincing them that the system is easier to use than the current system of passwords.
While I would not want to direct you to a specific password alternative in this article, I would like to talk about Clef. Clef is a system I use to log in to the admin area of this site, after a very simple installation of a plugin. I was offered the opportunity to display a button at the bottom of my site to show that I was using Clef, and you can see that button there today. Clef uses my iPhone’s camera (you need to have the partner app installed) to synchronise “waves” that appear on the computer’s screen instead of a username and password field. This whole process takes only a couple of seconds. Clef authentication is far more secure than passwords, as I am required to authenticate on the Clef app with TouchID before I can synchronise the waves, meaning it acts as an incredibly user-friendly method of two-factor communication. The final benefit I will talk about is the ability to seamlessly log out from all of the sites that use Clef, straight from your mobile phone.
That is all I will say on Clef for now, but if you would like to give it a try, visit their site to install a Chrome Extension, or log in or register on this site. Yep, you can try the process right here on this site. Navigate to the “Register” option on the menu on the home page. Then choose the “Register with your phone” option from the blue Clef button below the usual registration boxes, and the Clef system will guide you through. While Clef is my current authentication system of choice, some of you might have others, so drop me a line in the comments. Let me know if any problems are encountered on my site with Clef, as I am still going through the testing phase of this log on system – thanks!