CIO

How your authentication scheme could hurt your business

Consumers often fail to perform transactions online due to authentication failure

About 50 percent of consumers say they frequently find themselves unable to perform transactions because of authentication failure, mostly due to forgotten usernames, passwords or responses to knowledge-based questions, and many do not trust systems or websites that rely only on passwords.

"It comes as no surprise that we continue to see an increase in dissatisfaction from consumers when it comes to traditional authentication schemes involving usernames and passwords," says Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.

"The good news is that there is a new sense of willingness to try emerging technologies and more complex identity verification systems to fix this broken system," Ponemon says.

"In general, 46 percent of consumers say they do not trust systems or websites that rely solely on usernames or passwords," Ponemon adds. "They seem to think it's too easy to break."

He notes, however, that use is not dependent solely on trust. Consumers may not trust a service that relies solely on usernames and passwords, but a majority of consumers will still use it.

Still, he says, "Having strong authentication that works and is convenient is not just good for security purposes, it may be good for business."

Ponemon Institute surveyed 1,924 consumers between the ages of 18 and 65+ in Germany, the U.K. and the U.S. for the study, which was sponsored by startup Nok Nok Labs, one of the founding members of the Fast Identity Online (FIDO) Alliance. The FIDO Alliance is seeking to replace password technology with a standards-based open protocol that embraces both existing and new authentication methods and hardware.

"What users are saying is, 'Hey, we get enough about security now that we think there should be more than just a username and password around some of the things we do,'" says Phillip Dunkelberger, CEO of Nok Nok Labs and formerly the founder and CEO of PGP Corp. "The FIDO Alliance has doubled in size since we announced it in February. I think that speaks to this idea."

Authentication is the process of validating whether a user is really who he or she claims to be, and the Ponemon study found that many services currently make life difficult and inconvenient for consumers to shop or bank online, request services or just generally use anything that requires restricted access.

Consumers Struggle with Password Deluge

"It's not that web services are deliberately trying to irritate their users. Everyone wants the same thing: to safeguard personal information and communications, and to prevent cyber criminals from breaching online systems," Ponemon says.

"But it's a fine line because providing strong authentication has traditionally brought great cost and complexity for web services and significant hassle for consumers who are forced to navigate arcane multi-step processes. Many web services take the low road and leave consumers to deal with the consequences of password deluge. The result is a higher risk for insecurity of personal information and lost revenue when consumers abandon online activity due to frustration," Ponemon says.

And "deluge" is the right word. According to a study by Janrain and Harris Interactive, about 58 percent of online adults have five or more unique passwords for logon and more than 30 percent have 10 or more passwords. And a study of password habits conducted by Microsoft found that the average user has 25 different web accounts but manages them with just 6.5 passwords.

"This causes a saturation point, especially when websites require regular changes to passwords," Ponemon says. "It also triggers fallout such as reluctance to sign up for new services requiring yet another username/password, or abandoning a web transaction after repeated failed logon attempts."

This has led many users to use either an easily remembered, weak password or to reuse the same password for multiple accounts, Ponemon says. This is backed up by a technical analysis of password data breaches conducted by researchers in the security group of the University of Cambridge Computer Laboratory. The researchers studied data breaches of both Gawker and Rootkit.com and determined that among the users that were members of both sites, 76 percent used the same password on both.

"This study shows the challenge presented by our continued dependence on the troubled password," says Dunkelberger. "Not only are breaches increasing because of password re-use across different web services, but this failure and insecurity is reducing consumer confidence when doing business online. It's time we evolved our thinking about how businesses authenticate their customers."

Consumers Want Strong Authentication, Even Biometrics

While consumers are feeling password fatigue, they also appear to be savvy enough to understand that strong authentication is important. Ponemon found strong acceptance for the idea of using a multi-purpose strong identity credential: 51 percent of respondents in the U.S., 45 percent of respondents in the U.K. and 62 percent of respondents in Germany were in favor.

Additionally, these consumers identified identification and authentication when traveling, accessing the Internet and using social networks as the most popular reasons for having a single ID.

Consumers are increasingly open to the idea of using biometrics for authentication.

"Most respondents are comfortable with using biometrics, and believe it is acceptable for a trusted organization such as their bank, credit card companies, health care provider, telecom, email provider or governmental organization to use factors such as voice or fingerprints to verify their identity," Ponemon said.

Only 31 percent of U.S. respondents, 30 percent of U.K. respondents and 26 percent of German respondents indicated they were not comfortable with biometrics. In fact, German respondents on the whole favor biometrics for managing multi-purpose identity credentials. Respondents from the U.S. would prefer to use their mobile devices for identification purposes and respondents from the U.K. favor the use of RFID chips.

Consumers also indicated that when it comes to biometrics, they are most comfortable with voice recognition and facial scans. U.S. and U.K. respondents were least comfortable with iris scans and German respondents were least comfortable with fingerprints.

Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com. Follow Thor on Twitter @ThorOlavsrud. Email Thor at tolavsrud@cio.com