How your authentication scheme could hurt your business

Consumers often fail to perform transactions online due to authentication failure

About 50 percent of consumers say they frequently find themselves unable to perform transactions because of authentication failure (mostly due to forgotten usernames, passwords or responses to knowledge-based questions), and many do not trust systems or websites that rely only on passwords.

"It comes as no surprise that we continue to see an increase in dissatisfaction from consumers when it comes to traditional authentication schemes involving usernames and passwords," says Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.

"The good news is that there is a new sense of willingness to try emerging technologies and more complex identity verification systems to fix this broken system," Ponemon says.

"In general, 46 percent of consumers say they do not trust systems or websites that rely solely on usernames or passwords," Ponemon adds. "They seem to think it's too easy to break."

He notes, however, that use is not dependent solely on trust. Consumers may not trust a service that relies solely on usernames and passwords, but a majority of consumers will still use it.

Still, he says, "Having strong authentication that works and is convenient is not just good for security purposes, it may be good for business."

The Ponemon Institute surveyed 1,924 consumers between the ages of 18 and 65+ in Germany, the U.K. and the U.S. for the study, which was sponsored by startup Nok Nok Labs, one of the founding members of the Fast Identity Online (FIDO) Alliance. The FIDO Alliance is seeking to replace password technology with a standards-based open protocol that embraces both existing and new authentication methods and hardware.

"What users are saying is, 'Hey, we get enough about security now that we think there should be more than just a username and password around some of the things we do,'" says Phillip Dunkelberger, CEO of Nok Nok Labs and formerly the founder and CEO of PGP Corp. "The FIDO Alliance has doubled in size since we announced it in February. I think that speaks to this idea."

Authentication is the process of validating whether a user is really who he or she claims to be, and the Ponemon study found that many services currently make it difficult and inconvenient for consumers to shop or bank online, request services or just generally use anything that requires restricted access.

Consumers Struggle with Password Deluge

"It's not that web services are deliberately trying to irritate their users. Everyone wants the same thing: to safeguard personal information and communications, and to prevent cyber criminals from breaching online systems," Ponemon says.

"But it's a fine line because providing strong authentication has traditionally brought great cost and complexity for web services and significant hassle for consumers who are forced to navigate arcane multi-step processes. Many web services take the low road and leave consumers to deal with the consequences of password deluge. The result is a higher risk for insecurity of personal information and lost revenue when consumers abandon online activity due to frustration," Ponemon says.

And "deluge" is the right word. According to a study by Janrain and Harris Interactive, about 58 percent of online adults have five or more unique passwords for logon and more than 30 percent have 10 or more passwords. And a study of password habits conducted by Microsoft found that the average user has 25 different web accounts but manages them with just 6.5 passwords.

"This causes a saturation point, especially when websites require regular changes to passwords," Ponemon says. "It also triggers fallout such as reluctance to sign up for new services requiring yet another username/password, or abandoning a web transaction after repeated failed logon attempts."

This has led many users to use either an easily remembered, weak password or to reuse the same password for multiple accounts, Ponemon says. This is backed up by a technical analysis of password data breaches conducted by researchers in the security group of the University of Cambridge Computer Laboratory. The researchers studied data breaches of both Gawker and and determined that among the users that were members of both sites, 76 percent used the same password on both.

"This study shows the challenge presented by our continued dependence on the troubled password," says Dunkelberger. "Not only are breaches increasing because of password re-use across different web services, but this failure and insecurity is reducing consumer confidence when doing business online. It's time we evolved our thinking about how businesses authenticate their customers."

Consumers Want Strong Authentication, Even Biometrics

While consumers are feeling password fatigue, they also appear to be savvy enough to understand that strong authentication is important. Ponemon found strong acceptance for the idea of using a multi-purpose strong identity credential: 51 percent of respondents in the U.S., 45 percent of respondents in the U.K. and 62 percent of respondents in Germany were in favor.

Additionally, these consumers named identification and authentication when traveling, accessing the Internet and using social networks as the most popular reasons for having a single ID.

Consumers are increasingly open to the idea of using biometrics for authentication.

"Most respondents are comfortable with using biometrics, and believe it is acceptable for a trusted organization such as their bank, credit card companies, health care provider, telecom, email provider or governmental organization to use factors such as voice or fingerprints to verify their identity," Ponemon said.

Only 31 percent of U.S. respondents, 30 percent of U.K. respondents and 26 percent of German respondents indicated they were not comfortable with biometrics. In fact, German respondents on the whole favor biometrics for managing multi-purpose identity credentials. Respondents from the U.S. would prefer to use their mobile devices for identification purposes and respondents from the U.K. favor the use of RFID chips.

Consumers also indicated that when it comes to biometrics, they are most comfortable with voice recognition and facial scans. U.S. and U.K. respondents were least comfortable with iris scans and German respondents were least comfortable with fingerprints.

Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers.
