Password overload, fingerprints and the new iPhone 5s
“Your password must have at least 16 characters, including at least one lowercase and one capital letter, one number, one special character and an underscore. But no dashes. And you have to change it every three months. Oh, and it can’t be the same as your name, birthday, social security number, or last seventeen passwords.”
Does that sound familiar? It’s what most people are dealing with in an increasingly password-centric world. The average person has 25 online accounts requiring passwords, and those of us who work in digital can multiply that manifold. The security requirements for these passwords are increasingly complex.
This phenomenon is colloquially known as password overload. Loosely defined, it’s the breaking point at which people say “I can’t take it anymore!” and revert to using their dog’s name or their kids’ birthdays, helpfully written on a scrap of paper beside their computer, for every single web password. Ironically, the more attempts are made at improving security by, say, requiring longer and more complex passwords, the less secure these tend to be. Apple claims that, due to the hassle factor, half of its users don’t even bother to set a password for their iPhone. Considering people store everything from personal contact lists to banking information to private photos on their smartphones, this is somewhat less than ideal. Especially when you add the fact that most people are moving towards using their phones as the second factor in two-factor authentication.
Clearly, this can’t continue. Something has to give.
Will biometrics replace passwords?
For several years now, that ‘something’ has been moving in the direction of biometrics. Instead of remembering dozens of complicated passwords, the theory goes, why not use unique identifiers that we carry with us at all times? Fingerprinting and retinal scanning are commonplace now at airports or border crossings, and private companies have long been moving in the direction of replacing passwords with biometric data.
This idea is not new. As far back as 2003, Sony marketed a thumb drive with a built-in fingerprint scanner. Microsoft has been selling fingerprint-enabled security keyboards for years. The technology is maturing all the time, and is ready to enter the mainstream in a big way.
Fingerprint-protect your phone?
Enter Apple, with its announcement this week that the soon-to-be-released iPhone 5S will include “Touch ID”, a fingerprint scanner that will allow you to unlock your phone with a simple touch of the finger. What could be easier or more convenient, particularly on a touch device where your fingers are making contact with the screen all the time? No more remembering long, complex password strings. No more having to reset your password when you forget it, or re-enter it every time you want to buy something from the iTunes store. Just touch and go.
Unfortunately, Apple’s ideas may be sound, but its timing could have been better. In the wake of WikiLeaks, Edward Snowden, and the confirmation that our personal data is far from private, the idea of storing fingerprint data in a device is giving many people an uneasy feeling. The announcement of the iPhone 5S this week led to quick reactions by the social media sphere was greeted with a certain amount of skepticism, even among people who normally do not subscribe to fringe conspiracy theories. Memes have been circulating wildly, decrying the additional infringement into personal privacy, and informing us that we’re one step closer to a science fiction-like alternate reality.
Other than concerns about government agencies collecting consumer fingerprint databases, some very real questions abound: If a fingerprint is converted into yet another string of zeroes and ones, it too could theoretically be cracked in much the same way as your password. And, unlike a password, you can’t simply change your fingerprint in the case that someone manages to crack it.
Privacy versus convenience
In the end, Apple — and many other tech companies who are moving in the bio-metrics direction — are gambling that convenience will outweigh privacy concerns for the vast majority of consumers. If past evidence is any indicator, they’re probably right. We willingly provide personal information to all sorts of private companies and public agencies all the time in order to save time, money and hassle. Facebook knows who our friends are and what music we like; Google can scan our emails for keywords to target ads; anyone who’s travelled through an airport in the past few years has probably had a fingerprint scan anyway.
What will this mean for marketers? The usability implications are staggering: No more password entry screens or “forgot password” links. Fewer frustrated consumers failing to make it through to the next step of your purchase cycle. It will become more important than ever to unify login data and to allow people to log in via a universal ID. Google is likely to follow suit with its own fingerprinting technology, and we may see others like Facebook jump on board as well (perhaps via a shared login with Microsoft). Allowing people to log in with one of these ubiquitous IDs instead of creating their own account on your site will probably increase adoption and participation rates.
On the flip side, some things are about to become less tolerated. In a world where a touch of the finger gives consumers access to most things, they will have less patience than ever for those companies who insist on still asking for complicated passwords. In addition, the pressure is on marketers to post clear, easy to understand privacy policies that both reassure and inform consumers about how their personal data will be stored, used and protected.
As we enter the brave not-so-new world of biometric authentication, we can expect these to be hot topics of discussion among digital marketers for some time to come.