Curses, just-good-enough authentication, again

Summary: Use of social network identities is expected to skyrocket in the next two years, but the aim is to reduce friction between merchants and your money, not to provide a better credential.

So Gartner thinks that half of new retail customer identities will be based on social network credentials within the next two years.

Damn, mediocrity again.

And they think some online merchants hell-bent on picking over crowds of buyers with full wallets will ignore the inherent fraud risks in these weak and self-asserted identity credentials.

When will end-users stop being trained to plow ahead regardless of security and privacy implications? That whatever you have to surrender to the gatekeeper is OK as long as you can get into the virtual backroom for discounted T-shirts, cheap electronics and those Peruvian salt/pepper shakers with the thingamajig that aren't carried at the brick and mortar locations.

Gartner says at the start of 2016, 50% of new retail customer identities will be based on social network credentials. Today, the number is 5%.

We are talking entirely new generations of users who think their credentials are merely a roadblock between them and gratification. Something that can't be traded on fast enough - or be hard to remember.

Here's the telling part of Gartner's prediction, the part that shows we are not heading up and over the authentication hurdle and leaving it behind, but rather going around it - again.

"Using 'login with Facebook' — or other popular social networks — reduces friction and therefore improves users' experience of customer registration and subsequent login," said Ant Allan, research vice president at Gartner, in a statement.

Ah, friction. Good some places, but certainly not when end-users are navigating the retail Web.

Isn't friction avoidance among end-users what gave rise to "password" and "12345" as the most prevalent (and weakest) passwords used on the Internet for the past decade or more?

But it's not the end-users who are really to blame. It's their coaches: the merchants.

Gartner correctly states that "lack of identity proofing and weak authentication for social network identities can expose merchants to more fraud."

The analyst firm, however, predicts some merchants will ignore this negative in the face of more customers and more sales, and instead fall back on the $50-solution fraud systems run by the credit card companies.

If you're a merchant or in the risk business and do the math, perhaps this is a good business decision. But from an authentication perspective this attitude extends the belief that identity, and personal data, are of little value to their owners. It's high time prevailing wisdom questions that notion.

Social log-ins are not bad across the board; what matters is where they are used. They can be fine for an initial low-risk authentication - access to a friend's photo catalog.

When combined with a "step-up authentication" to access more sensitive data - one where the user's real-world identity has been vetted in some way - social network log-ins can indeed reduce some friction.

Gartner does make that point in its predictions.

There is no doubt that the popularity of social networks means more and more people have some sort of online identity, a development that is likely to show benefits over time as an identity layer is built on top of the Internet. A layer comprised of technologies, standards and identity providers that can supply levels of assurance as to the identity of an end-user.

But until the industry does the hard work of building out such a layer, the best thing we have going is to educate end-users about its importance and then tap the wisdom of that crowd to kick some butts to get it built faster.


About

John Fontana is a journalist focusing on access control, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he writes and edits a blog, directs several social media channels and represents Yubico at the FIDO Alliance. Prior to Yubico, John spent five y...
