Curses, just-good-enough authentication, again

Summary: Use of social network identities is expected to sky-rocket in the next two years, but it's aimed at reducing friction between merchants and your money, not because it's a better credential.

So Gartner thinks that half of new retail customer identities will be based on social network credentials within the next two years.

Damn, mediocrity again.

And they think some online merchants hell-bent on picking over crowds of buyers with full wallets will ignore the inherent fraud risks in these weak and self-asserted identity credentials.

When will end-users stop being trained to plow ahead regardless of security and privacy implications? Trained to believe that whatever you have to surrender to the gatekeeper is OK as long as you can get into the virtual backroom for discounted T-shirts, cheap electronics and those Peruvian salt/pepper shakers with the thingamajig that aren't carried at the brick and mortar locations.

Gartner says at the start of 2016, 50% of new retail customer identities will be based on social network credentials. Today, the number is 5%.

We are talking entirely new generations of users who think their credentials are merely a roadblock between them and gratification. Something to get past as fast as possible, and something that must never be hard to remember.

Here's the telling part of Gartner's prediction, the part that shows we are not heading up and over the authentication hurdle and leaving it behind, but rather going around it - again.

"Using 'login with Facebook' — or other popular social networks — reduces friction and therefore improves users' experience of customer registration and subsequent login," said Ant Allan, research vice president at Gartner, in a statement.

Ah, friction. Good some places, but certainly not when end-users are navigating the retail Web.

Isn't friction avoidance among end-users what gave rise to "password" and "12345" as the most prevalent (and weakest) passwords used on the Internet for the past decade or more?

But it's not the end-users that really are to blame. It's their coaches: the merchants.

Gartner correctly states that "lack of identity proofing and weak authentication for social network identities can expose merchants to more fraud."

The analyst firm, however, predicts some merchants will ignore this negative in the face of more customers and more sales, and instead fall back on the $50-solution fraud systems run by the credit card companies.

If you're a merchant or in the risk business and do the math, perhaps this is a good business decision. But from an authentication perspective this attitude extends the belief that identity, and personal data, are of little value to their owners. It's high time prevailing wisdom questions that notion.

Social log-ins are not bad across the board; the problem is where they are used. They can be fine for an initial low-risk authentication - access to a friend's photo catalog.

When combined with a "step-up authentication" to access more sensitive data - one where the user's real-world identity has been vetted in some way - social network log-ins can indeed reduce some friction.

Gartner does make that point in its predictions.
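As an added illustration, not code from the article or from Gartner, here is a minimal step-up policy in Python: a social login only ever opens a self-asserted session, each resource carries the assurance level it requires, and the authorization check answers "allow", "step_up" or "deny" rather than trusting the social credential for everything. The level scale, resource names and step-up methods are assumptions of the example.

```python
from dataclasses import dataclass, field

# Assurance levels, lowest to highest. The scale and names are this
# example's own, not a standard and not the article's.
SELF_ASSERTED = 1      # social login: identity claimed, never proofed
VERIFIED_FACTOR = 2    # a factor bound to the account (e.g. an OTP)
IDENTITY_PROOFED = 3   # real-world identity vetted out of band

# Which level a session must hold before each resource is released.
# Unknown resources are denied outright (fail closed).
RESOURCE_POLICY = {
    "friend_photos": SELF_ASSERTED,
    "order_history": VERIFIED_FACTOR,
    "saved_cards": IDENTITY_PROOFED,
}

# Step-up methods and the level each one establishes (assumed names).
STEP_UP_LEVELS = {"otp": VERIFIED_FACTOR, "id_proofing": IDENTITY_PROOFED}


@dataclass
class Session:
    user: str
    provider: str                       # e.g. "facebook", "google"
    level: int = SELF_ASSERTED
    completed: list = field(default_factory=list)

    def step_up(self, method: str) -> int:
        """Record a completed step-up and raise the level; never lower it."""
        if method not in STEP_UP_LEVELS:
            raise ValueError(f"unknown step-up method: {method}")
        self.completed.append(method)
        self.level = max(self.level, STEP_UP_LEVELS[method])
        return self.level


def social_login(user: str, provider: str) -> Session:
    """A social credential only ever opens a SELF_ASSERTED session,
    whatever the provider claims about the account."""
    return Session(user=user, provider=provider)


def authorize(session: Session, resource: str) -> str:
    """Return "allow", "step_up" (logged in but under-assured) or "deny"."""
    required = RESOURCE_POLICY.get(resource)
    if required is None:
        return "deny"
    return "allow" if session.level >= required else "step_up"
```

The point of the split answer is that "step_up" lets the low-friction social session stand for the photo catalog while still refusing to release stored cards until a vetted factor has been presented.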

There is no doubt that the popularity of social networks means more and more people have some sort of online identity, a development that is likely to show benefits over time as an identity layer is built on top of the Internet: a layer composed of technologies, standards and identity providers that can supply levels of assurance as to the identity of an end-user.

But until the industry does the hard work of building out such a layer, the best thing we have going is to educate end-users to its importance and then tap the wisdom of that crowd to kick some butts to get it built faster.

Topics: Security, Consumerization

About

John Fontana is a journalist focusing in identity, privacy and security issues. Currently, he is the Identity Evangelist for cloud identity security vendor Ping Identity, where he blogs about relevant issues related to digital identity.

Talkback

3 comments
  • thoughts

    "When will end-users stop being trained to plow ahead regardless of security and privacy implications?"

    As soon as ZDNet hires a web designer that really fixes all of the issues with the Talkbacks and photo galleries.

    Basically, never.

    Where's the edit button??

    Ars Technica has made considerable progress in their comment system - it's light years beyond anything ZDNet has ever done. Not to mention all of the social networks like Facebook and Google+.

    ZDNet's comment system is still in the dark ages.

    And oh, yeah: Please hire somebody who works more than once a year, thanks. It's not good that once a talkback system is up, it's never touched again for several years.

    "Isn't friction avoidance among end-users what gave rise to 'password' and '12345' as the most prevalent (and weakest) passwords used on the Internet for the past decade or more?"

    Yup.

    "But it's not the end-users that really are to blame. It's their coaches; the merchants."

    And they are the poorest coaches, ever. They impose limits on the characters that can be used, they impose password maximum lengths, etc. Basically, they're teaching users really bad password creation habits.

    It's the blind leading the blind. The merchants usually know very little about security themselves, and obviously don't hire experts to guide them on their password creation policies. So they create lousy systems that teach users lousy habits.

    And don't get me started with password recovery systems, which are equally in shambles. "Security questions" are a joke, as they're often easier than passwords to bypass, and often ask archaic questions of people that they may not remember.
    CobraA1
    • And just to drive the point home . . .

      And just to drive the point home . . . I'm now appearing as anonymous in the Talkbacks, heh. Been a while since I've seen this particular bug, but apparently it's still around, sigh.
      CobraA1
  • I agree...

    For me there is no doubt that on all websites that pass important private personal or business data through, we need increased security measures, not 'making it easier for people to submit payments, etc.' methods like using "Facebook credentials", lots of laughs.

    Have to also agree with "anonymous", being able to edit comments we post here at ZDNet is really a necessary and expected thing these days. :-)
    sg1efc