'

In fingerprints and banks we trust: IBM reports on the future of authentication

An IBM study of The Future of Identity has found that whether people use passwords or biometrics is influenced by how old they are, where they live, and the value of the service involved. Choices are not purely technical....

IBM Security Infographic Header

Biometrics are the future. Image source: IBM's Future of Identity infographic

Online security continues to be a trade-off between security and convenience, but the compromises are different depending on how old you are, where you live, and the value of the data, according to a global survey of 3,977 adults by IBM Security. The real problem is how to improve things, because "the traditional scheme of accessing data and services by username and password has repeatedly shown to be inadequate," says IBM's report.

"Users will ultimately choose whether or not to implement new security features being made available. Therefore, it is critical to better understand their concerns and preferences around emergent types of authentication and to evaluate how these views could impact the future of identity and access."

Bar chart of preference for security, privacy or convenience

The good news is that - as you would expect - security is the top priority when people use financial services. However, after banking, users are increasingly willing to trade security for privacy and/or convenience, and social networking ranks at the bottom.

"This is particularly alarming in light of the fact that nowadays, many consumers opt to use their Facebook, Twitter and Google accounts to authenticate and access other applications and services," says the report. If a social network account is breached, this could lead to a domino effect with shopping, dating and other services being compromised.

Users believe they are most secure when using their fingerprints (44 percent), followed by iris scans (30 percent). Users also think that alphanumeric passwords (27 percent) are more secure than face recognition (12 percent), handprints (6 percent), voice recognition (6 percent) and heartbeat recognition (4 percent). This raises an interesting question for service providers: do you want more security or do you just want users to think they are more secure? Using more than one technique might be the best answer.

However, users are wary of trusting organizations with their biometric data which represents their identity, not a password that can be changed. Only 48 percent would trust a major financial institution with biometric data. That falls to 23 percent for a major shopping site and only 15 percent for a social media network.

Bar chart of convenience vs security by age

Younger people are more likely to trade security for convenience. Almost half of users aged 18-24 would use a less secure method to save a few seconds, compared with only 16 percent of the over 55s. This is not necessarily as bad as it sounds. Younger people are more likely to use fingerprint recognition - which is quick - and password managers.

Younger people are also more likely to abandon a service if it is breached.

Bar chart of preferences in APAC, EU and USA

In global terms, users in the Asia Pacific region (Australia, India and Singapore) are more receptive to using new technologies than Europeans, while Americans lag behind.

Bar chart of comfort with biometric identification

APAC users are more familiar with biometrics and most likely to use them. Americans, by contrast, are below the world average, and 23 percent say they are not interested in using biometrics now or in the future. This seems odd given the popularity of Apple iPhones in the USA.

So what about the future?

The report suggests that organizations have most to lose from bad password habits, so they should make employees "adopt authentication mechanisms like hardware tokens, one-time passwords or biometrics when signing into workplace services". It's trickier when dealing with consumers because "forcing a user's hand (or fingerprint) when it comes to signing in can result in lost revenue."

However, offering a choice of authentication systems would allow users to choose the one that suits them best - which may vary according to their age, location, and the type of service.

The report also suggests that risk-based authentication is another option, "based on contextual data and behavioral cues". In other words - my example - ask for extra authentication if someone moves from a low-risk task (reading a bank statement) to a high-risk task (transferring $100,000 to the mafia).

The IBM Security: Future of Identity Study was written by Limor Kessem, an IBM Executive Security Advisor. It is based on a survey of 1,976 respondents in the USA, 1,004 in the EU (UK, France, Italy, Germany, Spain) and 997 in APAC (Australia, India, Singapore).

The 27-page report is available free at http://ibm.biz/FutureOfIdentity (PDF).