Do users like passwords? Considering all the trouble with cookies, social login and single sign-on, one gets a strong feeling that this question is very easy to answer, and the answer is NO. This has been discussed for quite a long time; we know that a lot of bad passwords are in use, but still we keep asking our users to log in with a username and password very often. So, to answer the big question, let's try from a different angle. Knowing that our users hate them, why do we, the service providers of this world, need passwords?
Again the answer appears to be obvious: we need them for security. But if we focus only on our clients, not on the technical aspects, we might find out that what they protect isn't really our service. It is the data that our users trusted us with. To protect this data we take on our shoulders the cost of maintaining in our services all the processes related to passwords: user enrolment, forgotten or lost credentials, and the whole user experience around them. Passwords are just a low-cost and scalable way to do this.
Cost vs. Experience
Sticking to customer experience: what is presented to me as a user after typing in my username and password seems private; it belongs to me or is bespoke for my convenience. As always, there is some risk that someone might find a way to put their hands on my property. We as service providers shouldn't fall for this, though. The rigour of the applied security control must match the associated risk. Extremely strong passwords, multi-factor and risk-based authentication just don't apply to most everyday businesses, so they are not worthwhile there.
Users want to feel secure with their data, and we want this data to make our service better, present relevant content and allow faster purchases. We need a golden rule here, a reasonable balance between usability, cost and security. In my opinion social login is at least a step in the right direction. It takes the burden of filling in forms and maintaining many logins and passwords off our users, and takes all the processes mentioned above out of our scope. Social login provides us with user information that is more likely to be up to date, grants us a proven email address and a considerable level of security, with all the sophisticated control mechanisms already implemented by the most popular providers. If trusting a social login provider is hard for you, remember that even banks are nowadays offering their services in this field. And in my opinion it's a very reasonable thing for them to do: they hold very precise data on their customers, they had to implement very secure client-facing portals, and they want to monetize these investments.
The Grass Isn't Always Greener On The Other Side
The only thing I find problematic about social login is that it does not sound super easy. You need to have your service designed to support federated claims. Even if this sounds less familiar to you than username and password, I am pretty sure your developers and help-desk staff will love it, at least much more than endlessly streamlining all the password-related processes mentioned above.
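"Supporting federated claims" boils down to one thing on our side: never trusting the identity the provider hands us until the token carrying it has been checked. The example below is added here and is not code from the original post. It assumes a constructed trusted issuer, our own client id and an HS256 shared secret (public providers normally use RS256 with published keys, but the claim checks, which are the point, are the same): signature first, then issuer, audience, expiry, a stable subject, and the explicit email_verified flag that turns the provider's email into the "proven email address" mentioned above.

```python
"""Validate federated claims from an ID token before trusting them.

Added example, not code from the original post. Assumed: a fixed trusted
issuer, our client id and a shared HS256 secret (all constructed values).
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

EXPECTED_ISSUER = "https://idp.example"        # constructed placeholder
CLIENT_ID = "our-service-client-id"            # constructed placeholder
SHARED_SECRET = b"constructed-demo-secret"     # constructed placeholder


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Mint an HS256 JWT; stands in for the provider's token endpoint."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_federated_claims(token: str, now: Optional[float] = None,
                              secret: bytes = SHARED_SECRET) -> dict:
    """Return {'subject', 'email'} only if every trust check passes; raise otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm: the token must never choose how it is verified.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("token from an unexpected issuer")
    aud = claims.get("aud")   # a string, or a list when issued for several clients
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not issued for this service")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    if not claims.get("sub"):
        raise ValueError("no stable subject identifier")
    # The provider's e-mail is only "proven" if the provider says so explicitly.
    if claims.get("email_verified") is not True or not claims.get("email"):
        raise ValueError("e-mail address not verified by the provider")
    return {"subject": claims["sub"], "email": claims["email"]}


def rejection_reason(token: str, now: float) -> Optional[str]:
    """None when the token is accepted, otherwise the reason it was refused."""
    try:
        validate_federated_claims(token, now=now)
    except ValueError as err:   # covers JSON and base64 errors too
        return str(err)
    return None


if __name__ == "__main__":
    # Constructed sample claims as a provider would issue them.
    sample = {"iss": EXPECTED_ISSUER, "aud": CLIENT_ID, "sub": "user-123",
              "email": "alice@example.test", "email_verified": True,
              "iat": 1_700_000_000, "exp": 1_700_000_600}
    print(validate_federated_claims(make_demo_token(sample), now=1_700_000_100))
    print(rejection_reason(make_demo_token({**sample, "email_verified": False}), 1_700_000_100))
```

Link the local account to the returned subject (the provider's stable identifier), not to the email address; emails can change or be reassigned, and the check above refuses to use one the provider has not marked as verified.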
Coming back to the main question. I think that first of all users like to feel safe. Passwords are an old but still cost-effective way of assuring this. Users don't necessarily like passwords; rather, they are used to them. Most of all we want the users to like our services, and I am sure they will appreciate it when we keep on making them easier to use.
Marcin Lewak