Password, hacks, ever increasing security requirements

30 January 2015

 View Richard Mardling’s profile on LinkedIn

Last week I was the recipient of a bright shiny new smartphone. Time to play and get used to new features! So I unpack it, insert the SIM card, go through the setup process and, hey presto, away we go. Well, nearly. There are a number of services that I subscribe to that over time have steadily driven up their requirements for a complex password. All well and good until during one single day you’re asked to remember all of them and type them in on a very small keyboard. You can guess the results: my Inbox was full of password reset emails initiated by yours truly, and in some instances I had to lower the strength of my password just to be able to successfully type it in!

So what’s the answer? Many of the social media sites that I use offer the capability to re-use my social identity. In some instances I do this when it’s related, e.g. a service that analyses your Twitter feed and reach, but not in the main, as I want to keep my work and social world separate. Also, in light of the recent breach of digital assets stored on iCloud, how well is the identity service within the different social media services protected? I’m in danger here of arguing against my own industry, but I believe that someone needs to step forward and offer the issuance of trusted identities that can be re-used across a variety of platforms. Recently the Information Security Forum published a paper on the future of authentication. I know that the UK Government through its Verify programme will be providing the identity infrastructure to access government services, but can your government identity be used on commercial sites? Interestingly the FT recently reported that Lloyds Banking Group has been developing an identity assurance service; all I can say is ‘at last’ and ‘well done’! The banks, according to my daily commute colleagues, may not be the most popular set of institutions in the minds of the public, but we do entrust them with many of our financial assets. They know who I am through initial verification and many years of transaction history, plus they know where I live.

Is an asserted identity, provided by someone that we entrust many of our financial interests with, the answer? It's one of the solutions that I would urge upon anyone considering the provision of online services that require knowing who you are. It saves the development of all of the identity and authentication services, lowers the running costs and improves the user experience, and best of all, done right, it increases security for all parties. In any transaction we need a willing buyer and a willing seller, or in this instance an enlightened service provider who will accept third-party asserted identities. So hats off to Lloyds, let’s hope that other banks are closely following in their wake, and then I can stop trying to remember ever more complex passwords and my shiny new phone can keep me securely connected to our ever developing digital world.


Comments

In the Nordic countries, we have sort of what you are asking for. In Norway and Sweden, you can log on to most public web sites and a number of private web sites with your 2-factor bank credentials.

In Estonia they have a national ID card with a chip carrying a certificate and the associated private key. And in Denmark, where I live, we have a system called 'NemID' ('Easy ID' in English), which is run by all the banks in common and which provides log in and signing services to banks (you can even log in to accounts in different banks using the same ID), almost all public web sites and a large number of private web sites.
