Interview: Why password issues are on the way out

Craig Vallis is an entrepreneur and IT Professional with many years of experience providing consulting to enterprises and government departments all over Africa, the Middle East and, more recently, Europe. He has been designing and developing browser-based enterprise applications since 1999. In 2012, while at an enterprise conference, he realised that there was a tremendous problem with consumer online identity and that something needed to be done about the issue. We spoke to Craig about his identity and access management solution, Solfyre, and how it can help take the stress and hassle out of logging into websites, regardless of the underlying technology or process.

1. What inspired you to tackle the login issue?

I was attending the Cloud Identity Summit in 2012, sitting in a Google presentation when I realised that we were in the process of completely handing over our identities to the large corporations, to aggregate and monetise how they saw fit. I realised that identity was too important to be a by-product of our search or social experience. We needed to provide an alternative to social logins. It was time for us to appoint an Independent Identity Provider to allow us to reclaim our identities. At the same time I realised that users don't care about standards and protocols, they just expect it to be safe and simple. Our challenge was set for us: we needed to create a single account that logged you into everywhere on the Internet and that was safe and simple enough for everyone to use.

2. How much of a problem is password security for consumers?

It is strangely a complex issue. Users want and expect websites to be secure but at the same time they want the login process to be quick and painless. Consumers have developed coping mechanisms to deal with the login/password fatigue. Currently users adopt one of three strategies for dealing with passwords: re-use of passwords, a system for remembering passwords, or an application or spreadsheet. These are becoming more of a problem as websites adopt additional security such as two-factor or multi-factor authentication. This means that people feel like they are coping but we don't think it has occurred to many that there might be an alternative or even that there could be an alternative. It is time for disruption in this regard.

3. What types of consumer data are vulnerable when data breaches happen?

The most critical data that is used to identify us is being stolen: dates of birth, residential addresses and even transaction history such as bank details and credit card numbers. All of these items are used to steal an identity or defraud. An example is that it seems many websites feel that they cannot function without knowing exactly when a user was born and force users to supply overly-personal information just for the sake of supplying goods.

4. Is the issue just about passwords and logins, or is there a bigger mission/quest?

Resolving the login issue is just the first step in giving users the tools they need to control their identities, privacy and personal data. Identity and privacy are interlinked and very poorly understood or appreciated. Being able to see and control our identities, and being able to trust the identities of others is absolutely critical. These are the two greatest obstacles that currently face us, as consumers, on the Internet. By giving people a means to assert and assure their identities, companies and users will be able to transact more easily and with greater safety and trust.

5. How effective is two-factor authentication?

Two-factor authentication (2FA) can be very effective in that it makes use of a second "previously known" factor to perform authentication. An example is sending a temporary code to the mobile number previously registered with that account. There are a number of ways in which this has become less effective: some malware specifically looks for codes sent via text message, or if the second factor is too tedious to operate then users do not adopt it. In developing SID we recognised this and resolved it by turning things around - by using the phone to scan the QR code we are effectively presenting the second factor first and then credentials are presented. Another problem that two-factor authentication faces is that, with the increase of mobile phones as the primary device, you lose the second factor, so sending a text to that device is ineffective. We treat our application as the second factor and any website or application that requires authentication needs to go through SID.

6. In light of recent hacks (i.e. Wetherspoons, TalkTalk, British Gas, M&S), do you think companies will need to change the way their customer data is stored?

They definitely need to change their whole attitude and approach to customer data. Companies need to realise that customer data is both an asset and a liability and there are costs to holding and storing it correctly, and in the event of loss there is a huge cost to the organisation. I am hoping that we see companies moving away from "harvest as much as we can" to "ask only as much as we really need". We would also like companies to be more transparent in what they do with our data and make it easier for us to have our data removed.

7. By 2020, do you think that passwords will still be used as a primary login method?

No, we see that biometric (face, voice, and fingerprint) and behavioural (location, walking gait, and website or app usage) factors will replace password and two-factor authentication entirely. We will move away from "something you know and something you have" to "who you are (biometric) and what you do (behavioural)". Whilst currently no single biometric or behavioural measure can be definitive all of the time, we are working to use a combination of them at any given time to assure the identity of the user at all times. Making use of a combination of these factors also means that we can passively authenticate a user so that merely by utilising their devices they are asserting their identities so that when it comes to logging into a website or application they can seamlessly be given access.
