Authenticating a user to a website, corporate account, or other online service is the process of proving the user's identity so that the user can be granted access to the private data or services associated with that identity. In the current authentication space, each website defines the manner in which the user authenticates, which usually means a username and password. Because it is very difficult for users to manage distinct passwords at every site they visit, users often reuse the same easy-to-remember password at each website. Since every website has to manage authentication for its own users, stronger mechanisms of authentication are not widely used: websites are hesitant to adopt additional technologies that might lock them into proprietary solutions with a large up-front cost. At the same time, online fraud is on the rise and business websites incur billions of dollars of lost revenue.
Online commerce and other Internet activities are dependent on a high level of confidence in the security of personal transactions, whether they involve money or simply information. Online fraud not only threatens these transactions, but also results in billions of dollars of lost revenue and wasted resources. The single greatest source of web fraud and financial risk comes from authentication—that is, the process by which a specific end user proves his or her identity for conducting an online transaction. Most authentication systems in place today are inherently vulnerable to failure; the typical practice of individual usernames and passwords entered into “secure” web sites may inspire general confidence that is not warranted in light of common causes of compromised security and likelihood of future problems.
Web “security” varies greatly from site to site. Not all website records are equally secure, and there have been many high-profile security-related data losses over the past several years that have included users' passwords, credit cards, and social security numbers. In addition, some web site owners do not have systems in place to monitor the integrity of users' data, let alone respond to compromised accounts. As such, they may not even know that their files have been hacked. Fraud forgiveness policies create false security. Credit card companies strive to inspire confidence in web commerce by protecting users from fraudulent transactions, but by transferring responsibility, they inadvertently encourage bad habits and hide the full extent of the threat.
Currently, almost all online services use passwords for authentication. The user signs in with a username, and then enters a password to prove the user's identity. This system is not as secure as many users and institutions believe. Whether a user transfers funds at a bank site, makes an online purchase from an e-commerce site, or uses online services intended to be private to the user, the parties involved conduct their business based more on trust than actual security. There are a number of reasons for this failure. Businesses and merchants are not authentication experts. Most companies know very little about authentication, because it is not their core business. Outsourcing online transactions and authentication to dedicated experts helps, but the current solutions offered still rely on processes that are inherently susceptible to failure and fraud.
Users pick easy-to-remember (and easy-to-guess) passwords. Users are prone to selecting passwords that are easy to remember, which makes them similarly easy for attackers to guess. A recent analysis of a large password database showed that about 30% of users choose passwords of six or fewer characters. Almost 60% choose their passwords from a limited set of alphanumeric characters, and nearly 50% of users used common names, slang words, dictionary words, or other trivial passwords composed of consecutive digits or of characters adjacent to one another on the QWERTY keyboard. In fact, the most common password among users is “123456.” Users also pick the same password for multiple sites. Managing multiple passwords for multiple online accounts is burdensome, so most users tend to have one or two passwords that they use across multiple web sites. Another recent large-scale study of password habits, conducted by Microsoft, found that the average user has 6.5 passwords across 25 accounts and types an average of eight passwords per day. Reuse increases vulnerability even more, because the loss of password security at one site can compromise many other accounts.
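The weakness categories listed above (short passwords, a limited character set, dictionary words, consecutive digits and QWERTY-adjacent runs) and the reuse problem can both be checked mechanically. The following is an added example, not code from the original page; the word list is a small constructed stand-in for a real dictionary or breached-password corpus, and the thresholds (six characters, a run of four adjacent keys) are assumptions chosen to mirror the figures in the text rather than any standard.

```python
"""Classify a password into the weakness categories described above, and
find password reuse across a set of accounts.

Added example for this page, not code from the original text. COMMON_WORDS is
a constructed stand-in for a real wordlist; MAX_SHORT and RUN_LENGTH are
assumed thresholds chosen to match the text.
"""
import string
from collections import defaultdict

# Physical QWERTY rows; a run of RUN_LENGTH characters that appears in a row
# (forwards or backwards) is treated as a keyboard walk. The digit row also
# catches consecutive digits such as "1234" or "7654".
QWERTY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Constructed stand-in for a dictionary / common-password list (assumption).
COMMON_WORDS = {"password", "letmein", "welcome", "monkey", "dragon",
                "football", "iloveyou", "admin", "qwerty", "123456"}

MAX_SHORT = 6    # "six or fewer characters" from the text
RUN_LENGTH = 4   # assumed: adjacent keys needed before flagging a walk


def _keyboard_walk(pw: str) -> bool:
    """True if pw contains RUN_LENGTH characters adjacent on one QWERTY row."""
    s = pw.lower()
    for row in QWERTY_ROWS:
        rev = row[::-1]
        for i in range(len(s) - RUN_LENGTH + 1):
            chunk = s[i:i + RUN_LENGTH]
            if chunk in row or chunk in rev:
                return True
    return False


def _char_classes(pw: str) -> set:
    """Character classes present: lower, upper, digit, symbol."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def weaknesses(pw: str) -> list:
    """Return the weakness categories pw falls into, in a fixed order.

    An empty list means none of the listed patterns matched; it does not
    mean the password is strong (length and entropy are not scored here).
    """
    found = []
    if len(pw) <= MAX_SHORT:
        found.append("short")
    classes = _char_classes(pw)
    # "limited set of alphanumeric characters": no symbols and at most two
    # of lower/upper/digit present.
    if "symbol" not in classes and len(classes) <= 2:
        found.append("limited-charset")
    lowered = pw.lower()
    base = lowered.rstrip(string.digits)  # catches "password1", "qwerty99"
    if lowered in COMMON_WORDS or (base and base in COMMON_WORDS):
        found.append("dictionary")
    if _keyboard_walk(pw):
        found.append("keyboard-walk")
    return found


def reuse_groups(accounts: dict) -> dict:
    """Map each password used at more than one site to the sorted list of
    those sites, i.e. the blast radius if that one password leaks.

    accounts: {site_name: password} (e.g. a password-manager export).
    """
    by_password = defaultdict(list)
    for site, pw in accounts.items():
        by_password[pw].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items()
            if len(sites) > 1}


if __name__ == "__main__":
    for candidate in ("123456", "Password1", "qwerty99", "Tr0ub4dor&3"):
        print(f"{candidate!r}: {weaknesses(candidate)}")
    # Constructed sample of one user's accounts.
    sample = {"bank": "hunter2", "mail": "hunter2", "forum": "qwerty99"}
    print(reuse_groups(sample))
```

Run against a dump of local users or a password-manager export, `reuse_groups` shows exactly which accounts fall together when one site is breached, which is the compromise-cascade the text describes; `weaknesses` is deliberately a pattern classifier rather than an entropy score, so it reports why a password is weak in the same terms the statistics above use.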
Users are not often aware of hacked accounts. There currently is no universally accepted (and expected), systematic process to alert users that their account(s) have been compromised and to advise them of corrective measures. Changing passwords is too time-consuming. When users are aware of a compromised account, they rarely go to each site on which they use the same password and change it one by one. Given the large number of online accounts most people have, and the tendency to use the same or similar passwords on each site, it is not surprising that one compromised site leads to many others.
Strong authentication is cost-prohibitive. Web site owners assume responsibility for protecting their users' passwords and sensitive information, and are potentially liable for their loss. While stronger mechanisms of authentication are available, such as hardware and software token systems, these proprietary solutions involve a significant up-front cost plus ongoing resources to maintain them. Most businesses are hesitant to make such an investment.