You are standing in line waiting to check out.
You remember that you have the rewards application for this store loaded on your mobile device — you can finally use it to receive the discounted prices and gain some rewards.
You only need to find and load the application before reaching the cashier.
Plenty of time — there are five other customers in front of you.
You reach for your phone, the startup screen lights up and you unlock the device using your PIN number. Easy.
You find the application and start it up .. easy.. you are confident and with a smile.. you look at your device… the application is loading with the store logo and first thing is the login screen — — “please enter your user name and password” — well it has been a while — so you enter what you think is the user name and the corresponding password —
Ugh the red notification pops up— “wrong username or password” — the line keeps moving forward — now you are 3 people away from the cashier …
Ok —now you are trying to remember what was the username schema that the application requires and you enter a new username and password — the line keeps moving forward — one more time — the error notification shows up — “wrong username and password “- now with an additional option — “would you like to reset your password?” .. seems reasonable – you are still 2 people away from the cashier …plenty of time…
Before you decide to reset the password, you try it one more time.
Thinking that the user name is correct — you make a split moment decision and enter a possible third password.. the line moves and now you are 1 person to the cashier…you feel the sweat in the back of your neck….Ugh….. no such luck.
Now the only option that you have is to reset the password — the application provides a box for you to enter the user name (of course you hope it is the right one) and the only message that you receive is that “if this is a valid user name you will receive the link to reset the password on the email linked to your account”.
You are minutes into this experience and things are not going well.
Now you are looking at all of your email boxes and hope that the link shows up …you still have time….
Refresh .. Refresh.. Refresh..
The line moves forward…. time is up….
Is your turn and you are facing the cashier,
The cashier is looking at the counter and your cart (by the way you are so focused on getting the application started that you forgot to put the things in the counter ) — ugh — peer pressure… you try to place the phone somewhere safe.. and try to focus on the task at hand … put the groceries on the conveyor belt to purchase them….all the while thinking.. What is the password ?
Time slows down…. while the cashier now, with a frown, is ringing your items.. and you keep looking for the reset link….the password link never shows up…
Must have been the wrong username or email address….but time has run out.
The cashier now with a sarcastic smile, is asking “do you have our application to apply the discounts for this purchase ?”
You look at him — defeated by the security and password gods and with a resignation — you say — “I have the application but can not get into it” … the cashier looks at you with disdain — how is it possible that you do not know your user name and password ?
He seems disappointed in your lack of knowledge and technical capabilities… .how is it possible that you failed such a simple task? …
You feel defeated — unworthy of their premium service — The cashier sights, takes a deep breath and now he is savoring the moment as he prepares to come to your rescue — he asks for the phone number of your mobile device and without any further action — he says ok — “found your account and applied the discounts.. but for accessing your rewards you will have to use the application” ….
You are dumbfounded — holding the phone with the application looking back at you (the application is smirking at you). It is challenging you to enter a username and password again, so it can defeat you again and again….
This non-fictional experience is occurring every day across millions of users and transactions — turning a pleasant experience into a stress inducing nonsense — all because the company decided that it requires to provide a complex password to gain access to their rewards tracking application. Basically so they can protect their consumer rewards programs from nefarious attackers while limiting access to their own consumers…
You put your purchases on the cart and walk out — looking down at your phone — disappointed and defeated — and you walk out, you see the ice cream stand which is the only reason that you have the frikin application… is to gain that reward…. you swear you hear a laugh coming from the application…. and you mutter — “I will be back !!!”
The sadomasochistic approach employed by companies — enforced by their security and application development teams is affecting millions of users across the world — it is time for user to revolt and rise up !! .. kill the password once and for all !!!
What is the solution ..
The solutions are clear — there are plenty of technologies and standards that address this issue, but they are not being implemented fast enough.
Implementations are constrained by a lack of knowledge from security teams and developers on how to implement those standards, the reticence of security professionals to change and the short sightedness of organizations to invest on new technology that will improve the user experience and therefore displaying a lack of empathy towards their consumers…
A good friend once guided our research efforts to ensure that we focused on using standards and interoperability — In my opinion, that is the answer — as new identity and authentication methods and protocols become part of the standards and are integrated into the large technology platforms, developers will start using them. Finally, enhancing the user experience while providing a higher level of security for both consumer and enterprise applications.
There is great work being done by many organizations, including FIDO and the W3C to drive authentication standards that are being adopted by the large technology platforms and developers, but all of that work will be for nothing if, as an industry, we do not adopt and implement such methods.
One thing will remain top of mind for organizations, the cost of change — developers will remain focused on what is easy instead of doing what is right .. and that is where the organizations must step up and understand — the authentication layer is no longer a nice to have but a it provides a competitive experience in the interaction with the customer. Organizations must understand that the authentication event is the first impression that organizations have with their customers. They must make a choice, how much pain or pleasure do you want your customer to experience ?
As I dream of a time when my relationship with the passwords is a thing of the past.. I entertain myself imaging what the possibilities can be, and I follow the great work being done by people in some of this great organizations;
https://fidoalliance.org/
https://diacc.ca/trust-framework/
https://www.w3.org/blog/webauthn/