Still living under the tyranny of the password in 2017

When I lost access to my Google account recently, it left a gaping hole in my digital life and showed me just how tenuous the link to our online world can be. One thing I learned from the story I wrote last week about my experience was that I was far from alone. I got more than a dozen emails and tweets from folks who had been similarly locked out of Google, Facebook or Amazon Prime, and couldn’t figure out how to find their way back.

It raises a valid question about identity itself online, something I’ve been thinking about for some time. How do we prove who we are and how do we avoid my problem (and that of many others, apparently)? How much responsibility lies with the service provider, even when that service is free? How many forms of proof should be enough to prove identity?

At some point it should become an exercise in probability for the vendor. In my case with Google, I provided proof by email, mobile and security questions — and it still wasn’t enough. If you consider I was also using a similar IP address and the same devices I always use, that constitutes even further proof.

When you provide all this data, shouldn’t that be enough proof for any vendor? I found out the hard way that it’s not, and I’m not alone. I also found out the vendor often doesn’t have any means of resolving these issues — and that could be the worst part of this.

Killing the password

Back in September 2015, I wrote a post on TechCrunch called Kill the password in which I argued it was time to replace the password because it didn’t really work. Hackers stole them, people used ridiculous ones like 1234, and it was simply not a deterrent to accessing our online accounts.

Yet our services and our digital lives require protection. In that same piece, I implored the vendors to find a way to prove who we were without putting the burden on us to remember something. Leaving security to the user is a fool’s errand. Here was partly how I concluded that piece in the context of 2015:

The key is to find a way to secure our personal information without putting undue hardship on the user, while making it difficult — ideally impossible — to steal. That would require automated ever-changing passwords or perhaps something like a fingerprint or eye scan.

The password becomes even more ridiculous in a mobile context, where entering a strong password is a burden on a device where typing is not ideal. Certainly biometrics have advanced since then, and we are seeing increasing use of the fingerprint and the beginnings of the Apple face scan on iPhone X. All of this makes the password less and less needed, but it is still the primary means of identification in many instances — and that needs to change.

Perhaps I’ll see you on the blockchain

Like so many things, we make proving identity more complicated because we don’t trust the process, but what if we put identity on the blockchain? Two years after writing that first piece suggesting we kill the password, I wrote another called The promise of managing identity on the blockchain in September this year. If the blockchain is an immutable and irrefutable record then it suggests it would be a good place to manage identity, but there remain a range of opinions. As I wrote:

Like any emerging technology, there are going to be a range of opinions on its viability. Using the blockchain as an identity management system is no different. It will probably begin to take on some role over the next five years because the promise is just so great, but how extensive that will be depends on how the industry solves some of the outstanding issues.

When you put all of this in the context of losing your identity online, it brings us back to where the burden belongs. It is of course incumbent upon online services (and offline for that matter) to ensure you are a valid user with proper credentials, but surely there must be better ways to do this without forcing us through a password gate.

In a Hacker News discussion of the story about getting locked out of Google, one commenter, WhyNotHugo, suggested emailing log-in links that bypass the need for a password altogether:

These are precisely the kinds of steps companies should be taking to remove the burden from the end user. Yet we are two years further down the road from when I wrote that first piece about killing the password, and we are still facing the same issues. The vendors need to step up and figure out new ways to prove identity just like those login links and stop putting the burden on us as users.
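As an added illustration of what such an emailed login link involves on the server side (this is example code, not code from the article or from the Hacker News commenter), the Python below issues a random token, stores only its hash, mails the link through a constructed in-memory outbox, and accepts the token once within a short lifetime. The endpoint URL, the 15-minute lifetime and all class and function names are assumptions.

```python
"""Minimal e-mailed login-link ("magic link") flow, server side only.

Added example; the URL, the 15-minute lifetime and every name here are assumptions.
The mail transport is a constructed in-memory outbox so the code runs offline.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed lifetime. Keep it short: the link is a bearer credential, and anyone
# who can read the mailbox (or a forwarded copy) within this window can use it.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class PendingLogin:
    token_hash: str      # only the SHA-256 of the token is stored server side
    email: str           # normalised address the link was sent to
    expires_at: float
    used: bool = False   # links are single-use


@dataclass
class MagicLinkService:
    base_url: str = "https://example.invalid/login"        # assumed endpoint
    now: Callable[[], float] = time.time                    # injectable clock for testing
    outbox: list = field(default_factory=list)              # stand-in for an SMTP client
    _pending: dict = field(default_factory=dict, init=False, repr=False)  # token_hash -> PendingLogin

    @staticmethod
    def _hash(token: str) -> str:
        # A database leak then exposes only hashes, which cannot be replayed as links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        """Create a one-time login link for `email` and hand it to the mailer."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, URL-safe alphabet
        record = PendingLogin(
            token_hash=self._hash(token),
            email=email.strip().lower(),
            expires_at=self.now() + TOKEN_TTL_SECONDS,
        )
        self._pending[record.token_hash] = record
        link = f"{self.base_url}?{urlencode({'token': token})}"
        self.outbox.append((record.email, link))   # real code would send mail here
        return link

    def redeem(self, token: str) -> Optional[str]:
        """Return the logged-in e-mail address, or None if the token is unknown, used or expired."""
        record = self._pending.get(self._hash(token))
        if record is None:
            return None
        if record.used or self.now() > record.expires_at:
            return None
        record.used = True   # burn the token before reporting success
        return record.email

    def purge_expired(self) -> int:
        """Drop used and expired records; returns how many were removed."""
        stale = [h for h, r in self._pending.items() if r.used or self.now() > r.expires_at]
        for h in stale:
            del self._pending[h]
        return len(stale)


def token_from_link(link: str) -> str:
    """Extract the token a mail client would send back when the link is clicked."""
    return parse_qs(urlparse(link).query)["token"][0]


if __name__ == "__main__":
    svc = MagicLinkService()
    link = svc.issue("reader@example.com")
    print("mailed:", svc.outbox[-1])
    print("first click  ->", svc.redeem(token_from_link(link)))
    print("second click ->", svc.redeem(token_from_link(link)))
```

The three properties worth checking in any real implementation are the ones the test exercises: the stored value is a hash rather than the token, a token works exactly once, and it stops working after its lifetime. The design also moves the trust question rather than removing it: a login link is only as safe as the mailbox it lands in, and a user who loses access to that mailbox is back in exactly the situation the article describes, so the e-mail provider's own account recovery becomes the weakest link.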

Service, please

Short of providing password alternatives, services like Google have to offer ways to reach a human customer service person, whether that means paying a one-time fee or simply investing in a human contact center to resolve these very kinds of issues. Everyone should have equal access to this service, and it shouldn’t be limited to people like me who have contacts inside these organizations because of my job.

While Google and Facebook (and other similar essential services) are free, they can hardly hide behind that idea when it comes to helping end users when they need it. They are multi-billion dollar, highly profitable operations, and it’s time they stepped up and provided a level of customer service that resolves these kinds of issues in a timely fashion.

We are surely getting better at online identity, but as my experience showed, we still have a ways to go. Even Google, with all its resources, still struggles with this. I can’t tell you why proving identity remains a challenge as we head into 2018, but we need to figure this out, and we need to do it soon. Too many people have experienced the pain I did of being locked out, and that just shouldn’t be the case anymore.