This short piece looks at password policies through the eyes of the customer – be it an end customer or a distributor. I am personally frustrated at the explosion of complexity in accessing sites so thought it would be worth exploring the issue further.
‘Security inflation’ is endemic
In my experience insurance companies and banks look at password policies and procedures solely through the lens of security. They then seek the advice of their internal IT security specialists who faithfully discharge their job responsibility, and are not to blame, in advising on all of the myriad possible weaknesses that can arise. In the absence of an internal customer experience advocate to provide an alternative view, the business leaders then decide to spend money and effort tightening security. The cycle seems to repeat and we end up with a default “business as usual” state of what I call ‘security inflation’. Somewhere businesses seems to have lost the ability to make considered judgements in this area that balance risk and reward and then make a commercial decision. Instead they seem to believe, despite all evidence to the contrary, that it is possible to reach a zone of “zero risk” in this area.
I think regulators also need to exercise more considered judgement and avoid unnecessarily draconian approaches to password policies.
Let’s think about the users
So this article is going to take a customer centric view and examine actual password policies that exist today. In the process I hope to illustrate that organisations can and do take different approaches to password policies – and at least some have made the necessary trade -offs.
So let’s start by thinking as a customer. The first thing is that I trust my bank or insurance company to make appropriate policies in this area. So in all the examples I give I assume the security approach implemented meets a minimum adequate benchmark (i.e. at the very least one compliance, risk and security expert will have signed off these approaches):
To show how absurd decision making can be I have experienced the “good” from one multinational bank in one country and the “ugly” from the same global bank in another country. And standards do vary within countries i.e regulations are not absolute in these matters and leave room for banks and insurers to make their policies more customer friendly.
The one bank that deserves a positive mention for innovation is Standard Chartered Bank in Singapore. They made their physical second factor their credit card by including a key pad within the credit card itself. They also allow a liberal approach to accessing high level bank data using a simple numeric password. Well done – and it gets my vote for customer convenience.
The non-banks who excel in this area are PayPal, the Apple store and the Amazon store who are able to deliver password protected transaction capability for on-line purchases without the need to re-key credit card data. They all use numeric only password systems.
What is the future?
The password / 2FA is probably a fundamentally flawed approach and one would hope that biometric solutions develop quickly to provide quick and convenient access to personal data and transaction capabilities. There are some reports that Apple is investigating finger print biometrics for the next version of the iPhone – this will be an interesting test on how “battle ready” the technology actually is.
What is your experience?
I would be interested to hear from others on their views and experiences in this area. What frustrations have you experienced and what is the most customer friendly approach you have seen?