Password fatigue

Last updated

Password fatigue is the feeling experienced by many people who are required to remember an excessive number of passwords as part of their daily routine, such as to log in to a computer at work, undo a bicycle lock or conduct banking from an automated teller machine. The concept is also known as password chaos, or more broadly as identity chaos. [1]

Contents

Causes

The increasing prominence of information technology and the Internet in employment, finance, recreation and other aspects of people's lives, and the ensuing introduction of secure transaction technology, has led to people accumulating a proliferation of accounts and passwords.

According to a survey conducted in February 2020 by password manager Nordpass, a typical user has 100 passwords. [2]

Some factors causing password fatigue are:

Responses

Some companies are well organized in this respect and have implemented alternative authentication methods, [3] or have adopted technologies so that a user's credentials are entered automatically. However, others may not focus on ease of use, or even worsen the situation, by constantly implementing new applications with their own authentication system.

Innovative approaches

As password fatigue continues to challenge users, notable advances in password management techniques have emerged to alleviate this burden. These innovative approaches provide alternatives to traditional password-based authentication systems. Here are some notable strategies:

Biometric Authentication

Biometric authentication methods offer a seamless and secure alternative to traditional passwords, including fingerprint recognition, facial recognition, and iris scanning. Users can authenticate their identities without remembering complex passwords by leveraging unique biological characteristics. Companies like Okta and Transmit Security have developed robust biometric authentication solutions, reducing reliance on traditional passwords. [6]

Security Tokens

Security tokens, also referred to as hardware tokens or authentication tokens, add an extra layer of security beyond passwords. These physical devices generate a one-time passcode or cryptographic key that users input alongside their passwords for authentication. This two-factor authentication (2FA) method enhances security while reducing the cognitive load of managing multiple passwords. Secret Double Octopus is a notable provider of security token solutions. [6]

Passwordless Authentication

Passwordless authentication services represent a significant shift in authentication methods by eliminating the need for passwords. Instead, these services utilize alternative verification methods, such as biometric authentication, security keys, or magic email links. By removing passwords from the equation, passwordless authentication significantly simplifies the user experience and reduces the risk of password-related security breaches. Okta, Transmit Security, and Secret Double Octopus are pioneering providers of passwordless authentication solutions. [6]

Behavioral Biometrics

Emerging technologies in behavioral biometrics analyze unique behavioral patterns, such as typing speed, mouse movements, and touchscreen interactions, for user authentication. By continuously monitoring these behavioral signals, the system can accurately verify a user's identity without requiring an explicit authentication action. Behavioral biometrics provide a seamless authentication experience while minimizing the cognitive load associated with traditional password-based systems. [6]

These innovative approaches offer promising alternatives to traditional password management techniques, delivering enhancements in security, usability, and user convenience. As technology advances, further progress in authentication methods will effectively address the ongoing challenge of password fatigue. [6]

See also

Notes

  1. "Password chaos" at TheFreeDictionary
  2. Williams, Shannon. "Average person has 100 passwords - study". securitybrief.co.nz. Retrieved 2021-04-26.
  3. Such as digital certificates, OTP tokens, fingerprint authentication or password hints.
  4. Murphy, Hannah (3 September 2021). "The start-ups trying to kill the password". Financial Times. Retrieved 2 November 2021.
  5. "What is Password Fatigue and How You Can Overcome It". Transmit Security. 13 October 2021. Retrieved 4 November 2021.
  6. 1 2 3 4 5 Al-Slais, Yaqoob; El-Medany, Wael (January 1, 2022). "User-Centric Adaptive Password Policies to Combat Password Fatigue". The International Arab Journal of Information Technology.

Related Research Articles

<span class="mw-page-title-main">Password</span> Text used for user authentication to prove identity

A password, sometimes called a passcode, is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of password-protected services that a typical individual accesses can make memorization of unique passwords for each service impractical. Using the terminology of the NIST Digital Identity Guidelines, the secret is held by a party called the claimant while the party verifying the identity of the claimant is called the verifier. When the claimant successfully demonstrates knowledge of the password to the verifier through an established authentication protocol, the verifier is able to infer the claimant's identity.

<span class="mw-page-title-main">Access control</span> Selective restriction of access to a place or other resource, allowing only authorized users

In physical security and information security, access control (AC) is the selective restriction of access to a place or other resource, while access management describes the process. The act of accessing may mean consuming, entering, or using. Permission to access a resource is called authorization.

An authenticator is a means used to confirm a user's identity, that is, to perform digital authentication. A person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator. In the simplest case, the authenticator is a common password.

<span class="mw-page-title-main">Authentication</span> Act of proving an assertion

Authentication is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity. It might involve validating personal identity documents, verifying the authenticity of a website with a digital certificate, determining the age of an artifact by carbon dating, or ensuring that a product or document is not counterfeit.

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.

Identity management (IdM), also known as identity and access management, is a framework of policies and technologies to ensure that the right users have the appropriate access to technology resources. IdM systems fall under the overarching umbrellas of IT security and data management. Identity and access management systems not only identify, authenticate, and control access for individuals who will be utilizing IT resources but also the hardware and applications employees need to access.

<span class="mw-page-title-main">Security token</span> Device used to access electronically restricted resource

A security token is a peripheral device used to gain access to an electronically restricted resource. The token is used in addition to, or in place of, a password. Examples of security tokens include wireless key cards used to open locked doors, a banking token used as a digital authenticator for signing in to online banking, or signing transactions such as wire transfers.

Logical security consists of software safeguards for an organization's systems, including user identification and password access, authenticating, access rights and authority levels. These measures are to ensure that only authorized users are able to perform actions or access information in a network or a workstation. It is a subset of computer security.

Self-service password reset (SSPR) is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate factor, and repair their own problem, without calling the help desk. It is a common feature in identity management software and often bundled in the same software package as a password synchronization capability.

Living in the intersection of cryptography and psychology, password psychology is the study of what makes passwords or cryptographic keys easy to remember or guess.

Electronic authentication is the process of establishing confidence in user identities electronically presented to an information system. Digital authentication, or e-authentication, may be used synonymously when referring to the authentication process that confirms or certifies a person's identity and works. When used in conjunction with an electronic signature, it can provide evidence of whether data received has been tampered with after being signed by its original sender. Electronic authentication can reduce the risk of fraud and identity theft by verifying that a person is who they say they are when performing transactions online.

<span class="mw-page-title-main">Multi-factor authentication</span> Method of computer access control

Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. MFA protects personal data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password.

SAP Logon Tickets represent user credentials in SAP systems. When enabled, users can access multiple SAP applications and services through SAP GUI and web browsers without further username and password inputs from the user. SAP Logon Tickets can also be a vehicle for enabling single sign-on across SAP boundaries; in some cases, logon tickets can be used to authenticate into 3rd party applications such as Microsoft-based web applications.

<span class="mw-page-title-main">FIDO Alliance</span> Industry consortium working on authentication mechanisms

The FIDOAlliance is an open industry association launched in February 2013 whose stated mission is to develop and promote authentication standards that "help reduce the world’s over-reliance on passwords". FIDO addresses the lack of interoperability among devices that use strong authentication and reduces the problems users face creating and remembering multiple usernames and passwords.

Universal 2nd Factor (U2F) is an open standard that strengthens and simplifies two-factor authentication (2FA) using specialized Universal Serial Bus (USB) or near-field communication (NFC) devices based on similar security technology found in smart cards. It is succeeded by the FIDO2 Project, which includes the W3C Web Authentication (WebAuthn) standard and the FIDO Alliance's Client to Authenticator Protocol 2 (CTAP2).

Biometric tokenization is the process of substituting a stored biometric template with a non-sensitive equivalent, called a token, that lacks extrinsic or exploitable meaning or value. The process combines the biometrics with public-key cryptography to enable the use of a stored biometric template for secure or strong authentication to applications or other systems without presenting the template in its original, replicable form.

Customeridentity and access management (CIAM) is a subset of the larger concept of identity access management (IAM) that focuses on managing and controlling external parties' access to a business' applications, web portals and digital services.

<span class="mw-page-title-main">Bitwarden</span> Open-source password manager


Bitwarden is a freemium open-source password management service that is used to store sensitive information, such as website credentials, in an encrypted vault. The platform hosts multiple client applications, including a web interface, desktop applications, browser extensions, mobile apps, and a command-line interface. The platform offers a free US or European cloud-hosted service as well as the ability to self-host.

Passwordless authentication is an authentication method in which a user can log in to a computer system without the entering a password or any other knowledge-based secret. In most common implementations users are asked to enter their public identifier and then complete the authentication process by providing a secure proof of identity through a registered device or token.

<span class="mw-page-title-main">Secret Double Octopus</span> Israeli software company

Secret Double Octopus (SDO) is a cybersecurity software company specializing in passwordless authentication for enterprise environments.