Quick question: How many online accounts do you have? Add up work apps, shopping sites, social media sites or anything else that requires a username and password. If your number is greater than eight you may want to consider a good password manager.
Besides work accounts, many users have accounts for Facebook, Amazon, Microsoft, eBay, Yahoo, Apple, Google, Twitter, Instagram, LinkedIn, Pinterest, ESPN.com (for leaving comments), local newspapers, cable companies, banks and a growing number of newer social media companies. And the growth in new social networking users and new services continues to accelerate.
But how many online accounts is too many? The average American who regularly uses the Internet is now experiencing password overload. You may be wondering: What ever happened to the idea of a single username and password for the Internet?
Sadly, this application authentication problem seems to be getting worse, not better. Here are some recent statistics:
• Nearly 3 in 5 (58%) of adults have 5 or more unique online passwords
• 30% have 10 or more passwords
• Almost one in 10 people (8%) has a whopping 21 or more individual passwords
• Older people are likely to have more unique passwords than their younger counterparts; people age 55 or older on average have 8.2 passwords whereas millennials (18-34 year olds) only average 6.7
• Adults age 35-44 average 8.7 unique passwords and those 45-54 have 8.4 on average
• Men age 45-54 have the highest average number of unique passwords at 9.8
You can see more social login data trends at Janrain.com.
The Enterprise Access Solution
Meanwhile, back at the office, the number one complaint from most government and private sector end users is still – you guessed it – too many passwords. This complexity weakens security: every additional account login carries its own associated personal profile information.
To solve this username/password problem, public and private sector organizations have championed identity access management solutions to reduce complexity. The National Strategy for Trusted Identities in Cyberspace was also created to federate identities in order to share access credentials across multiple government and corporate systems and jurisdictions.
As Government Computer News (GCN) recently described in this article about reducing data leaks:
"Having a single credential that can be authenticated by a trusted authority and accepted by multiple users can reduce the attack surface by maintaining PII at a single point. It also helps relieve the burden of managing credentials and identities.
This idea of federated identity is not new. Banks, merchants and credit card companies have been using a form of it for years…."
Most federal, state and local governments have attempted to deal with this identity management problem for more than a decade – looking for the “holy grail” of single sign-on for all applications. In fact, many enterprises have multiple portals for employees or customers. Single sign-on works great for identifying fraud and for simplifying the process for new and departing employees.
ID Challenges Abound
Nevertheless, while enterprises are encouraging federated identity management, trusted identity sharing and the need for fewer passwords and more secure credentials using two-factor authentication, the Internet’s thirst for more access credentials seems to keep growing.
Why? Because the major technology and social media companies don’t want to give up what they know about you and your habits. They want to sell targeted advertising for the accelerating surge of mobile applications, and they need to get to know you better to make that happen.
Put another way, do you actually believe that Facebook will let you use a Microsoft (or Google or Apple or Amazon) profile to sign in to their services? I don’t think so.
The main reason is that these companies want to get to know you better - your actions, friends, habits, likes and buying patterns. They will never "outsource" this core function. The last thing they want to do is let a rival control your profile.
For example, think about how Amazon uses what they know about your book-buying habits to recommend other books or related items. Their profiles on us go much deeper and farther today than five or ten years ago. And the data they have on each of us continues to grow as they add products and services we use.
Even local supermarkets, gas stations and retail stores want us to have mobile apps with accounts so they can send e-coupons while we’re shopping or filling up the tank. Banks are talking about e-payment apps on your smartphone, and the doctor’s office is even adding apps. Just add another password or two, but don’t forget that security pros tell users not to reuse passwords.
Perhaps you are thinking – I often use LinkedIn or Facebook to access other online applications. Isn’t that a single login?
My answer is both yes and no. Yes - the major tech players are attempting to make their profile accounts with us more powerful, influential and shareable. These services do offer a reusable profile.
Google, for example, allows one login across all of their services from Gmail to YouTube. Microsoft has tried for years to get customers to use their passport system across multi-vendor Internet services with some minor success.
But no - we are very far from one “single sign-on” in cyberspace. Some even joke that their company likes “single sign-on” options so much that they have five or ten of them.
Also, while many new social media sites allow us to use Facebook or LinkedIn to login for the first time, you need to agree to give up personal information such as your contacts, preferences and other private items from Facebook to the new company in the process. Many stop and wonder: How will all my data be used by this app?
Instead of clicking to proceed, many users decide to open a new account with a new username, another password and a new profile to access that hot new social media app.
Enter New “Anonymous" Solutions
Which brings us to some major new announcements this week that point to where this trend is likely heading. I highly recommend reading this Computerworld article, which describes Facebook’s new service to allow “anonymous login.”
Here’s an excerpt:
"…If you provide your personal data to Facebook, you can then install and use apps that support Anonymous Login without giving your personal data to the app maker, at least initially.
In other words, a mobile app that supports Facebook Anonymous Login would allow logged-in Facebook users to interact with the app as if they had supplied their personal information, even if they hadn't actually done so.
Facebook says the feature provides "anonymity." But that's not accurate, because you do have to tell Facebook who you are. And it's not "pseudonymity," either, because you're not using a surrogate identity.
Facebook is walking a very fine line between the need to attract users (with a promise that they won't have to share their data) and the need to attract app developers (with promises of a greater number of users who will hand over some personal data eventually)…."
At the same time, we are seeing more new mobile apps that are less complex and do just one or two things very well. This trend has some saying that social networks are “falling apart.”
For mobile app developers, this is a very exciting period with new helpful apps launching almost daily. Still, I think we are nearing an identity crisis with too many social network logins, because our "new app every day" trend isn't slowing down.
The Future: A Trusted Data Bank
So where is identity management heading? I do think that we will eventually get to fewer profiles – meaning fewer associated logins and passwords or other credentials will be needed. However, I suspect that things will continue to get worse before getting better.
The wider question is: Who will consumers ultimately trust with their personal information? Remember that much of this information is learned (and not specifically given) about users by building a database of individual actions.
Facebook is attempting to become the trusted broker of your data in cyberspace. No doubt, Google, LinkedIn, Microsoft and others are trying to become the same thing. And everyone constantly adjusts their privacy policies on sharing your data.
These companies have recognized that users still have too many passwords and that customers don’t want to share their data with hundreds of apps and companies - unless they see good value. At the same time, the tech giants want you to log in through them – securely.
So the future for top social media and technology companies is evolving into becoming your trusted “bank” that doesn’t deposit money, but your data.
First, they want to know who you are. Second, learn what you like. Third, determine your habits. Fourth, figure out your personal values – and what makes you tick. All of this will drive online marketing revenue and allow better targeted ads. All of this requires them to collect even more data.
I do believe the long-term fog is finally clearing regarding identity management. While I don't expect to ever arrive at one single way to authenticate, we can surely achieve a reduced number of usernames and passwords.
In the meantime, there are many great tips on how to protect yourself while using social media apps.
Also, consider using one of several password managers that are available to help store your growing list of username/password pairs securely.
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.
During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.
He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.
He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.
Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.
He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.
Follow Lohrmann on Twitter at: @govcso
Building effective virtual government requires new ideas, innovative thinking and hard work. From cybersecurity to cloud computing to mobile devices, Dan discusses what’s hot and what works in the world of gov tech.