Passwords: The Love-Hate Relationship Payments Wants To Break Up

Passwords — they’re a love-hate relationship. Love the (supposed) security, but hate the nuance of remembering what favorite dog or past college crush the password was framed around. It’s a peculiar paradox, that the payments industry is working to transition away from traditional passwords.

Yet, among the gripes of having to remember what a consumer’s favorite model of car is, there’s an interesting psychology behind how and why people pick specific passwords, which suggests consumers may not be as resistant to them as much as the industry may think. Maybe even consumers are a little self-detrimental when it comes to passwords. A recent New York Times article by Ian Urbina examined “The Secret Life of Passwords,” and analyzed why consumers add such intimate personal touches to password practices they claim to hate. From a payments perspective, however, practices are changing.

Visa and MasterCard, for example, have already begun the process to simplify verification systems. Safe and simple is key to banking, just as much as that concept applies to user password practices. Nixing the need for extra passwords seems to be that next step for payment providers. Requiring extra passwords was designed to create and extra layer of security, but the series of cyber attacks has proven fraudulent activity finds its ways through the supposedly secure systems.

“All of us want a payment experience that is safe as well as simple, not one or the other,” Ajay Bhalla, president of enterprise security solutions at MasterCard, told The Guardian. “We want to identify people for who they are, not what they remember. We have too many passwords to remember and this creates extra problems for consumers and businesses.”

Technology advancements may have a lot to do with the transition. This includes features like paying with a fingerprint touch through Apple Pay, or the growing trend of wearables, and even concepts like a wristband that uses a person’s unique cardiac rhythm to authenticate a cardholder’s identity are the wave of today and the future, the Guardian article said, which concluded “such measurers will do away with the need to remember another password, to the great relief of many.”

Still, as the Times piece showed, people are still investing time and energy into personalizing those passwords to reflect a piece of their lives in seven to ten characters. Changing trends may squash that opportunity though. The article referenced what Bill Gates said 10 years ago at a tech-security conference: “There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.”

Yet, ten years later, passwords are still the way that consumers access just about everything, including those things that relate to financial services and banking.

But as history shows, the technology industry has always been faced with the challenge of having an influx of products introduced quicker than developers can create the necessary layers of security measures. The concepts of online passwords may be an interesting segment of for historians and psychologists to one day analyze. The Internet alone is a perfectly-complicated study of how consumers use passwords.

“The Internet is a confessional place. With so little privacy, passwords may soon be tomorrow’s eight-track player, quaintly described to our grandchildren,” Urbina writes. The seemingly antiquated industry standard of passwords is slowly being replaced by newer technologies,  but like most industries, isn’t changing pace as quickly as it could to meet consumer demand. But companies are trying.

“In recent years, there has been a push for machines to identify us not by passwords but by things we possess, like tokens and key cards, or by scanning our eyes, voices or fingerprints,”Urbina writes. “This year, for example, Google purchased SlickLogin, a start-up that verifies IDs using sound waves. iPhones have come equipped with fingerprint scanners for more than a year now. And yet passwords continue to proliferate, to metastasize. Every day more objects — thermostats, car consoles, home alarm systems — are designed to be wired into the Internet and thus password protected.”

And the conflict grows. More passwords, more layers of security to protect. More consumer frustration.

Five years ago, people had around 21 passwords, the article said. That’s hit an average of 81 per person, according to data from password-storage company LastPass. As the industry strives for stronger online security, battling off a new dose of cyber threats at a somewhat regular rate, the pushback against passwords hasn’t been enough to make an entire industry shift. The consumer demand is there, and companies say they want to create change. Changing security protocols is still lagging as the battle to develop the newest device takes precedence.

“Partly this push is being fueled by a growing and shared hatred of passwords. The digital era is nothing if not overwhelming. The unrelenting flood of information. The constant troubleshooting. We only just master one new device before it becomes outmoded. These frustrations are channeled into tantrums over forgotten passwords,” Urbina wrote. “There is scarcely a more modern sense of anomie than that of being caught in the purgatory where, having forgotten a password, we’re asked personal trivia questions about ourselves that we can’t seem to answer correctly. The almost-weekly stream of news stories about major security breaches makes it tough not to feel as if privacy on the Internet is unattainable.”

Are consumers giving up on the notion of online security? A portion, for sure. They’re called the “digital nudists,” who remain so frustrated about having to keep up with changing passwords and remembering identifications that they’ve made themselves open to cyberattacks with easily hackable passwords. They’re the ones using “password” for their passwords. Companies have failed to create systems that protect their customers, but the Times analysis also shows consumers may be the problem.

“Humans really are the weak link when it comes to data security,” computer scientist Joseph Bonneau told Urbina. But as he explained, it’s the psychology of humanizing our security traits that makes password problems most interesting to study. “People take a nonnatural requirement imposed on them, like memorizing a password and make it a meaningful human experience.”

So do people hate passwords as much as the industry thinks they do? Probably. But consumers are certainly embracing a security measure they despise with their own intimate touch. It’s clear consumers like personalization, but without the work. There’s the next challenge for payments: providing simplified, personalized security measures — but without passwords.