For paperless people
As a parent, placing lunch orders is a common exercise. My daughter this morning insisted I take a break from making her lunch and enjoy the ease of ordering for her online – made even ‘simpler’ by the fact that my internet browser remembers my login details. In the rush of helping her get ready for school and myself for work, I realised only when we got in the car that I hadn’t placed her lunch order.
As I reached for my laptop, my daughter said "it's okay mum, I did it myself".
She elaborated on her handiwork: “I just used my thumbprint on my iPad, went into the saved passwords and then I logged into your account to make an order.”
What??? Your thumbprint gives you access to my stored passwords?? What’s more, access to a Lunch Order account that has auto-top up. Access to spend whatever you like.
Alarm bells!! I did a little delving into the history of the Lunch Orders account, and noticed that this wasn’t the first time. Looking back, self-service access by my savvy daughter has been initiated in the past. Of note, a lunch purchase totaling $25.00… what could that have been? Did it come with a glass of wine on the side?
Now, I understand that the likes of Google, Apple and Microsoft are just trying to make things simpler for us, but this makes it simpler for everyone to access digital credentials – it’s like leaving a key under the doormat. Yes, I’m happy to share music and photos with my kids, but certainly not my passwords!
On reflection, I am thankful for this event this morning. It just reinforced my belief that password access to applications is flawed. It’s too easy for my digital identity and credentials to be accessed and transferred to someone else. My login details are the keys to my digital world, but the default method of using a password is outdated and leaves me vulnerable to being hacked… even by a child. I can see that the big three are trying to make passwords easier for the user using storage in the browser. While that may fix the issue of forgotten passwords, it creates a much bigger security problem.
Ultimately, it is time to do away with passwords rather than make them easier to store, remember and share, which makes the whole process self-defeating. My personal information is no longer safe.
As founder and CEO of Signmee (a digital forms and eSign cloud service), I have known for a long time that the greatest vulnerability to our software is the front door. Whenever you rely on passwords, you are leaving the product open to misuse and easy access. That is why I have explored a number of passwordless cyber security options. Fortunately, the focus on cyber security is hot at the moment, and many new options are beginning to surface to solve the authentication and access problems we have today. For me, the best of breed at the moment would have to be Cipherise.
The Cipherise software, developed by Australian cyber security company Forticode, makes usernames and passwords obsolete by using powerful but simple multifactor authentication, including biometrics, QR codes and the game-changing OneTICK, from the convenience of a user’s mobile phone. If the lunch order website integrated Cipherise, I would be the only one who could complete the transaction, even if it was started by my daughter, by validating and confirming the transaction using my smartphone.
It is time we start to demand more from service providers who simply offer username and password security. We should be demanding that our identity, credentials and money are secured carefully now that browsers are making it so easy to store and remember username and password combinations. Online services have a duty of care to protect us.