Gartner's survey of 4000 U.S. adults in September 2008, once again demonstrated people's tendencies to opt for convenience over security. It's a trend that has stayed fairly consistent over the years despite the fact that an increasing amount of activity occurs online these days thanks to the growth of cloud computing.

According to Gregg Kreizman, research director at Gartner, "most consumers want to continue managing their passwords the way they do now." But the way they do now is nothing to brag about. It generally consists of one or two passwords which the consumer uses on every website they encounter.

What should be done about this? According to Kreizman, online product and service vendors should redouble their marketing efforts to illustrate the advantages and practicality of routine and stronger authentication for consumers. Another analyst, Avivah Litan, also notes that "enterprises with consumer-facing websites that require stronger controls than weak password authentication alone should continue to augment passwords with complementary mechanisms, such as device identification, geolocation and transaction verification."

Elephant in the Room: Facebook Connect

While these findings are relatively unsurprising, the study highlights one of the top issues when it comes to security: the human factor. For most people, convenience is key, even if it means putting their security at risk. Consumers would rather rely on service providers to protect their safety than change their own age-old habits.

Yet the one thing the study didn't address is what impact Facebook Connect will have on the user authentication ecosystem. Unlike OpenID (new sign-in boxes notwithstanding), Facebook Connect makes sense to the user. People immediately understand what it means to sign in using their Facebook account. What's more, the process is easier and faster than creating a new username/password combination for the website in question. That should prove well for its adoption and acceptance among consumers.

In addition, Facebook Connect solves problems that go beyond the security issue alone. Sites implementing the technology can gain access to your friend lists, too - a boon for social networking-type sites and those wishing to become more social. There's also the great, untapped potential of how Facebook Connect could make the Internet a kinder, more transparent place. When people have to be identified - and are not anonymous - the chance they'll engage in "troll-like" behavior (leaving rude, disruptive comments) is reduced. It could also impact sites that rely heavily on user reviews. No longer could marketers, business owners, and content producers game the system by leaving glowing - yet fake - reviews which are then hoisted upon unsuspecting visitors.

For those reasons and more, Facebook Connect could very well become the next big authentication methodology on the web. Personal opinion aside, it's hard to ignore the potential of this social networking giant.

But while Facebook Connect may eventually solve the security issue of a commonly used username and password among consumers, it's important to realize that it will introduce security concerns of its own. If this technology becomes ubiquitous, we'll have to face the consequences of putting all the power of authentication into the hands of one private company, which many fear do not have our best interests at heart - especially when it comes to privacy.

And that makes us think that perhaps a common, often-repeated password may not be such a bad thing after all. 

About UsableLogin

UsableLogin is a new application from Usable Security Systems which allows you to choose one simple code word and use it to log into any web site. That codeword can be as simple as your dog's name ("fido") or your favorite color ("pink"). Why is this possible? Because the code word is just one layer of security - behind the scenes, the software creates another password for you for the actual web site. The password it creates is strong, complex, and highly secure, just as we know passwords should be.

How It Works

To use UsableLogin, you simply download the browser plugin. After you pick a background image and your easy-to-recall pass code, the login box will appear consistently across every web site you access, whether that's Facebook or your bank.

Web sites can also choose to support UsableLogin by putting a small bit of JavaScript code on their site.

Here's what UsableLogin sign-in boxes look like:

When you log in to a web site, UsableLogin cryptographically combines your simple code word with secret data pulled from separate sources: your computer and Usable Security's servers. This data is combined to create a secure verifier which is used as your complex password. Your code word is never stored and web sites never see it.

UsableLogin can be used on any web site that accepts passwords. It will also work on any operating system and browser.

UsableLogin on Gmail

The Usable Login Dashboard

From the UsableLogin homepage, you can manage all your accounts and view your history - when you last logged on and from which computer. You can also authorize and deauthorize computers from this dashboard, so for example, if your laptop was lost or stolen, you could make sure that no one who got a hold of it could log in to your accounts.

Security Made Easy

Ask any I.T. professional about "multi-factor authentication" and they'll tell you how much more secure it is against attacks. Think of it this way: on your front door you have a doorknob with a lock - that's the extent of protection you have today. Add a deadbolt to the mix, and even though your door's lock is so much easier to pick, the extra lock (the deadbolt) makes it much harder to get into your house. That's multi-factor authentication. (OK, it's actually much more complicated than that, but that's the easiest way I could think to explain it.)

If you want to learn more about UsableLogin, you can watch their entire presentation from DEMO08 here:

UsableLogin will become available in early 2009. You can sign up on their homepage to be notified when it's released.