While the short-term solution for many users is better password hygiene, that approach doesn't work for everyone. According to a recent study from IBM, millennials put less effort into traditional password hygiene than older generations.
The study found millennials are less likely to create complex passwords (42 percent) and more likely to reuse passwords (41 percent). The average millennial uses just eight passwords across all their accounts, versus internet users age 55 and over who use 12 different passwords.
These lax password habits could be tied to a generational preference for convenience. While overall, users ranked security as their top priority when signing into the majority of applications, younger users were significantly more likely to say they would trade security for convenience if it would save them one to 10 seconds.
Combined, these trends are driving millennials to adopt alternate methods of authentication to secure their accounts. The study found 75 percent of millennials are comfortable using biometrics today compared to 58 percent of those over age 55. Millennials were also more likely to enable two-factor authentication in the wake of a breach (32 percent), and move their accounts elsewhere once a provider has lost their data.
How will millennial's authentication habits impact access?
With millennials quickly becoming the largest generation in today's workforce, their online authentication habits impact the way employers and technology companies provide access to devices and applications.
Considering millennials' blasé attitude toward passwords, and their comfort and propensity for biometrics, such as fingerprint scanning, the time is ripe to replace passwords as the primary form of authentication. An approach that prioritises multiple factors and is adaptable based on risk, user preference, and security, will best serve organisations and end users in the evolution toward better security for identity authentication.
To enhance security with existing controls, organisations can consider the following tips:
- Employ multiple layers of authentication with at least two factors, including “what you know” (passwords, personal info), “what you have” (hardware token code, code received on a different device), and “what you are” (personal attributes like a fingerprint or facial recognition scan) to fully protect all parties from fraud and identity theft.
- Leverage a combination of risk-based authentication methods that factor in contextual information, such as location or timing of login to trigger additional authentication checkpoints in certain scenarios, such as when behavioural cues or connection attributions (device, location, IP address) signal abnormal activity.
- Take advantage of identity platforms that provide users with choices between multiple authentication options such as a one-time use password or fingerprint reader on devices.
- Adapt to younger generations' proclivity for new technology by allowing for increased use of mobile devices as the primary authentication factor and integrating approaches that substitute passwords with biometric methods or tokens.
- Regardless of the combination of authentication factors used, it's critical that identity access and management should be simple for both the organisation and the end user to ensure adoption.
The future of identity rests on millennial's fingertips
While passwords as a stand-alone way to authenticate aren't enough, they remain an important part of the equation. However, organisations and developers must prepare for a future in which biometrics take on a larger role in establishing identity. While passwords aren't going away just yet, there is an appetite for emerging authentication methods such as fingerprint identification and voice recognition, and it may just be the millennial generation that propels those methods to the forefront and changes the authentication paradigm for the future.
Contributed by Limor Kessem, executive security advisor, IBM Security.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.