23rd Jun 2020 | 3 Min. To Read
For many decades now, accessing a private online environment has meant entering a recognised user name, corroborated by a valid password. The combination of these two items of knowledge keeps at least the opportunist snoop or fraudster out of a website or user account. Unfortunately, repeated breaches of this security continue to expose the weakness of the username + password verification method.
Doubly unfortunately, this exposure has come at the expense of the private information of millions of people, whose personal details have been available for the world to see. In one case, the head of a healthcare provider allowed their username and password to be witnessed while logging on to its “secure” system.
Gaining access to online services requires security; this seemingly obvious fact emanates from the nature of remote system use. Basically, any user logging onto an online portal is using a computer they cannot physically see or touch.
In business terms, this is the “customer-not-present” environment; identity validation cannot be carried out by one human being looking at and talking to another. While this is very convenient in many ways (and, indeed, drives the entire web-based universe), in others, not being present is the internet’s biggest weakness.
Hackers of various hat colours use automated methods to generate both usernames and passwords; however, as the healthcare chief’s case shows, this isn’t always necessary. Human mistakes or oversights mean that the tried and trusted combination of username + password is only as secure as the person using it.
Knowledge-based access methods (of which username/password is one) have been gradually losing their importance over recent years. Partly this is because usernames and passwords are hard to remember; people tend to write them down, or use words easily associated with themselves.
Two extra layers of verification have come to enhance or replace this knowledge-based approach: devices and personal attributes. Rather than just a keyboard, smartphones, tablets and wearables now have many other ways to interact with their user; this allows them to take selfies, or maybe even scan eyeballs and thumbprints.
In combination with private knowledge (what you know), what you have and what you are can now be used to verify your identity. A combination of all three is certainly much more secure than the username-password method.
Taking the time to remember and correctly enter usernames and passwords is a clunky, tedious experience for many modern online customers. The rise of technological and biometric layers to remote verification has added advantages for these users; by extracting valuable biometric details, for example, serious security checks can be started as quickly as possible.
For low-risk customers, access can be very quick indeed. However, an advantage of the newest checking methods is that even higher-risk users can be verified without them feeling like they’ve been pulled out of the queue and taken to one side.
This seamless customer experience is as vital as the need for ever-more effective security measures; the demise of username + password may well, then, be a good thing all round.