Since the dawn of infosec, the belief that we users are a group of dullard cattle who blindly trade our own security for convenience at every turn has been trumpeted by the stewards of IT and the infosec-arrogant, while bolstered by old research.
Not anymore, says a new in-depth study from IBM on consumers' relationships with biometrics, authentication and the future of identity. If they have a choice, consumers now prefer taking extra security steps over using "123456" as a password.
According to IBM Security's new "Future of Identity Study," users of both mobile and desktop are wide awake to what's happening with each new high profile breach, and it's made them change their priorities. Strong security and privacy are now at the forefront of the average user's concerns, especially when it comes to banking, financial, online marketplaces, and their email accounts.
That's a sharp contrast to research from Gartner in 2008, which also surveyed 4,000 people and found that most consumers didn't want to change the way they did passwords or security, and were highly resistant to using password managers or adopting additional security measures around log-ins.
"Despite widespread security concerns," Gartner concluded ten years ago, "consumers continue to rely on service providers to protect their safety and persist in using unsafe password management practices, preferring to maintain the status quo rather than exploring new security methods."
IBM's 2018 report surveyed nearly 4,000 adults from around the world. Most respondents were in the US. Over half said they would never trade security for convenience. Like, never.
That sentiment increased with age. IBM's findings showed that 53 percent of 18- to 23-year-olds were in the "no trade-offs" camp, and the share grew in each older group. At the end of the spectrum where the olds were, 84 percent of people 55 and older said that nope, they'd never ever sacrifice security for convenience.
Sadly it was only people who said this, and not corporations, who are sometimes people, but are always sacrificing our security for their convenience.
Additionally, IBM found that 74 percent of consumers said they'd prefer to use extra security like two-factor authentication, extra passwords, or any other additional step for added protection. If they could, they would. Interestingly, the study said that "36 percent of those ages 18 - 20 say they use password managers to keep passwords and avoid having to memorize them, compared to only 26 percent of users in the general population."
It all comes down to trust. Between Yahoo's flaming 3 billion user security disaster, Equifax's negligent ongoing dumpster fire, and Facebook's endless compromises of our personal security, consumers have turned a corner from thinking that large companies have their security acts together.
Perhaps what's surprising is not that people would choose better security over letting some company make their logins "frictionless," but that they're willing to do something about it. That includes rage-quitting whoever screwed up their security. IBM's report found that in the wake of a breach, one in five users will stop using an affected app or service, or move to a competitor's service. The younger the user, the more likely they'll dump whoever got breached and take their trust somewhere else.
I can only imagine the amount of resentment building against companies people can't switch away from, like Equifax, Anthem (BlueCross BlueShield), or government agencies such as the Office of Personnel Management (OPM).
The debate about trade-offs between security and convenience is an old one. But now it looks like the idea that users do whatever is easiest is just as dated. Now people know the risks. And no one trusts companies with their security or privacy anymore.
"For apps related to finances (banking, investing and budgeting)," the study detailed, "people vastly ranked security as top priority (70 percent on average) over privacy or convenience (16 percent and 14 percent respectively) -- yet when it came to social media, convenience took a slight lead (36 percent convenience, 34 percent security, 30 percent privacy)."
One of the extra security steps making its way into mainstream use is biometrics, like fingerprint, face, retina, and palm scanning. Samsung is working on phones that scan your palm; LG wants to use your voice; the Galaxy S8 already uses retinal scans. A Dubai airport plans to replace security counters with facial recognition scans. Mastercard is adding fingerprint scanners to its credit cards. And of course, flagship Androids and iPhones all come with fingerprint and Face ID options.
It's all been met with conflicting reactions of excitement and anxiety from consumers, security professionals, and privacy pundits. Their concerns are all well-founded, and as my colleague Cherlynn Low put it, "After Apple first put Touch ID on the iPhone 5s in 2013, people pointed out that it didn't work very well and that it wasn't secure."
Yet IBM's study shows biometric security to be an inevitability consumers are starting to embrace. Its data showed that 67 percent of respondents are comfortable with using biometrics for security, with a whopping 87 percent willing to consider using different types of biometric authentication in the future.
Still, everyone's biggest concerns with biometrics are privacy and security. According to IBM, 55 percent of respondents are worried about how their biometric data will be collected and used, and 50 percent say they're concerned about people using faked biometric credentials to break into their accounts.
So maybe it's time for companies and their infosec advisors to start trusting users with more options for choosing how we lock down our own security on their services, instead of trying to corral us into whatever must-be-numbers-and-letters half-baked password recipe voodoo they think is best, while their own IT decision makers bump around in the dark prioritizing patches instead of actually applying them. I dunno. It's just a thought.