The Duke’s signet ring.
At some point in Frank Herbert’s Dune, the doomed Duke Leto gives his signet ring to a trusted messenger
as a way for the recipient to know for sure that the message comes from the Duke.
In less desperate cases the Duke sealed a letter by pressing the ring into hot wax on the envelope; the characteristic engravings on the surface of the ring would leave an imprint which the recipient would be able to recognise, and which would also reveal whether the seal had been broken and the letter read in transit.
In order to communicate with my bank I need to remember the following things:
1) my PIN
2) my username
3) my internet banking password
4) my secure key pass phrase
5) my telephone banking password
6) my postcode
I also have a business account with the same bank, but unaccountably, they use a similar but subtly different system, requiring an equal number of similar but different tokens.
That’s 12 ‘secrets’ shared between me and an institution.
If I forget any of these, which often happens since the bank changes the interface at increasingly frequent intervals and each ‘improvement’ adds more or different things to remember, I then need to recall the answers to some fatuous questions:
1) what is my favourite band?
2) what is my favourite airline?
3) what is your favourite restaurant?
4) name your first grade teacher.
A problem with these password recovery questions is that they are subjective.
What happens if I have a terrible flight with KLM and my new faves are Air France? I need to recall when I set the questions, what mood I was in and therefore what answer I gave back then.
When I opened these accounts, all I needed was a signature and a gas bill.
What’s worse, every app on my phone, or website I log into has the same appalling design pattern, along with a random set of password rules and recovery options.
As the internet-using population ages and the number of apps multiplies, this issue is going to spiral out of control. There are already sites where I routinely use password recovery (to my email) because it is easier than remembering yet another token for a site I don’t care about or visit so rarely that I don’t stand a chance of remembering the password.
You may feel that we have reached the peak of sites and apps, so the problem may be manageable. If you look at the wave of internet-connected fridges, solar panels, heating systems, pet feeders, doorbells, clothes etc. that is about to crash onto the market in the next 2 years, I think you’ll agree that the password count is about to explode.
This isn’t tenable. We need better, more sensible authentication and security. I’m not sure how it will work, but my bet would be on a wearable (like the ducal signet ring of old) or some form of non-invasive biometrics. Or, more likely, a rethink of the security model: are passwords and permissions really the way we want to relate to our devices?
For now I’m resorting to telephone banking, since it poses the lowest cognitive demand on me and the highest costs on my bank (short of me paying my ‘branch’ a visit).
With any luck the increased costs of calls will persuade my bright friends in FinTech to improve the situation. Meanwhile I’m working on a solution for the rest of us.