What brought this home to me was a presentation at this year’s Usenix Enigma 2018 security conference in California, where Google software engineer Grzegorz Milka revealed (presentation link) that as of today less than 10 per cent of active Google accounts use two-step authentication to lock down their services.
This free two-step authentication service was introduced over seven years ago (Sept 2010), initially for Gmail accounts, but its take-up by Joe Public has been negligible.
Last summer I needed to contact Amazon after some fraudulent activity on my account; their only advice was to change my password (which I had already done – as well as deleting all credit cards from the account) – when I asked about two-factor authentication, their support line denied it existed.
However, while checking my Amazon account settings in case anything had been changed, I stumbled across it – and guess what: it can leverage my already existing Google two-step authentication service. [Your Account › Login & security › Advanced Security Settings if you are interested – it also supports the Microsoft authenticator.]
As we design Identity 3.0, the next generation for digital identity, the challenge has been “how do we make it simple?”
But I think, based on everything I have learnt to date, that we need to go significantly further than this if it’s to be universally adopted, and add to our design criteria:
- How do we make it the simplest, most frictionless option?
- How do we make security, privacy and primacy near-invisible?
- How do we make it the default?
Because only then will we get the other 90% to adopt a security- and privacy-enhancing approach and start to beat the bad guys.
Paul Simmonds, CEO Global Identity Foundation, January 2018