Since the earliest days of the computer, user authentication has been an ongoing challenge for designers. How does a system ensure that the person sitting behind the device really is who they say they are?
Passwords have long been the standard method of user authentication. But today, biometric techniques such as fingerprints, voice scanning, facial recognition, and eye scans are becoming more common as the technology that powers them becomes more advanced. The rapidly growing technology trends of biometric authentication have even prompted the Canadian government to create the Office of Biometrics and Identity Management.
To learn more about user authentication in Canada, we surveyed more than 1,000 residents. In part one of this two-part series, we focused on biometric authentication. Here, we examine how Canadians feel about facial recognition and look at the role that passwords still have to play. You will find a full methodology at the bottom of this article.
Consumers favour “official” use cases for facial recognition
Facial recognition involves a digital system analysing an image of a person’s face and comparing it against a stored database of faces to determine the person’s identity. Respondents to the survey had mixed attitudes towards facial recognition. They broadly agreed with its use in official or government contexts, while being less comfortable with its use in commercial settings.
39% are “very comfortable” using facial recognition for passport control, with a further 36% “somewhat comfortable”. 40% are somewhat comfortable (and 21% very comfortable) with the police using facial recognition for surveillance purposes.
However, 50% are not comfortable using facial recognition to make payments for retail purchases. Similarly, 54% are not comfortable with facial recognition for emotion analysis (such as during a job interview). 58% are not comfortable with the idea of companies using facial recognition to personalize advertising, and 44% do not want to see it used to track employee attendance.
Building access represents a middle ground for the acceptability of facial recognition. 46% were somewhat comfortable with the idea, with 18% very comfortable and 28% not comfortable.
55% of Canadians use the same password across accounts
Anyone with a computer or a mobile phone will be familiar with passwords. But given the number of passwords that today’s computer users need to remember—100 on average, according to a survey by NordPass—people often resort to shortcuts to make their lives easier.
55% of respondents to the GetApp survey said that they use the same password across multiple accounts. When changing passwords—such as when periodically forced to by their employer—37% admitted they change some characters but not all (so password1! becomes password2!, for example).
Using unique passwords for every device or account is widely cited as good security practice by expert bodies such as the Canadian Centre for Cyber Security. The Canadian Government also makes clear the importance of not forcing regular password resets. Its guidance for password administrators and system owners (of government information systems) says:
“Forcing users to change their password at regular intervals puts a significant burden on users and has little effect on security… [Government of Canada] system owners are therefore encouraged to require users to change passwords only when there is a good reason to do so, for example, in case of a known or suspected compromise.”
According to the survey, 31% of users change passwords regularly on a voluntary basis anyway. As mentioned above, and supported by many other entities such as the security company 1Password and most security experts interviewed by Business Insider, this is not generally necessary.
Respondents have mixed techniques for remembering passwords
Given the recognized phenomenon of “password fatigue”, there exist many techniques to help users remember their array of passwords.
34% of people surveyed use an easily remembered phrase or pattern. This technique can work because it makes passwords longer, which generally means they are harder to crack by brute force. (In brute force attacks, hackers usually use software to systematically try combinations of characters that could make up a password.) However, phrases can also make passwords easy to guess if an attacker knows some personal information about the password holder, such as their birthday or family members’ names, which are commonly chosen precisely because they are easy to remember.
33% of respondents say they write passwords down on paper. This is fine, provided the paper is kept somewhere safe. Storing them in a file on a computer desktop or on a note stuck to a monitor is poor practice, as anyone who gains access to the device will be able to get into locked accounts as well. One best practice is to keep them on a piece of paper in a safe place where nobody can find them.
Personally meaningful information, such as birthdays or family names, was used to create passwords by 27% of people surveyed. This can help system users remember their password, but the password should still be constructed in a manner that is difficult to guess.
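The three password habits above (long phrases versus brute force, personal details that make a phrase guessable, and the “change a character or two” rotation pattern) can be turned into a simple policy check. The following is an added example written for this article, not code from GetApp or any cited body; the facts list, sample passwords and the 80-bit threshold are constructed assumptions.

```python
import math
import re
import string

_SEPARATORS = re.compile(r"[\s\-_./]")

def charset_size(pw: str) -> int:
    """Smallest standard alphabet covering every character in pw (what a brute-force tool iterates over)."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    if " " in pw:
        size += 1
    return size

def brute_force_bits(pw: str) -> float:
    """log2 of the worst-case candidate count charset**length: each extra character adds log2(charset) bits."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))

def personal_info_hits(pw: str, known_facts: list[str]) -> list[str]:
    """Known facts (birth year, family names) that appear in pw, ignoring case and separators."""
    flat = _SEPARATORS.sub("", pw).lower()
    return [f for f in known_facts if _SEPARATORS.sub("", f).lower() in flat]

def cosmetic_change(old: str, new: str, max_diff: int = 2) -> bool:
    """True when new merely tweaks a couple of positions of old (password1! -> password2!)."""
    return len(old) == len(new) and sum(a != b for a, b in zip(old, new)) <= max_diff

def assess(pw: str, known_facts: list[str], old_pw: str = "", min_bits: float = 80.0) -> dict:
    """One verdict from the three checks; the 80-bit threshold is illustrative, not an official standard."""
    hits = personal_info_hits(pw, known_facts)
    cosmetic = bool(old_pw) and cosmetic_change(old_pw, pw)
    bits = brute_force_bits(pw)
    return {"bits": round(bits, 1), "personal_hits": hits, "cosmetic_change": cosmetic,
            "acceptable": bits >= min_bits and not hits and not cosmetic}

if __name__ == "__main__":
    # Constructed sample values, not survey data.
    for old, new in [("password1!", "password2!"), ("", "Ottawa-Tremblay-1994")]:
        print(new, assess(new, ["Ottawa", "Tremblay", "1994"], old))
```

A long phrase built from the facts list scores well over 80 bits yet is rejected, which is the point the paragraph above makes: length helps against brute force, not against an attacker who knows the holder.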
Password management software helps businesses and users stay safe and productive
In order to ensure a range of unique and sufficiently hard-to-crack passwords across accounts, many experts now recommend password management software, which is used by 21% of respondents to the GetApp survey. These tools save passwords across devices and accounts, and also offer features such as auto-generation of complex passwords, auto-filling of forms on sites, and auto-updating of weak passwords. Users only need to remember one “master” key for the password manager itself.
Official guidance, however, is still to exercise caution. Password managers should not be used for highly sensitive accounts such as online banking or accounts where users have administrative privileges. The software should also be updated regularly to ensure that security patches are applied.
Two-factor authentication is used by over 80% of respondents
Experts are in agreement that additional layers of authentication are a good thing. This is referred to as multi-factor authentication (MFA), or two-factor authentication (2FA) when exactly two layers are present; it requires anyone logging in to a device or account to provide at least two independent pieces of evidence to verify their identity.
Commonly, this includes a password plus an additional code. It may also involve answering a security question or submitting biometric data such as a fingerprint. A security question is itself something the user knows, so it adds less than a code delivered to a separate device.
43% of people surveyed use two-factor authentication for work applications whenever it’s available, and 40% do so “sometimes”. These figures are closely reflected for personal accounts: 45% use 2FA whenever it’s available and 40% do so sometimes.
The most common method of MFA encountered among those surveyed was a security question (85%) followed by code sent via email (83%) and a code sent to a mobile device (79%). Only 13% of respondents have used biometric authentication as part of a multi-factor authentication process.
Biometric authentication is widespread across Canada. 41% of respondents have voluntarily given biometric data to private companies, but mistrust regarding how organizations will handle that data remains relatively high. Canadians favour government use cases over commercial ones for facial recognition, and respondents are strongly in favour of transparency and regulation of biometric data processing.
When it comes to passwords, “rule-breaking” in some form is widespread, and techniques to remember and create strong passwords vary widely. However, the majority uses multi-factor authentication both at home and at work, strengthening the protection of those accounts.
Data for the GetApp Biometric Technology and Password Management Canada Survey 2021 was collected in January 2021. The sample comes from an online survey of 1,007 respondents who live in Canada. The respondents were in the age groups 18 to 25 years, 26 to 34 years, 35 to 49 years, 50 to 64 years, and 65 years and above.