Multiple passwords, IDs have become gatekeepers of modern life – is there a simpler solution?

In December 2018, Gerald Cotten, the founder of cryptocurrency exchange Quadriga CX, died at the age of 30 while on his honeymoon in India – and with him vanished the only keys to access $145 million worth of cryptocurrency held for customers.

Court documents filed by Cotten’s widow said he had encrypted information related to the operations of his cryptocurrency exchange and that she did not have any of his passwords. Though investigators later concluded that Cotten had been running a ponzi scheme, his widow claimed she knew nothing about his business activities.

Though Cotten may have taken his passwords to the grave (conspiracy theories claim he is alive), Telecom Regulatory Authority of India Chairman RS Sharma was far less guarded about revealing personal information to the world – to his peril.

In July 2018, Sharma posted his Aadhaar number online in an attempt to demonstrate that the government-run identity system was so secure, no problems would arise if such details became public. It did not take long for social media users to use it to dig up his income tax personal account number, age, alternate phone number and other private information.

Modern life revolves around dozens of passwords that simplify myriad tasks, which might otherwise have taken much longer. But these incidents reflect how important – and vulnerable – passwords and IDs are in the internet era.

These combinations of letters, numbers and punctuation signs control careers, health, academics, entertainment, finance, travel, social networking, household amenities like power and water, purchases, tax payments and even citizenship.

Smartphones, through which most of these services are accessed, are also password-protected. Technology has made life easy, but with a huge downside.

Until the last decade or so, one’s identity was their name and residential address. Now, this has been substituted by user IDs and passwords, purportedly ensuring security in an insecure world.

Passwords enhance user convenience, ensure privacy and secure digital trails. They prevent unauthorised access to personal and sensitive information. This security is critical for banking, healthcare and government services, where the confidentiality and integrity of data is paramount.

Unfortunately, every online platform has different criteria for setting passwords. Many online services enforce strict password policies, requiring users to create complex passwords that include a mix of uppercase and lowercase letters, numbers and special characters. Platforms and service providers have not agreed upon standard practices and mandate regular password changes.

This is to enhance security but it complicates matters for users who must regularly update passwords. Unlike a person’s name, IDs and passwords are numerous and recalling them is challenging – the resulting stress and anxiety is called “password fatigue”. As a result, some resort to risky practices of using weak passwords, reusing passwords, or writing them down.

I tried reducing this cognitive burden by creating a Microsoft Word document listing all my usernames and passwords, but that too had to be secured by another password.

Is there a solution?

Simplifying the management of multiple credentials to some extent are “password managers”, which store passwords to various websites while requiring the user to remember only the master password. Also useful are single sign-on solutions – authentication services that allow users to log in to multiple applications or systems with a single set of credentials. This, for instance, would allow a user to access a host of Google products as well as third-party services through one account.

Given the availability of such options, Indian regulators, such as the Ministry of Electronics and Information Technology and their executive arm, CERT-In (Indian Computer Emergency Response Team), should initiate a discussion with their international counterparts such as The United Nations Information Security Special Interest Group or European Union Agency for Cybersecurity to resolve this global challenge of multiple credentials.

Like India’s Aadhaar, could there be a universal and unique username and password that could be used across platforms without modifications?

In addition to users being helped to manage their passwords, there should be solutions for legal heirs to recover and access personal accounts if a user dies. That could help prevent a repeat of the Gerald Cotten problem.

Another option is an authentication method that does not require a password. Technologies such as WebAuthn and FIDO2 enable secure and password-free login using cryptographic keys and biometric data.

Promoting and embracing such techniques will make online engagement truly seamless.

Vishnu C Rajan is a faculty member specialising in Operations Management in the Department of Humanities and Social Sciences at the Indian Institute of Technology Tirupati. His email ID is vishnu@iittp.ac.in.