By Michael Olson | Posted on August 02, 2013
For a long time now, information security experts have preached the importance of creating “strong” passwords, but people haven’t always listened. And let’s be honest, can you blame us? Who wants to remember yet another distinct username and password combination? 60% of us already have more than five passwords to remember, and 40% of us believe that solving world peace would be easier than remembering each of our passwords.
“Password fatigue” is definitely an irritating problem for online consumers, but it’s an even bigger and more costly one for websites. Forrester tells us that password requests comprise 20-50% of an online business’s volume of customer support inquiries. And each password reset request costs businesses a whopping $70 on average. Despite the sheer number of passwords we all must maintain, 61% of us are re-using the same password across multiple websites, making it quite ironic that we’re still forgetting our passwords so often.
Companies are throwing away money handling these types of support requests. They are placing a bandage over a vexing and particularly expensive symptom instead of addressing the problem at its core. The more fundamental question to ask is why should people be required to set up and maintain a password for each website in the first place? There has to be a better way.
When a person registers on your site using social login, it is generally unnecessary to require the user to set up a password on your site. Social login uses open standards such as OpenID and OAuth under the hood to securely authenticate users. During this process, users confirm their account credentials and choose to log in to your site via a secure permission screen hosted on the identity provider’s own domain. Your site then receives an access token for the user, which can be used to sign the user in.
The password from a user’s social network account is never shared with anyone, nor do you need to ask the user to establish a password specific to your site upon sign-up, because the secure access token received via the authentication process validates that a person signing in is actually who she says she is.
So, social login means you can say au revoir to password-related support inquiries. Because we tend to use social networks and email providers such as Facebook, Google, Twitter, LinkedIn and Yahoo! on a daily basis, it is highly unlikely that we will forget our passwords with these services. And once a person uses a preferred social identity to register on a site, the sign-in process on return visits is as easy as a single click, with an optimized welcome-back experience prompting people to sign in again with the same social identity used on previous visits.
Offering social login even helps all of those legacy registered users who already have a site-specific username and password to access their account. Account linking enables existing registered users to sign in with a social identity, at which point, if a matching email address is detected in the database, the user is prompted to securely link the social identity to his existing account with the website.
Now, on future visits, your long-time registered user no longer needs to remember a username and password specific to the site, and can simply sign in with a single click using his familiar and preferred social identity.
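The account-linking step described above, and the sign-in-with-token flow from the earlier paragraphs, condensed into one decision function as an added illustration (this is not Janrain’s code). It adds the two checks a defender wants before a social identity is attached to an existing account: the identity provider must assert that the email is verified, and the user must prove control of the existing account before the link is created. All names, data structures and sample accounts here are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class SiteAccount:
    """A legacy account that was registered with a site-specific password."""
    email: str
    linked_identities: set = field(default_factory=set)


@dataclass
class SocialIdentity:
    """What the site learns about the user after the OAuth/OpenID exchange."""
    provider: str          # e.g. "google" (constructed value)
    subject: str           # the provider's stable user identifier
    email: str
    email_verified: bool   # claim asserted by the identity provider, not by the user


def normalize(email: str) -> str:
    """Compare addresses case-insensitively and without stray whitespace."""
    return email.strip().lower()


def decide_link(accounts: dict, identity: SocialIdentity, proved_ownership: bool) -> str:
    """Return 'sign_in', 'register', 'reject', 'prompt_link' or 'linked'.

    accounts maps a normalized email to its SiteAccount.
    proved_ownership is True once the user has re-entered the site password
    (or confirmed an emailed link) for the matching legacy account.
    """
    key = (identity.provider, identity.subject)
    # 1. Identity already linked on a previous visit: one-click sign-in.
    for acct in accounts.values():
        if key in acct.linked_identities:
            return "sign_in"
    existing = accounts.get(normalize(identity.email))
    if existing is None:
        return "register"            # no matching account: create a new one
    # 2. A matching address alone is not proof of ownership. If the provider
    #    did not verify the email, fall back to the site's own login form.
    if not identity.email_verified:
        return "reject"
    # 3. Verified match found: ask the user to prove they own the old account.
    if not proved_ownership:
        return "prompt_link"
    existing.linked_identities.add(key)
    return "linked"                  # future visits take branch 1
```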
To what extent are password-related requests occupying the time of your customer support team? Have you experimented with other tactics to reduce the support burden and help users remember their account credentials?