Users Prefer Device Fingerprinting to Passwords

The latest data protection and information security survey conducted by the independent Ponemon Institute suggests that consumers would be willing to let Big Brother encroach a bit on their individual computing devices in exchange for more online security and lot less memorization of pesky user names and passwords.

Of the 551 participants who responded the Traverse City, Mich.-based researcher’s online survey, 70 percent said they’d be willing to have their computers authenticated by an online merchant before purchases are completed and 75 percent of those surveyed said that computer authentication is preferred because it’s more convenient than remembering passwords or answering pre-selected questions.

According to a 2007 password study by Microsoft, the average person has 6.5 Web passwords, each of which is shared across almost four different Web site. The study also found that each user has about 25 accounts that require passwords and he or she types an average of eight passwords a day.

If this particular study and it’s relatively small sample size is indicative of how the majority of consumers feel, so-called device fingerprinting software and technology developed by the likes of Los Altos, Calif.-based ThreatMetrix will soon find a much larger market with e-tailers, online payment processors and even social networking and e-dating sites.

“Actually, I did find the responses a little surprising,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “The responses were overwhelmingly positive and it’s clear people are becoming more comfortable with technology that can authenticate their machines.”

The idea of allowing a third-party Web site to use a software that would then report back the IP address, browser and physical location of a PC or mobile device still strikes some as an invasion of privacy. However, the notion of divulging personal information such as a mother’s maiden name or the last four numbers of a social security number apparently bothers Internet users even more.

In 2008, the Georgia Tech Information Security Center estimated that as many as 15 percent of personal computers were part of a botnet, up from 10 percent in 2007. E-commerce sites, dating sites such as eHarmony and as well as banks and payment processing centers are increasingly looking at device authentication technology as yet another tool in their ongoing war with hackers, spammers and other garden-variety malfeasants.

“The thing I’ve learned over a number of years is that timing is everything,” said Tom Grubb, vice president of marketing at ThreatMetrix. “I really feel like it’s the right time for this technology. It can help you identify who is a good guy and who is a bad guy without invading anyone’s privacy. The bad guys know that they have to try to act like a good guy and that leaves a trail that we recognize to help protect your network.”

In its report, the Ponemon Institute also found that 78 percent of users think online merchants, banks and social networks should use technology, such as a cookie or other invisible software, to protect consumers’ identities. Only 21 percent of those surveyed want online vendors to require more personal data from the consumers themselves.

According to CyberSource, 7 percent of e-tailers with more than $25 million in annual sales are using device fingerprinting software and another 47 percent said they plan to implement it by year’s end.

“What they’ve come to realize is that previous methods for authenticating credit card transactions and IDs are failing,” said Alisdair Faulkner, vice president of product development at ThreatMetrix. “This technology identifies the device and gives you another tool to use with other security technologies and processes to secure all these transactions.”

News Around the Web