Password fatigue

Password fatigue is the feeling experienced by many people who are required to remember an excessive number of passwords as part of their daily routine, such as to log in to a computer at work, undo a bicycle lock or conduct banking from an automated teller machine. The concept is also known as password chaos, or more broadly as identity chaos.^[1]

Causes

The increasing prominence of information technology and the Internet in employment, finance, recreation and other aspects of people's lives, and the ensuing introduction of secure transaction technology, has led to people accumulating a proliferation of accounts and passwords.

According to a survey conducted in February 2020 by password manager Nordpass, a typical user has 100 passwords.^[2]

Some factors causing password fatigue are:

unexpected demands that a user create a new password
unexpected demands that a user create a new password that uses a particular pattern of letters, digits, and special characters
demand that the user type the new password twice
frequent and unexpected demands for the user to re-enter their password throughout the day as they surf to different parts of an intranet
blind typing, both when responding to a password prompt and when setting a new password.

Responses

Some companies are well organized in this respect and have implemented alternative authentication methods,^[3] or have adopted technologies so that a user's credentials are entered automatically. However, others may not focus on ease of use, or even worsen the situation, by constantly implementing new applications with their own authentication system.

Single sign-on software (SSO) can help mitigate this problem by only requiring users to remember one password to an application that in turn will automatically give access to several other accounts, with or without the need for agent software on the user's computer. A potential disadvantage is that loss of a single password will prevent access to all services using the SSO system, and moreover theft or misuse of such a password presents a criminal or attacker with many targets.
Integrated password management software - Many operating systems provide a mechanism to store and retrieve passwords by using the user's login password to unlock an encrypted password database. Microsoft Windows provides Credential Manager to store usernames and passwords used to log on to websites or other computers on a network; iOS, iPadOS, and macOS share a Keychain feature that provides this functionality; and similar functionality is present in the GNOME and KDE open source desktops. In addition, web browser developers have added similar functionality to all the major browsers. Although, if the user's system is corrupted, stolen or compromised, they can also lose access to sites where they rely on the password store or recovery features to remember their login data.
Third-party (add-on) password management software such as KeePass and Password Safe can help mitigate the problem of password fatigue by storing passwords in a database encrypted with a single password. However, this presents problems similar to that of single sign-on in that losing the single password prevents access to all the other passwords while someone else gaining it will have access to them.
Password recovery - The majority of password-protected web services provide a password recovery feature that will allow users to recover their passwords via the email address (or other information) tied to that account. However, this system has itself become a target of social engineering attacks by criminals. These criminals obtain enough information about the target to impersonate them and request a reset email, which is then redirected through other means to an account under the attacker's control, enabling the attacker to hijack the account.
Passwordless authentication - One solution to eliminate password fatigue is to get rid of passwords entirely. Passwordless authentication services such as Okta, Transmit Security and Secret Double Octopus replace passwords with alternative verification methods such as biometric authentication or security tokens.^[4] Unlike SSO or password management software, passwordless authentication does not require a user to create or remember a password at any point.^[5]

Innovative Approaches

As password fatigue continues to challenge users, notable advances in password management techniques have emerged to alleviate this burden. These innovative approaches provide alternatives to traditional password-based authentication systems. Here are some notable strategies:

Biometric Authentication

Biometric authentication methods offer a seamless and secure alternative to traditional passwords, including fingerprint recognition, facial recognition, and iris scanning. Users can authenticate their identities without remembering complex passwords by leveraging unique biological characteristics. Companies like Okta and Transmit Security have developed robust biometric authentication solutions, reducing reliance on traditional passwords.^[6]

Security Tokens

Security tokens, also referred to as hardware tokens or authentication tokens, add an extra layer of security beyond passwords. These physical devices generate a one-time passcode or cryptographic key that users input alongside their passwords for authentication. This two-factor authentication (2FA) method enhances security while reducing the cognitive load of managing multiple passwords. Secret Double Octopus is a notable provider of security token solutions.^[7]

Passwordless Authentication

Passwordless authentication services represent a significant shift in authentication methods by entirely eliminating the need for passwords. Instead, these services utilize alternative verification methods, such as biometric authentication, security keys, or magic email links. By removing passwords from the equation, passwordless authentication significantly simplifies the user experience and reduces the risk of password-related security breaches. Okta, Transmit Security, and Secret Double Octopus are pioneering providers of passwordless authentication solutions.^[8]

Behavioral Biometrics

Emerging technologies in behavioral biometrics analyze unique behavioral patterns, such as typing speed, mouse movements, and touchscreen interactions, for user authentication. By continuously monitoring these behavioral signals, the system can accurately verify a user's identity without requiring an explicit authentication action. Behavioral biometrics provide a seamless authentication experience while minimizing the cognitive load associated with traditional password-based systems.^[9]

These innovative approaches offer promising alternatives to traditional password management techniques, delivering enhancements in security, usability, and user convenience. As technology advances, further progress in authentication methods will effectively address the ongoing challenge of password fatigue.^[10]

Notes

^ "Password chaos" at TheFreeDictionary
^ Williams, Shannon. "Average person has 100 passwords - study". securitybrief.co.nz. Retrieved 2021-04-26.
^ Such as digital certificates, OTP tokens, fingerprint authentication or password hints.
^ Murphy, Hannah (3 September 2021). "The start-ups trying to kill the password". Financial Times. Retrieved 2 November 2021.
^ "What is Password Fatigue and How You Can Overcome It". Transmit Security. 13 October 2021. Retrieved 4 November 2021.
^ Al-Slais, Yaqoob; El-Medany, Wael (1.1.2022). "User-Centric Adaptive Password Policies to Combat Password Fatigue". The International Arab Journal of Information Technology. {{cite journal}}: Check date values in: |date= (help)
^ Al-Slais, Yaqoob; El-Medany, Wael (1.1.2022). "User-Centric Adaptive Password Policies to Combat Password Fatigue". The International Arab Journal of Information Technology. {{cite journal}}: Check date values in: |date= (help)
^ Al-Slais, Yaqoob; El-Medany, Wael (1.1.2022). "User-Centric Adaptive Password Policies to Combat Password Fatigue". The International Arab Journal of Information Technology. {{cite journal}}: Check date values in: |date= (help)
^ Al-Slais, Yaqoob; El-Medany, Wael (1.1.2022). "User-Centric Adaptive Password Policies to Combat Password Fatigue". The International Arab Journal of Information Technology. {{cite journal}}: Check date values in: |date= (help)
^ Al-Slais, Yaqoob; El-Medany, Wael (1.1.2022). "User-Centric Adaptive Password Policies to Combat Password Fatigue". The International Arab Journal of Information Technology. {{cite journal}}: Check date values in: |date= (help)

External links

Noguchi, Yuki. Access Denied, Washington Post, 23 September 2006.
Catone, Josh. Bad Form: 61% Use Same Password for Everything, 17 January 2008.

[1] "Password chaos" at TheFreeDictionary

[2] Williams, Shannon. "Average person has 100 passwords - study". securitybrief.co.nz. Retrieved 2021-04-26.

[3] Such as digital certificates, OTP tokens, fingerprint authentication or password hints.

[4] Murphy, Hannah (3 September 2021). "The start-ups trying to kill the password". Financial Times. Retrieved 2 November 2021.

[5] "What is Password Fatigue and How You Can Overcome It". Transmit Security. 13 October 2021. Retrieved 4 November 2021.

[6] Al-Slais, Yaqoob; El-Medany, Wael (1.1.2022). "User-Centric Adaptive Password Policies to Combat Password Fatigue". The International Arab Journal of Information Technology. {{cite journal}}: Check date values in: |date= (help)

[7] Al-Slais, Yaqoob; El-Medany, Wael (1.1.2022). "User-Centric Adaptive Password Policies to Combat Password Fatigue". The International Arab Journal of Information Technology. {{cite journal}}: Check date values in: |date= (help)

[8] Al-Slais, Yaqoob; El-Medany, Wael (1.1.2022). "User-Centric Adaptive Password Policies to Combat Password Fatigue". The International Arab Journal of Information Technology. {{cite journal}}: Check date values in: |date= (help)

[9] Al-Slais, Yaqoob; El-Medany, Wael (1.1.2022). "User-Centric Adaptive Password Policies to Combat Password Fatigue". The International Arab Journal of Information Technology. {{cite journal}}: Check date values in: |date= (help)

[10] Al-Slais, Yaqoob; El-Medany, Wael (1.1.2022). "User-Centric Adaptive Password Policies to Combat Password Fatigue". The International Arab Journal of Information Technology. {{cite journal}}: Check date values in: |date= (help)