PayPal, Lenovo and killing the password

I like this new initiative from PayPal and Lenovo. With little more than a small software install, it effectively turns every device into a random-password generator that supplies an additional authentication factor. It’s hard to know whether phishing and brute-force password cracking are still prevalent issues, since most of the data come from solution providers’ FUD campaigns; my view is that the problem is real, but not as big or as complex as it’s made out to be. Based on my experience at PayPal, most hacking activity can be detected through probabilistic means rather than by assigning the consumer more secrets. You can read more about that here.

Will this solution prove useful? Having an app automatically contribute an authentication factor takes part of the human factor out of the equation, and the human factor accounts for a lot of potential security breaches. No argument there. Still, the biggest problem in access control remains the human factor; that is what makes defending against it so complicated, and it is what turns additional authentication factors into a limited solution: people forget, and, more often, they compromise themselves.

No matter whether it is simple or complex, secure or insecure (actually, more so when it is secure and complex): if there is a password, users will forget it, and you will have to offer some kind of password-retrieval flow, which may not require the secured device. Once you allow a way around that requirement, fraudsters will use it to get into accounts.

The bigger problem is that users compromise themselves. They give their credentials to others, they hand their devices to their kids, they use shared devices to access confidential information. They do this because it is what they need to do day to day; this is how they need to use your product. Many times there is no alternative to sharing credentials, since the product itself doesn’t allow shared use (multiple users with different permissions on a mobile device? Hard to imagine), but even when such solutions exist they are hard to use and aren’t taken up by consumers. A good example is shared or linked prepaid child accounts that parents load with cash. While these solutions exist, their use is rudimentary unless the child already has an established, separate financial relationship. It’s so much easier to just give the kid your card.

The bottom line is that usability trumps security, at least the type of security that adds barriers and authentication factors. The industry is long overdue in moving to behavioral and probabilistic measures for online security, but it is definitely lagging. Until that knowledge is properly disseminated, which may take years, I definitely like what PayPal and Lenovo are doing as a mid-way solution.
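As an added illustration (not code from this post, nor from PayPal or Lenovo) of the probabilistic approach argued for here, combined with the password-recovery weakness described above: a toy risk engine that scores a login from device familiarity, location velocity, recent failed attempts and whether the request arrived through the recovery flow, then decides between allowing it, stepping up to the device factor, or blocking. The weights, thresholds, field names and the sample user history are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class UserHistory:
    """What we already know about a user (constructed for the example)."""
    known_devices: set
    last_country: str
    last_seen: datetime


@dataclass
class Attempt:
    """One login attempt as seen by the service (constructed sample input)."""
    user: str
    device_id: str
    country: str
    ts: datetime
    failed_last_hour: int = 0
    via_recovery: bool = False  # request came in through the password-reset flow


def risk_score(attempt: Attempt, history: dict) -> float:
    """Additive heuristic score in [0, 1]; all weights are illustrative assumptions."""
    h = history.get(attempt.user)
    if h is None:
        return 0.5  # no history at all: no signal either way, treat as moderate risk
    score = 0.0
    if attempt.device_id not in h.known_devices:
        score += 0.4  # unfamiliar device
    if attempt.country != h.last_country:
        if attempt.ts - h.last_seen < timedelta(hours=2):
            score += 0.5  # "impossible travel": new country within two hours
        else:
            score += 0.2  # plausible travel, still worth a note
    score += 0.05 * min(attempt.failed_last_hour, 5)  # guessing activity, capped
    if attempt.via_recovery:
        score += 0.3  # the recovery path is the one fraudsters route around the device
    return min(score, 1.0)


def decide(attempt: Attempt, history: dict, low: float = 0.3, high: float = 0.7) -> str:
    """Map the score to an action. Recovery never gets a silent 'allow'."""
    score = risk_score(attempt, history)
    if score >= high:
        return "block"
    if score >= low or attempt.via_recovery:
        return "step_up"  # ask for the device-held factor
    return "allow"


# Constructed history: alice normally logs in from one device in the US.
HISTORY = {"alice": UserHistory({"dev-a1"}, "US", datetime(2013, 1, 10, 9, 0))}
NOON = datetime(2013, 1, 10, 12, 0)

SAMPLE_ATTEMPTS = {
    "usual": Attempt("alice", "dev-a1", "US", NOON),
    "new_device": Attempt("alice", "dev-x9", "US", NOON),
    "impossible_travel": Attempt("alice", "dev-x9", "BR", datetime(2013, 1, 10, 10, 0)),
    "recovery": Attempt("alice", "dev-a1", "US", NOON, via_recovery=True),
    "few_failures": Attempt("alice", "dev-a1", "US", NOON, failed_last_hour=3),
    "unknown_user": Attempt("bob", "dev-b2", "US", NOON),
}


def run_samples() -> dict:
    """Decision for each constructed attempt, keyed by its label."""
    return {name: decide(a, HISTORY) for name, a in SAMPLE_ATTEMPTS.items()}


if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{name:18s} -> {action}")
```

The point of the toy is the shape of the decision, not the numbers: the routine case costs the user nothing, the device factor is demanded only when the evidence warrants it, and the recovery path is always treated as the risky one rather than as a free bypass of the secured device.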

2 thoughts on “PayPal, Lenovo and killing the password”

    1. Ohad (post author)

      I agree. Still, following a pretty nasty hack I’m using 2FA on all my important accounts. It’s just an added step that indeed adds security if you know how to use it. You just can’t impose it on the whole population.
