Consumers reportedly dissatisfied with online security

Passwords are not enough, study says

The results of a survey conducted by Gartner and shared with IDG News Service show that online consumers are growing frustrated with the lack of security provided by banks and online retailers, and feel that passwords are no longer sufficient to secure their online transactions.

The findings are the latest conclusions drawn from a survey of 5,000 adult Internet users, which concluded in April and show that online consumers want providers to offer more than just passwords to protect online accounts, and that concerns about a lack of security may be hampering the growth of online commerce, according to Avivah Litan, a vice president and research director at Gartner.

According to the data, almost 60 percent of those surveyed by Gartner said they are concerned or very concerned about online security. Even more important for online retailers: Over 80 percent of those surveyed said they would buy more from an online vendor who offered them more than just a user name and password to protect their accounts, she said.

"The data shows that consumers want more than passwords," she said. However, there are limits to how far consumers will go to secure their online activities, Litan said.

When asked to choose among technologies to supplement password protections, respondents gave high ratings to low-tech options such as challenge and response features that ask shoppers to provide responses to tailored questions, or shared secret technology that displays shopper-selected images on Web pages to prove the authenticity of e-commerce Web sites. More complicated solutions like security software downloads or so-called "multifactor authentication" that couple smart cards or USB (Universal Serial Bus) tokens with user names and passwords were less popular, Litan said.

The most popular choice for fixing the security of online shopping and banking sites is for providers to be made legally responsible for strict security measures, she said. Also, those surveyed by Gartner indicated that they want the choice of using stronger authentication, but do not want to be forced to use it.

"Our data shows that consumers think the system is easy to use, but they want something that gives them added protection," she said.

Banks and online retailers in the U.S. have lagged behind their counterparts in the European Union and Asia in using strong authentication to secure online transactions, including smart card technology and one-time passwords, she said.

Gartner predicts that by the end of 2007, more than 60 percent of banks in the U.S., but fewer than 20 percent of banks worldwide, will rely on simple passwords for retail customer authentication.

But that may change, especially as retailers and banks contend with a wave of sophisticated online scams known as "phishing attacks" that lure customers to phony Web sites and steal their account and financial information, she said.

Recently, U.S. Bancorp. said that it will use a hardware-token based authentication service from VeriSign Inc. to secure access to commercial banking services for its customers, and may soon introduce a similar service for consumer banking customers.

"We're getting more calls from banks and other providers that are looking to protect their customers and give them added security. They're worried that consumers are losing confidence in the online channel," she said.

Gartner will publish a research note on consumer authentication options in the near future, Litan said.