Consumers are tired of overly complicated password-based security that frequently blocks them from buying things online or signing up for services, according to a new Ponemon report.

Over 60 percent of consumers told the Ponemon Institute they would rather have a single multi-purpose identity credential to verify their identity instead of dealing with multiple usernames and passwords with different rules for each site, Larry Ponemon, founder of the Ponemon Institute, told SecurityWatch. The "Moving Beyond Passwords: Consumer Attitudes on Online Authentication" report examined how consumers in the United States, United Kingdom, and Germany viewed existing authentication schemes and their willingness to use other methods even if they require a bit more work to use.

Around 70 percent of the respondents felt that a single multi-purpose identity credential would be more convenient than the current password/username system and 46 percent said it would be more secure. There were some geographic differences in what form the multi-purpose credentials would take, with U.S. consumers preferring to use their mobile devices, U.K. users leaning towards smart cards and other identity cards, and the German users looking towards biometric devices, Ponemon said.

"The good news is that there is a new sense of willingness to try emerging technologies and more complex identity verification systems to fix this broken system," said Ponemon.

Something Better than Passwords

The survey results suggest that Internet consumers are much more savvy and aware of online security than the security industry currently gives them credit for, Philip Dunkelberger, CEO and founder of security company Nok Nok Labs, told SecurityWatch. There are plenty of options, including biometrics, tokens, and smartcards, just to name a few, and the consumer is willing to try them if they were made available and trusted, he pointed out.

More than 60 percent of respondents said they've been locked out of Internet sites because they forgot the password, the username, or the answer to the password hint question. Half also said many sites and services took too long to reset the login credentials. Nearly 70 percent of U.S. and U.K. respondents complained that passwords are too long or too complex.

"It’s time we evolved our thinking about how businesses authenticate their customers," Dunkelberger said.

Respondents are becoming much more security savvy, Ponemon said. According to the report, about 46 percent of U.S. users distrusted systems or websites that relied only on passwords for security. That number jumped to 65 percent among Germans. About 46 percent of U.S. users and 61 percent in Germany avoided using websites that they considered to have "easy identity and authorization procedures," Ponemon said.

"What users are saying is, 'Hey, we get enough about security now that we think there should be more than just a username and password around some of the things we do,'" said Dunkelberger.

Users said financial institutions, such as banks and credit card and Internet payment providers, had the best online validation mechanisms in place. Most respondents are comfortable with using biometrics, and believe it is acceptable for trusted organizations, such as banks, credit card companies, health care providers, and governmental organizations, to use voice or fingerprints to verify their identity, the report found.

At SecurityWatch, we've said time and again how passwords need to be strong and complex, and why we should avoid reusing passwords across several services. While it would be nice to see biometrics gain traction, such as EyeVerify and HeartID, we can't really leave passwords behind yet. If you need help keeping track of your password collection, it's time to look into a password manager such as LastPass.
