Web Informant #136, 5 January 1999:
Perplexed with PINs

http://www.strom.com/awards/136.html

This past holiday season I managed to work in a bit of surfing, and I uncovered an irritating new trend in the process. Personal Identification Numbers, or PINs, once the sole province of banks and phone cards, are being used on way too many web sites. Let me explain.

I wanted to change my primary care physician. Traditionally, I would dial my HMO (Oxford), press various keys to navigate its telephone system, wait on hold until a human finally answered, and then ask him or her to recite the list of local doctors. But this time I decided to view the list on Oxford's web site instead, thinking it would be faster. The trouble was, Oxford required me to create a PIN to authenticate my account.

Next I wanted to check the balance of my American Airlines frequent flyer account. I tried calling the airline, but with thousands of travelers stranded during this week's storm, I had trouble getting through. So I got on American's web site, only to encounter another PIN.

Finally, I hit the same obstacle when I tried to navigate Scudder's phone system to transfer funds between accounts. With all these PINs piling up, I started imagining all sorts of problems. I'd need special software to track them all. I'd have to store them on disk or on paper. I could try to standardize on the exact same sequence of digits rather than try to remember them all. It might even be easier to create a new account than try to recall which PIN I used to set things up.

Okay, okay. I know all about security and understand why these PINs are necessary. I don't want random surfers accessing my medical records, executing trades without my approval, or redeeming my hard-earned frequent flyer miles. But PINs are painful when you need to do business quickly on the web and have never visited the site before. As an existing customer, I should be able to establish my identity quickly. If I wanted to waste time I'd still be on hold on the phone.

To understand why I found this experience so bothersome, let's take a look at how the three sites mentioned above handle PIN setup.

Oxford lets you obtain a PIN immediately if you have never had one. All you need are a few personal details (social security number, birthdate, member number) and you've got a temporary PIN that you can change later and which gives you full access to the site's features.

Not so on American Airlines' site. Although you can create a temporary PIN, you can't access your mileage account online with it. For that, you'll have to wait until they mail you the PIN via the US Postal Service. Curiously, I can call American on the phone and get this information with nothing more than my account number. Why do I have to wait on mail delivery to prove my identity over the web?

American isn't alone. United also sends you a PIN via post. Delta Airlines handles PIN setup best, letting you create a PIN with just an account number and a zip code. Scudder, in turn, offers detailed instructions on creating PINs on its customer statements. Unfortunately, I didn't read the instructions carefully and ended up calling them during business hours to get help when it came time to transfer funds.

All this is more trouble than necessary. There is a simple solution to the proliferation of PINs: it's called cookies.

I am a big fan of cookies. Unlike some nay-sayers that talk about compromising privacy, I love the convenience, the simplicity, the usefulness, the time saved, the sheer joy of those little files littering my hard disk. Do I worry about my privacy with cookies? Not for a nanosecond. Here is something I wrote a long time ago about cookies that's still relevant.

Look at what some of the better sites, such as Amazon.com and Yahoo do. They set up your identity in a cookie. Provided you use the same machine and same browser to come back to their site, they greet you by name and are ready to do business with you from the first screen forward. What a concept. No PINs to track. No hassles. Just usability at its best.
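What "setting up your identity in a cookie" involves on the server side, as an added illustration that is not code from Amazon.com, Yahoo or any site named in this column: the site issues a token naming the customer, signs it so that it cannot be edited or forged, gives it an expiry, and checks all of that on the next visit before greeting anyone by name. The signing scheme (HMAC-SHA256), the server secret and the customer id are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side secret for the example; a real site would load it
# from protected configuration rather than hard-code it.
SERVER_SECRET = b"example-server-secret-do-not-reuse"
COOKIE_NAME = "identity"


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the payload, base64url without padding."""
    mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_identity_cookie(customer_id: str, lifetime_seconds: int,
                          now: Optional[float] = None) -> str:
    """Return a Set-Cookie header value that recognises a returning customer."""
    now = time.time() if now is None else now
    expires_at = int(now + lifetime_seconds)
    nonce = secrets.token_hex(8)  # makes each issued token distinct
    payload = f"{customer_id}|{expires_at}|{nonce}".encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    token = f"{body}.{_sign(payload)}"
    # Secure/HttpOnly/SameSite limit where and how the browser sends it back.
    return (f"{COOKIE_NAME}={token}; Max-Age={lifetime_seconds}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


def verify_identity_cookie(cookie_header: str,
                           now: Optional[float] = None) -> Optional[str]:
    """Return the customer id if the cookie is intact and unexpired, else None."""
    now = time.time() if now is None else now
    cookies = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    token = cookies.get(COOKIE_NAME)
    if not token or "." not in token:
        return None
    body, sig = token.rsplit(".", 1)
    try:
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except ValueError:
        return None
    # Constant-time comparison: a forged or edited token fails here.
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    try:
        customer_id, expires_at, _nonce = payload.decode().split("|")
    except ValueError:
        return None
    if now >= int(expires_at):
        return None
    return customer_id


if __name__ == "__main__":
    header = issue_identity_cookie("customer-42", 3600)
    print(header)
    print(verify_identity_cookie(header.split(";")[0]))  # customer-42
```

Note what the signature does and does not prove: a valid token shows that this browser was handed the token earlier, not that the person at the keyboard is the customer, which is exactly the shared-machine problem the Coda below raises.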

My recommendation: if you come across a site that requires PINs, make your feelings known via plenty of email to the webmaster. Get them to either make it easier to obtain a PIN (like Delta does) or banish PINs entirely and switch to cookies for authenticating you, the customer. Otherwise, we all might take our business elsewhere.

Coda

Since writing this essay, I have become convinced that I am on the wrong track. Cookies only work if you have exclusive access to your PC: the moment you share it or use a public machine, cookies are more bother than benefit.

So what should you do? One suggestion is to use one of the various password container programs to keep track of your passwords. Examples abound (just search www.shareware.com for "password"), including Password Manager and Password Keeper. My favorite so far is Password Pro, which can be downloaded for free. It is a Windows program and can store the actual URLs along with the passwords for the web pages. A $25 Macintosh shareware alternative is Web Confidential. If you have Quicken99, it includes this ability to store passwords.

An alternative to these password collectors is to use an experimental site from Lucent. Called the Lucent Personalized Web Assistant, it computes usernames, passwords, and e-mail addresses on the user's behalf for sites that require registration. Think of it as a password proxy server, which is basically how it operates. Unlike the collectors, there is no software to download to your hard disk, just a small change in your browser configuration to connect to the proxy.
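The password-proxy idea above, as an added illustration that is not Lucent's code and does not claim to reproduce the Lucent Personalized Web Assistant's actual algorithm: one master secret plus the site's name deterministically yields a username, password and e-mail alias for that site, so nothing has to be stored and the proxy can fill them in on the user's behalf. The derivation (HMAC-SHA256 keyed with the master secret over a purpose label and the site name), the placeholder strings a user would type into a form, the example.org mail domain and the sample secret are all assumptions made for the example.

```python
import base64
import hashlib
import hmac

# Assumed placeholder strings a user types into a registration form; the proxy
# replaces them with the derived values before the form reaches the site.
PLACEHOLDERS = {"\\u": "username", "\\p": "password", "\\@": "email"}


def derive_site_credentials(master_secret: str, site: str,
                            mail_domain: str = "example.org") -> dict:
    """Derive per-site credentials from one master secret (illustrative scheme).

    The same secret and site always give the same result, so the proxy needs
    no database; different sites give unrelated results, so one site learning
    its credentials learns nothing about another.
    """
    site = site.strip().lower()  # normalise so "Site" and "site " match
    key = master_secret.encode()

    def tag(purpose: str) -> bytes:
        return hmac.new(key, f"{purpose}:{site}".encode(), hashlib.sha256).digest()

    # Username: 8 bytes of MAC output as lowercase base32 (13 chars, letters/digits).
    username = base64.b32encode(tag("user")[:8]).decode().rstrip("=").lower()
    # Password: 15 bytes of MAC output as base64url (20 chars, no padding needed).
    password = base64.urlsafe_b64encode(tag("pass")[:15]).decode()
    email = f"{username}@{mail_domain}"
    return {"username": username, "password": password, "email": email}


def fill_form(fields: dict, master_secret: str, site: str) -> dict:
    """Substitute placeholders in submitted form fields, as a proxy sitting
    between browser and site would; other fields pass through unchanged."""
    creds = derive_site_credentials(master_secret, site)
    return {name: creds[PLACEHOLDERS[value]] if value in PLACEHOLDERS else value
            for name, value in fields.items()}


if __name__ == "__main__":
    # Constructed sample: a master secret and a form for a made-up airline site.
    secret = "correct horse battery staple"
    form = {"login": "\\u", "pwd": "\\p", "mail": "\\@", "zip": "11050"}
    print(fill_form(form, secret, "frequentflyer.airline.example"))
```

The master secret itself never leaves the proxy; each site only ever sees the values derived for it, which is what makes the approach different from a password collector that stores the real secrets on disk.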

If you are still interested in cookies, one tool that gives you better control over which sites you allow to send them to you is Cookie Pal.

Finally, there is Compuserve's solution called Remote Passphrase Authentication (RPA). It currently works only with NT/IIS and Solaris Netscape web servers. There is a good explanation of the problem here on their site.

David Strom
david@strom.com
+1 (516) 944-3407
entire contents copyright 1999 by David Strom, Inc.
Web Informant® is a registered trademark with the U.S. Patent and Trademark Office