Anticipating The Future of User Account Access Sharing

Roughly one in three teens share passwords as expressions of trust, much like giving out school locker combinations. Adults also share credentials for practical reasons—Netflix accounts, admin passwords, family email. Future tools will need to support shared access with privacy and auditability features.

We might learn what the future holds for information technology by observing how teens use IT. After all, a decade or so from now, today’s teenagers will be consuming, influencing and creating a significant portion of IT products and services. In this note I’d like to consider how today’s use of shared user accounts among teens might influence our future access restriction practices.

User Account Access-Sharing Among Teens

A New York Times article by Matt Richtel discussed teens’ customs of “sharing their passwords to e-mail, Facebook and other accounts. Boyfriends and girlfriends sometimes even create identical passwords, and let each other read their private e-mails and texts.” Exchanging something as intimate as logon credentials is a way of expressing affection for each other, Matt explains. This is also a way of expressing trust for each other, because of the potential for the person misusing access if the relationship goes sour.

The article references Sam Biddle from Gizmodo, who called password-sharing

“a lynchpin of intimacy in the 21st century.”

In a blog posting on this topic, danah boyd, who researches teenagers’ social media use, likened access sharing among teens to giving out one’s school locker combination to friends. She also referenced a study by Pew Internet & American Life Project, which found that “roughly one in three online teens (30%) reports sharing one of their passwords with a friend, boyfriend, or girlfriend.”

Such practices are the result of “parental online safety norms,” says danah. She elaborated:

“With elementary and middle school youth, this is often a practical matter: children lose their passwords pretty quickly. Furthermore, most parents reasonably believe that young children should be supervised online. As tweens turn into teens, the narrative shifts. Some parents continue to require passwords be forked over.”

User Account Access Sharing Among Adults

In reality, adults frequently share user account access as well, though our practices are tinted by the guilt of violating modern societal norms and corporate security policies:

• You might give our colleague a password to the accounting system, so she can perform business-critical duties while you’re on vacation.
• You might store shared Administrator account password in a spreadsheet on the internal IT team SharePoint site.
• You might borrow your spouse’s iPhone when running out for an errand, because you cannot find your own in the rush to leave.
• You might allow your friend to login to your Netflix account to share the joy of legal Internet movie streaming.
• You might be privy to our parents’ email account passwords, so you may help make sense of the data overwhelming their inboxes.

Implications for the Future of Information Access

Societal norms are continuing to adjust, as information systems gain a more profound presence in our lives. Teens are at the forefront of this change, because they have grown up in the world where computers, mobile devices and the Internet is everywhere. Their account-sharing practices, when compared to the limited but still significant sharing among adults, suggest that we’ll become more accepting of sharing account access.

What does this mean for information technology and security professionals? Nothing for the short-term horizon, as these changes will be gradual. But there will be an increasing need for tools, applications and policies that support shared access in a way that somehow provides an element of privacy or auditability. Here are a few examples of what we have today to illustrate that we are already moving in that direction:

• Gmail allows its users to delegate access to their email accounts.
• HTC’s Sense phone supports Guest Mode, which restricts “what can be accessed if someone else is browsing their device.”
• Several password vault products support shared access to logon credentials in an enterprise environment.
• Facebook allows its users to recover forgotten passwords with the help of their friends.

What form will shared access controls take ten years from now? I don’t know, but I bet it will be more more elaborate and sophisticated than what we have today.