The End of Passwords? |
Passwords were never a great idea. According to one account, the first computer passwords were used in 1963. According to another one, the first theft of passwords happened in 1962. That could almost be true. They’ve never been an especially good way to protect accounts. If you use a password you can remember, somebody else can guess it. If you use a really strong one, you have to write it down, and they you can lose it or somebody can steal it. When you need passwords for fifty different accounts, the situation really gets hopeless. Will future technology give us a better approach?
Two-factor authentication helps some. It assumes your password isn’t secure, so it asks for something else as well. Maybe it texts your cell phone with a code, or maybe it checks your eyes or fingerprints. But if a system doesn’t trust your password, why use it at all? In ten years, passwords may be as obsolete as rotary phones — or maybe not. There are more trustworthy ways to verify who you are, but they have their own problems.
Biometrics, the identification of some part of your body, are more promising. Checking your thumbprint or face can identify you reliably, and the technology is constantly improving. Iris recognition is an especially promising technology. Getting an image of your eye’s iris with a camera isn’t intrusive, and it won’t change much over time. Recognition software can verify that it’s looking at a live person and not a photograph.
For biometric recognition to become universal, the hardware has to be universal. Cameras are becoming standard on more and more devices, but they have to be able to zoom in close to get an iris scan. We aren’t there yet.
Any system that checks “who you are” rather than “what you know” will run into problems in some situations. Sometimes you want to be anonymous on the Internet but still protect your account. People will be concerned that if every site they visit knows who they are, the sites will trade information back and forth, and they’ll have no privacy at all. Knowledgeable people have declared biometrics “a grave threat to privacy.” You can change your password, but you can’t change your eyes.
A more private alternative. in spite of its name, is public-key authentication. You use this all the time for secure Internet connections, even though you don’t notice it. This approach creates two long binary keys for an identity. One belongs just to the person who owns it, and no one else should ever see it. The other is freely available, and serves to verify that a message comes from someone who has access to the private key. The private key, unlike a password, is never sent to the server. This is a strong method of authentication, even more reliable than biometric scans.
It has a portability problem, though. People want to be able to sign in from anywhere. They can do this only if they carry something, such as a USB stick, which has their private key on it, and then they could lose it. Even on someone’s home computer, it’s an easy target for malware to grab. Usually it’s protected by a password, but then we’re back to protection which is no stronger than the password. Besides, there are a lot of devices you can’t plug a USB stick into.
The combination of a cell phone application and a private key might offer a useful answer. If the key is stored in a way that’s accessible only to a trusted application, it could provide confirmation of any authentication attempt. If done right, it would be very difficult to steal the key from the phone. The problem is that if you lose the phone, you’ve lost all your access.
Passwords are a bad solution, but we may be stuck with them for a while, We can expect to see biometrics become a bigger factor, especially for high-value accounts such as online banking. Until someone comes up with a method of authentication that’s both private and secure, all choices will have problems.