Disruptive Competition Project


Forget the Password: Time to Bring Authentication to the 21st Century

The password should have been on its way to obsolescence decades ago, yet it continues to be the main mechanism of authentication — an outdated tool that is still necessary for innovative new devices, services, and apps. Fortunately, several new research projects were announced this week to work toward fixing inherent problems with passwords.

For decades, alphanumeric passwords have been used to protect online identities and information, coupled with what is generally a reused username or email address. There are best practices for making “strong passwords” that cannot easily be guessed (see also the classic XKCD comic on password strength), but even these are not immune to hacking, or to being subverted through “social engineering” of a company representative, thanks to the public availability of most of the personal data required for an account’s associated security questions. For more on this phenomenon, Mat Honan’s stories in Wired about being hacked, and then calling for the death of the password, are a must-read series.

Fortunately, authentication mechanisms are finally being brought into the 21st century.  On Tuesday, several new password initiatives were announced:  the private FIDO Alliance (short for Fast IDentity Online), and a new public program from DARPA (the Defense Advanced Research Projects Agency) called the Active Authentication program.  They both seek to take advantage of innovation in multiple forms of authentication, including various types of biometrics.  DARPA has been researching and developing tools for protecting desktops, and is now additionally expanding its efforts to build solutions for mobile devices, “using biometrics to secure mobile devices using apps, sensors and other resources unique to these platforms.”  FIDO is an alliance among Internet companies, system integrators, and security providers to encourage interoperability:

The FIDO Alliance plans to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services. This new standard for security devices and browser plugins will allow any website or cloud application to interface with a broad variety of existing and future FIDO-enabled devices that the user has for online security.

Until passwords are replaced, one important practice is to add (at least) another level of authentication by requiring more than just a single password to access a service; for example, you enter a password and then a second code is texted to your phone for you to enter. Certain services already allow this, and you should go turn on two-factor authentication for every service that has it — your email, your bank, your cloud storage, etc.

Authentication mechanisms are increasingly taking advantage of the many ways people can be identified and distinguished: biometrics that scan body parts like eyes or fingerprints, patterns of interaction with technology like how you type, and also more advanced behavioral and cognitive biometrics like semantic and linguistic recognition technology.  There are also physical token-based authentication devices (read: basically a real life secret decoder ring).

Other researchers and commentators have recognized flaws with the current username-and-password system, and the importance of innovation in these areas for users and for the people who develop the products. Just as companies can compete based on their terms of service and privacy policies, companies can compete on the level of security they promise users. It’s yet another area where companies can distinguish themselves through innovative approaches.
