Forget the Password: Time to Bring Authentication to the 21st Century
The password should have been on its way to obsolescence decades ago, yet it remains the main mechanism of authentication: an outdated tool that innovative new devices, services, and apps still depend on. Fortunately, new initiatives announced this week aim to fix the inherent problems with passwords.
For decades, alphanumeric passwords have been used to protect online identities and information, coupled with a username or email address that is generally reused across services. There are best practices for creating “strong passwords” that cannot easily be guessed (see also the classic XKCD comic on password strength), but even a strong password is not impenetrable: it can be cracked outright, or bypassed entirely by “social engineering” a company’s support representative into resetting the account, which works because most of the personal data behind an account’s security questions is publicly available. For more on this phenomenon, Mat Honan’s stories in Wired about being hacked, and then calling for the death of the password, are a must-read series.
Fortunately, authentication mechanisms are finally being brought into the 21st century. On Tuesday, two new authentication initiatives were announced: the private FIDO Alliance (short for Fast IDentity Online), and a new public program from DARPA (the Defense Advanced Research Projects Agency) called the Active Authentication program. Both seek to take advantage of innovation in multiple forms of authentication, including various types of biometrics. DARPA has been researching and developing tools for protecting desktops, and is now expanding its efforts to build solutions for mobile devices, “using biometrics to secure mobile devices using apps, sensors and other resources unique to these platforms.” FIDO is an alliance among Internet companies, system integrators, and security providers to encourage interoperability:
The FIDO Alliance plans to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services. This new standard for security devices and browser plugins will allow any website or cloud application to interface with a broad variety of existing and future FIDO-enabled devices that the user has for online security.
Until passwords are replaced, one important practice is to add (at least) one more level of authentication, so that a single password is not enough to get into a service: for example, you enter a password and then must also enter a second, one-time code that is texted to your phone (or generated by an authenticator app on the phone, which is preferable to SMS because the code never has to travel over the phone network). Many services already offer this, and you should go turn on two-factor authentication for every service that has it: your email, your bank, your cloud storage, etc.
Authentication mechanisms are increasingly taking advantage of the many ways people can be identified and distinguished: biometrics that scan body parts like eyes or fingerprints, patterns of interaction with technology like your typing rhythm, and more advanced behavioral and cognitive biometrics like semantic and linguistic recognition technology. There are also physical token-based authentication devices (read: basically a real-life secret decoder ring).
Other researchers and commentators have recognized flaws in the current username-and-password system, and the importance of innovation in this area both for users and for the people who develop the products. Just as companies can compete on their terms of service and privacy policies, they can compete on the level of security they promise users. It is yet another area where companies can distinguish themselves through innovative approaches.