Learning Center

// -->

Password-Less Authentication

We all know passwords are broken. We all also know that even though we shouldn't, we use the same easy-to-remember passwords for pretty much everything that needs a password.

You may be slightly more sophisticated and use a password generator like 1Password which makes creating and remembering unique passwords easy.

Even then, though, they can be guessed, cracked by brute force, stolen with a key logger or reset completely by a social engineering hacker conning a company’s technical support department.

Even the best passwords can easily be overcome. We know this because we all watched the John Oliver and Edward Snowden interview where they talked about how "Bad passwords are one of the easiest way to compromise a system – for somebody who has a very common 8 character password – it can literally take less than a second for a computer to go through the possibilities and pull that password out."

You have to imagine that Edward Snowden being a former CIA contractor knows all about these kinds of things.

When security consultant Mark Burnett compiled a list of the 10,000 most common passwords based on easily available sources (like passwords dumped online by hackers and simple Google searches), he found the number one password people used was, yes, "password."

The second most popular? The number 123456. Even after being told for years that we should not, we all still use lousy, predictable passwords.

It is common these days to come across two-factor authentication when using Gmail or Facebook. This usually involves registering a mobile device, and adds another step to the authentication process, reducing the chance of an unauthorized person accessing your accounts.

But of course, most people turn this off because it's far too annoying and frequently stops the account owner from accessing their account if they do not have their mobile handy.

If you are really paranoid about protecting your customer accounts, you can offer multifactor authentication with tokens and dongles, which do keep things much more secure than a password alone.

But for a lot of small businesses, the cost of implementing this kind of security can be prohibitive, and many small businesses prefer to rely on security through obfuscation, which is not sensible at all anymore in this day and age.

There is certainly lots of passwordless alternatives on the horizon and fingerprint-based authentication has been around for years. Perhaps the most high-profile example of password-less authentication is the Touch ID fingerprint recognition system for iPhones, introduced with the iPhone 5S in 2013.

In addition to fingerprint-based authentication, many smartphones now support authentication via voice recognition and iris or facial scans, but we still have not seen these become a common enough standard that they allow you to open your Gmail or Facebook account by winking at the screen, which is a huge shame because I would quite like to wink at the screen and have it fill out the username and password box for me.

You will be happy to learn that it seems mankind (Intel, Google and Facebook anyway) is declaring war on the password and seems determined to vanquish it at long last, but do not hold your breath because passwords are never going away, they will just become one of the ways we access our online accounts in conjunction with another physical means of authenticating who we are.

Intel for instance is working on an interesting authentication technology for consumers called True Key, which lets your PC or device recognize you by using multiple things unique to you, such as your phone, tablet or fingerprint to automatically log in to websites and applications. True Key just came out this January and is still in beta, so we are a long way off from our desktops PCs knowing it's us and logging us into Facebook.

Even when that moment does come, it is very unlikely that passwords will disappear completely. Whilst they suck for single factor authentication on their own, they are still a very handy way of providing a barrier between your digital life and strangers and even better when backed up by something else like an RSA token.

We are shortly about to usher in the age of injectable, embeddable and ingestable technologies, which are already being hailed as the future of identification for online purchases and transactions. Imagine PayPal sending you a pill once every six months that when ingested gives you the ability to log into your PayPal account without ever entering a password.

Or perhaps imagine your bank injecting you with a chip which lets you access your money at ATMs. Not so far fetched when you think about it and there is already a large online community dedicated to sub-dermal technology implants. The password-less future may not be far off.

Until then, here is an excellent Lifehacker article on "how to create a a secure password that you will actually remember." I think you will need it for a while longer.