How To Make Passwords Obsolete
Why do we still rely on the human-memorized password for authentication? Here are seven alternatives worth considering.
We've all complained about passwords for years, yet very little has changed. If you had asked me five years ago about the future of the username and password authentication mechanism, I would have proclaimed that the practice would be long dead by now. And I would have been wrong.
That raises two questions: Why do we still rely on the human-memorized password for authentication, and what methods are out there that could finally render it obsolete?
Below, we'll talk about seven of the top password alternatives. Some of these methods, such as fingerprint and facial recognition, have been around for a while, but are being implemented in new areas. Other forms of authentication leverage the popularity of social networking, using our Facebook or Twitter accounts to let us access other applications on the Internet. Still others let us use our smartphones as an authentication mechanism. Whether through the use of geolocation identification, NFC/Bluetooth transmissions, or other app-based authentication, smartphones and other smart devices can act as a set of virtual house keys that grant us access to all of our protected digital assets.
In order for many of the authentication methods presented here to work, there needs to be a change in philosophy in terms of what levels of security are needed. Risk levels need to be determined on a per-application and per-authorization level. If risk levels are low, perhaps a simplified authentication method will suffice. When risk levels are high, by all means lock it down like Fort Knox.
The point is that the password is no longer the best way to authenticate users. Now, it's a matter of choosing the right authentication method for your system or application and implementing the authentication tool that best suits your needs. Check out these promising authentication methods, and tell us in the comments section below whether you think any of them can actually replace the password.
The ability to be identified within a particular geographical area using geolocation or inside the boundaries of a defined trusted area using RFID could one day be used for authentication of all types. This approach combines the "something you have" possession factor of a smartphone with a "somewhere you are" factor, which may be sufficient for many authentication scenarios.
One-time passwords (OTP) have been around for a while. This authentication method requires the user to log in to receive a unique, one-time password, typically through a text message that's sent to a phone number the user has registered to the application. The user then enters the OTP as a second authentication step. Only after authenticating twice will the user have access to the application. At SXSW 2015, Yahoo announced that it is eliminating the first step of the process, effectively eliminating the need to remember any kind of password. Instead, once the account is set up with an authorized device, the user will be able to request the OTP without the need to enter a primary password.
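The server side of the SMS-style flow just described, as an added example in Go (it is not code from the article, from Yahoo, or from any SMS gateway): a code is generated with a cryptographic random source, only its hash is stored, and it is rejected once it has been used, once it has expired, or after a few wrong guesses. The phone number, lifetime and attempt budget are constructed values; the clock is injectable so the expiry path can be exercised offline.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Tunables; constructed for this example, not taken from any product.
const (
	otpDigits      = 6
	otpLifetime    = 5 * time.Minute
	otpMaxAttempts = 3
)

var (
	ErrNoCode      = errors.New("no pending code for this number")
	ErrExpired     = errors.New("code expired")
	ErrTooMany     = errors.New("too many failed attempts")
	ErrCodeInvalid = errors.New("code invalid")
)

type otpRecord struct {
	hash     [32]byte // sha256(phone ":" code); the code itself is never stored
	expires  time.Time
	attempts int
}

// OTPStore holds at most one pending code per registered phone number.
type OTPStore struct {
	pending map[string]otpRecord
	now     func() time.Time // injectable clock so expiry can be tested
}

func NewOTPStore() *OTPStore {
	return &OTPStore{pending: map[string]otpRecord{}, now: time.Now}
}

// Issue generates a fresh numeric code, records its hash and expiry, and
// returns the code for delivery (here: to whatever sends the text message).
// Issuing again replaces any earlier code for the same number.
func (s *OTPStore) Issue(phone string) (string, error) {
	limit := new(big.Int).Exp(big.NewInt(10), big.NewInt(otpDigits), nil)
	n, err := rand.Int(rand.Reader, limit) // crypto/rand, never math/rand
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%0*d", otpDigits, n.Int64())
	s.pending[phone] = otpRecord{
		hash:    sha256.Sum256([]byte(phone + ":" + code)),
		expires: s.now().Add(otpLifetime),
	}
	return code, nil
}

// Verify checks a submitted code. The record is deleted on success, on
// expiry, and when the attempt budget runs out, so a six-digit code cannot
// be brute-forced or replayed.
func (s *OTPStore) Verify(phone, code string) error {
	rec, ok := s.pending[phone]
	if !ok {
		return ErrNoCode
	}
	if s.now().After(rec.expires) {
		delete(s.pending, phone)
		return ErrExpired
	}
	got := sha256.Sum256([]byte(phone + ":" + code))
	if subtle.ConstantTimeCompare(got[:], rec.hash[:]) == 1 {
		delete(s.pending, phone) // single use
		return nil
	}
	rec.attempts++
	if rec.attempts >= otpMaxAttempts {
		delete(s.pending, phone)
		return ErrTooMany
	}
	s.pending[phone] = rec
	return ErrCodeInvalid
}

func main() {
	store := NewOTPStore()
	phone := "+15550100" // constructed sample number
	code, _ := store.Issue(phone)
	fmt.Println("deliver by SMS:", code)
	fmt.Println("correct code:", store.Verify(phone, code))
	fmt.Println("replayed code:", store.Verify(phone, code))
}
```

The hash is keyed with the phone number so a code issued to one number cannot be submitted for another, and the comparison is constant-time out of habit even though the attempt limit already bounds what timing could leak.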
The fact that desktop and notebook operating systems did a poor job of implementing alternatives like biometrics is one of the reasons it's been so difficult to find alternatives to the username/password authentication model. Mobile devices took a far more aggressive approach and many, if not most, new smartphones easily support biometric authentication of some sort right out of the box.
Sensing that biometrics are sufficient -- and mainstream enough -- for other devices, too, Microsoft reportedly spent a great deal of time and energy to incorporate Windows Hello into its Windows 10 operating system. According to the Windows blog: "Our system enables you to authenticate applications, enterprise content, and even certain online experiences without a password being stored on your device or in a network server at all." The biometrics mentioned include fingerprint, facial, and iris scanning recognition.
Near Field Communication (NFC) and Bluetooth Low Energy (BLE) are being considered as password alternatives. With the latest wireless smartphone technologies, it is conceivable that simply possessing a device would be considered credential enough to authenticate to other systems or applications. One major issue is the real potential for smartphones to be lost or stolen. But what if your NFC or BLE device were strapped to your wrist or even attached to your body?
In March, the Internet Engineering Task Force (IETF) posted RFC 7486, titled "HTTP Origin-Bound Authentication (HOBA)," which it touted as a true alternative to HTTP authentication that requires passwords. According to the document, the idea behind HOBA is to use digital certificates, similar to the digital certificates we use for authenticating to websites today. The difference, however, is that HOBA certificates are unique to each user, and they do not require user interaction to allow the browser to use the certificate or for users to authenticate with a username/password combination. All human authentication interaction is handled on initial registration. From then on, the uniquely created digital certificates handle authentication between the device and server.
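The shape of a HOBA-style login, as an added example in Go that is not code from the article, the IETF, or any HOBA implementation: the client creates a key pair at registration (the one step that still involves a human), the server later issues a random challenge, the client signs the challenge together with the origin it believes it is talking to, and the server verifies with the registered public key and consumes the challenge. This is a simplified illustration: Ed25519 and the `origin "\n" nonce` to-be-signed layout are assumptions for the example, not the signature algorithms or the exact to-be-signed structure RFC 7486 specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

var (
	ErrUnknownClient = errors.New("client not registered")
	ErrNoChallenge   = errors.New("no outstanding challenge")
	ErrBadSignature  = errors.New("signature did not verify")
)

// toBeSigned binds a signature to both the origin and the nonce, so a value
// signed for one site cannot be presented to another (the "origin-bound" idea).
// Layout is an assumption of this example, not the RFC's format.
func toBeSigned(origin string, nonce []byte) []byte {
	return []byte(origin + "\n" + base64.StdEncoding.EncodeToString(nonce))
}

// Server keeps the public key each client registered and at most one
// outstanding challenge per client.
type Server struct {
	origin     string
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer(origin string) *Server {
	return &Server{
		origin:     origin,
		keys:       map[string]ed25519.PublicKey{},
		challenges: map[string][]byte{},
	}
}

// Register is the enrolment step: the only point at which a human is involved.
func (s *Server) Register(clientID string, pub ed25519.PublicKey) {
	s.keys[clientID] = pub
}

// Challenge issues a fresh 32-byte random nonce for the client to sign.
func (s *Server) Challenge(clientID string) ([]byte, error) {
	if _, ok := s.keys[clientID]; !ok {
		return nil, ErrUnknownClient
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[clientID] = nonce
	return nonce, nil
}

// Authenticate verifies the signature over the pending challenge. The
// challenge is deleted before verification, so each nonce is usable once
// whether or not the signature is good.
func (s *Server) Authenticate(clientID string, sig []byte) error {
	pub, ok := s.keys[clientID]
	if !ok {
		return ErrUnknownClient
	}
	nonce, ok := s.challenges[clientID]
	if !ok {
		return ErrNoChallenge
	}
	delete(s.challenges, clientID)
	if !ed25519.Verify(pub, toBeSigned(s.origin, nonce), sig) {
		return ErrBadSignature
	}
	return nil
}

// Client holds the per-origin private key generated at registration.
type Client struct {
	priv ed25519.PrivateKey
}

func NewClient() (*Client, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{priv: priv}, nil
}

func (c *Client) PublicKey() ed25519.PublicKey {
	return c.priv.Public().(ed25519.PublicKey)
}

// Sign answers a challenge. The client inserts the origin it is connected to,
// so a challenge relayed from a different origin produces an unusable signature.
func (c *Client) Sign(origin string, nonce []byte) []byte {
	return ed25519.Sign(c.priv, toBeSigned(origin, nonce))
}

func main() {
	const origin = "https://example.test" // constructed origin
	srv := NewServer(origin)
	alice, _ := NewClient()
	srv.Register("alice", alice.PublicKey()) // one-time enrolment
	nonce, _ := srv.Challenge("alice")
	fmt.Println("login:", srv.Authenticate("alice", alice.Sign(origin, nonce)))
	fmt.Println("replay:", srv.Authenticate("alice", alice.Sign(origin, nonce)))
}
```

Two properties carry the weight here: the nonce makes every login a fresh signature, so nothing reusable travels over the wire, and the origin inside the signed data is what stops a signature collected by one site from being replayed to another.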
More of a concept than an authentication method, risk-based authentication is the idea that authentication security should be evaluated by risk. Only after a risk rating is assigned should the appropriate authentication method be determined.
This approach has merit, as password alternatives offer varying levels of security. For example, you're likely not going to allow users to access mission-critical business applications using Facebook accounts. But certain forms of biometrics or trusted environment authentication may be considered. It all boils down to the risk involved if the authentication method is compromised. Once you look at authentication in this way, you may find that there are relatively few uses that require sophisticated and hardened authentication.
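A small risk-based policy engine, as an added example in Go that is not code from the article or any product: it folds the "somewhere you are" signal from the geolocation/RFID section above (a trusted area checked with a haversine distance) together with resource sensitivity, device familiarity and the kind of operation into a risk score, maps the score to the assurance level the request must meet, and tells the caller whether to let the request through or require a step-up. The weights, thresholds and the sample geofence are constructed for the example; a real deployment would tune them per application.

```go
package main

import (
	"fmt"
	"math"
)

// Assurance is the strength of authentication a request must present.
// Which concrete method satisfies a level is a per-deployment decision;
// the comments give plausible mappings only.
type Assurance int

const (
	AssuranceLow    Assurance = iota // e.g. social login or device possession
	AssuranceMedium                  // e.g. OTP or platform biometric
	AssuranceHigh                    // e.g. hardware-bound key plus biometric
)

func (a Assurance) String() string {
	return [...]string{"low", "medium", "high"}[a]
}

// TrustedArea is a geofence: a centre point and a radius in metres.
type TrustedArea struct {
	Lat, Lon, RadiusM float64
}

// HaversineM returns the great-circle distance in metres between two points.
func HaversineM(lat1, lon1, lat2, lon2 float64) float64 {
	const earthRadiusM = 6371000.0
	toRad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat := toRad(lat2 - lat1)
	dLon := toRad(lon2 - lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(toRad(lat1))*math.Cos(toRad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusM * math.Asin(math.Sqrt(a))
}

func (t TrustedArea) Contains(lat, lon float64) bool {
	return HaversineM(t.Lat, t.Lon, lat, lon) <= t.RadiusM
}

// Request is what the server knows before choosing an authentication method.
type Request struct {
	Sensitivity int     // 0 public .. 3 mission-critical, fixed per application
	KnownDevice bool    // device previously enrolled for this user
	Lat, Lon    float64 // reported device location
	NewCountry  bool    // source differs from the user's recent history
	Writes      bool    // operation changes state rather than reading it
}

type Policy struct {
	Area TrustedArea
}

// RiskScore adds weighted signals. Weights are constructed for this example.
func (p Policy) RiskScore(r Request) int {
	score := r.Sensitivity * 3
	if !r.KnownDevice {
		score += 3
	}
	if !p.Area.Contains(r.Lat, r.Lon) {
		score += 2
	}
	if r.NewCountry {
		score += 4
	}
	if r.Writes {
		score += 1
	}
	return score
}

// Required maps a score to the assurance a request must meet.
func Required(score int) Assurance {
	switch {
	case score >= 10:
		return AssuranceHigh
	case score >= 5:
		return AssuranceMedium
	default:
		return AssuranceLow
	}
}

// Decide reports whether the presented assurance suffices and, if not, the
// level the user must step up to.
func (p Policy) Decide(r Request, presented Assurance) (ok bool, need Assurance) {
	need = Required(p.RiskScore(r))
	return presented >= need, need
}

func main() {
	// Constructed geofence: 500 m around a point in central London.
	p := Policy{Area: TrustedArea{Lat: 51.5, Lon: -0.12, RadiusM: 500}}
	inside := Request{Sensitivity: 0, KnownDevice: true, Lat: 51.501, Lon: -0.121}
	admin := Request{Sensitivity: 3, KnownDevice: false, Lat: 40.7, Lon: -74.0, NewCountry: true, Writes: true}
	ok, need := p.Decide(inside, AssuranceLow)
	fmt.Println("low-risk read from trusted area:", ok, need)
	ok, need = p.Decide(admin, AssuranceMedium)
	fmt.Println("admin write from unknown device abroad:", ok, need)
}
```

The point the article makes shows up in the numbers: most everyday requests score low and a possession or social factor is enough, while the score only climbs into the range that demands hardened authentication when sensitivity and anomalous context stack up.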
The technology is available to let us eliminate the password forever. The key will be in proper implementation of these authentication mechanisms so that we're choosing the right method for each job. If handled properly, we can finally put to rest our need to stick our multiple passwords on Post-it notes.