Passwords are dead, long live passwords

Passwords suck. Let’s not mince words here or beat around the bush. Everyone hates passwords, and they are right to do so. Passwords are the bane of our modern online existence. It’s no wonder that our collective ears perk up and we yearn to believe when we hear the phrase: password killer! Shut up and take my money!

In this article I’ll explain how we got to this awful place and how to make the best of it. I will then unveil a set of new technologies that are claiming to be “password killers” … and explain why we should avoid them at all costs. And finally, I’ll introduce you to a cute, fuzzy critter that just may save us all.

The password predicament

Let’s rewind a bit and review how we got here in the first place. As soon as we moved from the real world into cyberspace, we were confronted with a problem: how do we know you are who you say you are? This is the problem of authentication – finding a secure, robust way to verify your identity. Note, however, that this is not the same as figuring out who you are specifically. Cyberspace offers users anonymity (or at least the possibility of anonymity). While this isn’t usually the case for financial transactions (e.g., banking, shopping), in most cases you only need to establish some sort of alias for yourself that is not tied to your name, address, etc.

Identity is typically established by one or more of the following methods:

  • Something you know (password, PIN, answers to “secret questions”)
  • Something you are (fingerprint, iris, face)
  • Something you have (badge, photo ID, cell phone)

For most of the Internet era, the available methods of authentication in cyberspace were limited. The only input device that you could guarantee everyone had was a keyboard. So the most logical form of identification, catering to this least common denominator, was the password. And here we are.

For password-based systems to work well, users must have a different password for each account and each password must not be guessable. Unfortunately, the human brain is simply not up to this task – and so most people come up with 2-3 bad passwords and use them over and over again. Hackers know this and have developed automated tools that can crack the vast majority of human-created passwords within minutes or even seconds. They start by guessing common passwords and phrases, and then every combination of words in the dictionary, song lyrics, movie titles, sports teams, common names, dates, and so on – backward as well as forward, even with some letters replaced with numbers (zero for the letter “O”, etc.). Mere mortals just don’t stand a chance.

There exists a simple solution to this problem, however: a password manager. These helpful applications (like LastPass or 1Password) will not only remember and automatically enter all your passwords, they will help to generate ridiculously strong passwords for each and every account you have. However, despite the obvious utility of password managers, very few people use them (as few as 8% according to a report last year by Siber Systems).

Knowing how inept people are at creating good passwords, security-conscious companies and governments have started to require two forms of “ID” now, so-called “two-factor authentication”. This usually consists of a password along with a one-time numeric code, delivered to your smartphone via SMS or generated by a smartphone application. Even if the bad guys manage to guess your password, they still need to be in possession of your smartphone to access your account. This is the current gold standard and (when implemented correctly) can provide fairly robust security. Unfortunately, it still requires that dreaded password. And passwords still suck. Surely in this era of fabulously powerful computers, sophisticated audio and video processing, and ubiquitous smartphones chock full of sensors, we can come up with something better…

Enter the password killer!

Google, the maker of the Android operating system and the Nexus and Pixel lines of smartphones, believes that it’s finally done it: they believe they have created a technology that will finally “kill” the venerable password as a primary method of authentication. Using the aforementioned bevy of sensors in smartphones, they will be able to recognize you by using a combination of your face, your iris, your voice, your location, your typing speed and style, which apps you use and when you use them, and even how you walk. Taken all together, they will develop a “trust score” – a secret algorithm for determining how likely it is that you are you. This score will be made available to your phone apps, giving them the option of foregoing a password if they’re sufficiently sure who is holding the phone. Obviously, different apps may require different levels of confidence: while Jewel Mania may be loosey-goosey, Wells Fargo will likely be pretty strict (and rightly so).

You may be thinking: how cool is that?? No more passwords! It’ll just know it’s me! But let’s step back a moment… let’s consider what’s really going on here and examine the implications.

Google’s trust score system is one of several new “password killer” technologies on the horizon. Other examples include voice recognition from companies like Barclays Bank and a new Windows 10 facial recognition feature called Windows Hello. All of these technologies are based on some form of biometric data - that is, something you are (as opposed to something you know: passwords). What these systems are endeavoring to do is come up with some way - even multiple ways - to positively and robustly identify you. Using various sensors, these systems capture all sorts of data in order to develop a “biometric signature” for you, distilling your physical essence down to a digital representation. These signatures are then stored so that the system can use them to identify you in the future - comparing the current sensor data with the stored data and determining whether they match.

Password or user ID?

In my mind, there are three main problems with the biometric approach to authentication. First of all, at the most basic level, your biometric information represents more of a user name or user ID than a password - and a rather inflexible and frail user ID at that. On one hand, unless you’re willing to mutilate yourself, you can’t change these characteristics; on the other, what if your eyes, face, or fingers are disfigured in some sort of accident? Laryngitis or even a bad cold might make your voice unrecognizable. Even though you are still you, to these systems you no longer appear to be you. Also, you’re not joecool85 on this site and therealjsw on another site... you’re Joseph William Smith. Always. Everywhere.

Privacy and anonymity

Which brings us to the second problem: lack of anonymity and privacy. With biometric authentication, there’s no way to be anonymous and no way to disassociate or isolate your identity from one site to another. That is, you want to be able to interact with some web sites but not have them know specifically who you are (anonymity). You would also like your actions on that web site to be unknown to other people and other web sites (privacy). With biometric authentication, both are impossible. In this age of global terrorism, many people seem willing to give up online privacy because they believe it will help their government keep them safe. But privacy and anonymity are necessary - not just for democracy, but for humanity. This could be an entire book unto itself, but if you don’t believe this, I would refer you to this wonderful TED talk by Glenn Greenwald. For now, let’s just agree that biometric authentication disables both privacy and anonymity.

An excellent dramatization of this effect can be found in the movie Minority Report. In this movie, Tom Cruise’s character can’t walk around anywhere without being automatically recognized by ubiquitous monitoring systems. These aren’t just government surveillance systems, they’re corporate advertising systems that are just trying to “improve the customer experience”. In the name of targeting and tailoring their advertising, they feel they must know as much about you as possible - and recognize you wherever you go, physically or virtually. However, this is no longer science fiction - it’s actually happening.

Security

The final problem with the biometrics-based authentication system is that it’s not secure enough. No system can ever be 100% secure, and so engineering the security of a system is always about trading off cost and convenience against the consequences of failure. If a hacker breaks into Amazon.com and manages to steal all of their customers’ passwords, Amazon can simply invalidate all those lost passwords and force everyone to choose a new password. But how do you choose a new face, or fingerprint, or voice? Anything digital is easy to copy or steal, and can instantly be shared around the globe. Once this information is stolen, the cat is out of the bag, the genie is out of the bottle, the digital horse is out of the virtual barn. Game over. As just one example, hackers stole over 5 million digitized fingerprints from the US Office of Personnel Management last year. Those employees can never use any sort of fingerprint-based authentication for the rest of their lives.

But that’s just one aspect to the security problem. Your biometric qualities are readily observable by others - and it’s possible to copy them using the same types of sensors that were used to capture your digital signature in the first place. Facial recognition and iris scanning systems can be fooled by a photograph. Fingerprints can be copied from something you touched. Voice recognition systems can be fooled using snippets of recorded speech. Even as the recognition systems get better, so do the tools that can be used to fool them. Also, what’s to prevent you from being coerced or tricked into providing this biometric identifying information for some nefarious other person? You don’t have to be willing or even conscious to provide a fingerprint or face scan. If you want to get really grisly, some of your physical attributes are actually capable of being stolen (Demolition Man, anyone?).

Honestly, we’ve only scratched the surface of the problems. Who owns your biometric signatures? Where and how is this information stored? Who is allowed to access this data and what control do you have over this access? For what other purposes can this information be used? Once you opt in to this system, is there any meaningful way to opt back out?

There is still hope

While the current system of passwords and two-factor authentication is extremely painful, I’m here to tell you: biometric authentication is not the answer. And it appears that people may already realize this.

However, there are some other promising solutions. For example, a new authentication system called SQRL (pronounced “squirrel”) allows you to prove your identity to a web site using a clever challenge and response technique that only requires the user to click on an image or scan a QR code with their smartphone camera. There’s nothing for the user to enter, and therefore there’s nothing that the user has to remember. That also means that there’s nothing that the web site needs to try to store that could be stolen by hackers. And just to put the icing on the cake, you have a unique and ‘faceless’ identity for every web site - preserving your anonymity on that site, and protecting your privacy on all the others.
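To make the SQRL idea concrete, here is an added Python model (not SQRL’s own code and not part of the original article) of the three properties described above: one master key that never leaves the client, a different key pair derived for every web site from its domain name, and a signed response to the site’s challenge, so that the site stores nothing but a public key. SQRL itself uses Ed25519; this dependency-free stand-in uses a Schnorr signature over secp256k1, and the domain names, master key and nonces used with it are constructed for illustration.

```python
import hashlib, hmac, secrets

P = 2**256 - 2**32 - 977  # secp256k1 field prime, group order and generator (public constants)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):  # affine point addition; None is the point at infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and a[1] != b[1]: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else: lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, point):  # double-and-add; not constant-time, teaching code only
    result = None
    while k:
        if k & 1: result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result

def encode(point):
    return point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")
def challenge_hash(R, pub, msg):
    return int.from_bytes(hashlib.sha256(encode(R) + encode(pub) + msg).digest(), "big") % N

def site_private_key(master_key, site):
    # SQRL's core trick: per-site key = HMAC(master key, domain), so each site sees an unlinkable identity.
    digest = hmac.new(master_key, site.encode(), hashlib.sha256).digest()
    return 1 + int.from_bytes(digest, "big") % (N - 1)

def enroll(master_key, site):
    # Client -> site at sign-up: only the site-specific public key is handed over.
    return ec_mul(site_private_key(master_key, site), G)

def respond(master_key, site, nonce):
    # Client answers the site's challenge nonce with a Schnorr signature over site||nonce.
    d = site_private_key(master_key, site)
    k = secrets.randbelow(N - 1) + 1
    R = ec_mul(k, G)
    e = challenge_hash(R, ec_mul(d, G), site.encode() + nonce)
    return R, (k + e * d) % N

def check(stored_pub, site, nonce, signature):
    # Site verifies with the stored public key; a stolen user database yields only that key.
    R, s = signature
    e = challenge_hash(R, stored_pub, site.encode() + nonce)
    return ec_mul(s, G) == ec_add(R, ec_mul(e, stored_pub))
```

Because the nonce is part of what is signed, a captured response cannot be replayed against a fresh challenge, and because the two sites receive unrelated public keys, neither can tell that the same person is behind both.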

Things will probably get worse before they get better, but I do believe they will get better. We just have to be careful not to jump ship before we truly come up with solutions that can keep us secure while maintaining at least the possibility for anonymity and privacy.

What do you think about the future of authentication?

Now that you are at the end of my article, I would love to hear your feedback on this issue! Please leave comments and get some discussion going. I will jump in from time to time to add my two cents, and answer your questions as best I can. Thank you for reading and for taking part in the conversation.