Security-related issues have come to the fore recently and focused a harsh light on some of the methods that companies use to try and protect your data and/or identity. The consistent theme throughout virtually all these methods is the use of passwords and the problems associated with them.
Recent efforts have been focused on using more challenging passwords that contain a minimum number of capital letters, non-alphabet letters and so on. There’s also a lot of attention being paid to two-factor authentication, which often boils down to having two different passwords (although, sometimes one is supplied by an outside party). The simple fact of the matter is that passwords are a horribly outdated, unnatural way of trying to secure data. They are clearly a solution designed by engineers for other engineers, yet have managed to survive and seep into our consciousness to the point where many people think they’re the only realistic option.[pullquote]Passwords are a horribly outdated, unnatural way of trying to secure data. They are clearly a solution designed by engineers for other engineers.”[/pullquote]
Real people, on the other hand, don’t mesh particularly well with passwords. We’ve all heard the stories about the horrendous over usage of the most common passwords (12345, pa$$word, etc.), but even people who figure out clever password combinations can’t typically remember more than about 1 or 2 of them. So, they keep using those same clever passwords over and over, which defeats the purpose of clever passwords in the first place. Given the increasing number of places where some type of log-in are becoming necessary, this model also doesn’t scale particularly well.
There have been a few attempts to break out of our password-dependence over the last several years—notably through fingerprint readers—but they’ve yet to move into regular usage for most people. Plus, even people who use them only tend to do things like log into a single device—not all their devices or all their services or all their data stores. And, in my experience, even some of the better ones—including Apple’s TouchID—are far from consistent and far from perfect, especially when you use them for a while.
As a result, I believe it’s way past high time to get something that we can predictably, reliably use to provide safe, secure access to our entire digital persona—including all our devices and services. In fact, we need a secure, memory-independent means of adding even more data—like digital health records, commerce transactions and more—to our growing digital identities.
Given all the other amazing technical marvels we’ve seen get introduced to the market over the last several years, I’m actually shocked we haven’t seen better solutions. Part of the issue, of course, is cost. But given all the attention we’ve seen on security-related issues and, therefore, the interest in providing security across a very wide range of devices, I think the enormous potential market for some kind of hardware-based security solution will drive costs down rapidly.
Ultimately, I think some type of biometric-type approach—whether it be improved fingerprint readers, retina scanners, vein matching, or some other sensor-based technology that can positively and uniquely identify an individual—will be the winner. But the devil is in the details and accuracy levels need to improved and become more consistent before any of these technologies can go mainstream.
Beyond the hardware, we’re also going to need a lot more work on standards across devices, platforms, software and services in order to really get these kinds of solutions to take off. It’s all fine and good if a single vendor comes up with a reasonably effective technology, but unless it’s widely adopted across a wide range of companies, devices and services, it’s ultimately not that useful.
Solving this dilemma is clearly a challenging task, but given how broken our current password dependent-systems are, it’s one that needs to be tackled—and soon.
2 thoughts on “The Password Dilemma”
So with the recent Gmail and iCloud password fiascos, do you think at least the two big players will be motivated to create the next big thing WRT passwords? Or are we forever relegated to continually ducking and dodging with our passwords?
Biometrics would be fine for physical security but I am not certain for the identity
authentication in cyberspace. Biometrics, whether static or behavioral or electromagnetic, cannot be claimed to be an alternative to passwords UNTIL it stops relying on a password for self-rescue against the false rejection altogether while retaining the near-zero false acceptance in the real outdoor environment. A dog which depends on a man cannot be an alternative to the man.
I wonder how many people are aware that biometrics operated with a password in the
OR/disjunction way (as in the case of iPhone) offers a lower security than when
only the password is used. Media should let this fact be known to the public lest consumers should be misguided,