Some people cannot stop talking about the death of the password. Passwords are old, insecure, and easily lost. Soon we will all use biometrics, hardware security keys, and other futuristic solutions – right? Not so fast.
We talked to Jeffery Goldberg, 1Password's chief of security, who said he was "cautiously optimistic that this time we saw a password problem being compromised."
That's the optimistic attitude – and it's far from the death of passwords.
Why People Want to Kill the Password
When Microsoft talked about the corporate goal of "Creating a World Without Passwords" in May 2018, the Microsoft security team wrote:
"Nobody likes passwords. They are uncomfortable, insecure, and expensive. In fact, we dislike them so much that we've got down to work to create a world without them – a world without passwords."
Passwords have become more annoying over time, and we've all become more aware of the risks of reuse. If you use the same password on multiple websites and one of them leaks it, an attacker can use that password to access your accounts on the other websites. So you must choose a secure, unique password for every service you use. The days of reusing one short, simple password across a handful of websites are over.
For most people, that is too much to keep in their heads: it is impossible to memorize a secure, unique password for every online account. That's why we recommend password managers, which remember all of those secure, unique passwords for you. All you have to do is remember your one master password, which is much simpler than memorizing 100 of them and much safer than reusing one.
However, even with a password manager, a password alone is not completely secure. Someone with a keylogger on your system could capture your password and log in as you. That's why services add a second layer of security: we often enter a password and then have to authenticate a second time with a code or a key.
Is there a better way?
What could replace the password?
Goldberg said that "scheme after scheme" had been proposed over the last twenty years to kill passwords, many of which learned nothing from what had failed in the past. However, newer schemes may have a better chance of success because people now carry more powerful local devices.
Biometrics can stand in for a password. You may use Touch ID or Face ID to unlock your iPhone instead of entering a PIN. Android phones also offer fingerprint and face unlock.
You can now also create "passwordless" Microsoft accounts to sign in to Windows. Your username is your phone number, and in place of a password you enter a code sent to that phone number via SMS.
You can also use a physical security key instead of a password to authenticate to your online accounts. You keep the key with you (you can even keep it on your keychain) and plug it in or tap it when you log in, via USB, NFC, or Bluetooth.
Phones can also replace passwords. Google now lets Android devices act as FIDO2 security keys. You may then confirm a sign-in to a website on your laptop with a fingerprint on your phone.
Many organizations are trying to reduce their dependence on passwords by offering single sign-on through providers such as Facebook and Google. You sign in to Facebook, Google, etc., and use that account to sign in to other services. No additional passwords are required.
Password Replacements Don't Replace Passwords
There is a big problem here. Technologies touted as "password replacements" do not yet actually replace passwords.
Biometrics such as Face ID or Touch ID still require both a device passcode and an Apple ID password. Some tasks also require the PIN, because the PIN underlies the device's encryption. Biometric features on Android and Windows Hello on Windows 10 work the same way – essentially as a convenience feature. It's easier to unlock your device because you don't have to enter a password every time, but the biometric does not replace your password.
A passwordless account that sends you phone codes isn't great either. Instead of a fixed password for your account, the service generates a new one-time password every time you try to log in and sends it to you via SMS. That is less secure than the traditional method of requiring a password plus a security code when you log in, because the code is the only factor.
Unfortunately, attackers can easily steal phone numbers in many situations, which makes this method less secure still. It is a great way to reach people in countries where phone numbers are ubiquitous, and it reduces the friction of opening an account, which is why Amazon offers it. However, it is not a good replacement for passwords.
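The two login shapes contrasted above (a password plus a second-factor code, as in the earlier section on password managers and keyloggers, versus an SMS code standing alone) are easier to reason about in code. The following is an added example written for this article, not code from 1Password, Microsoft, or Amazon. It assumes a server that stores a salted PBKDF2 hash of the password, an RFC 6238 TOTP secret for the "code" factor, and a five-minute lifetime for SMS codes; all of those choices, and the `Account` class, are this example's own.

```python
"""Constructed demo: password + one-time code versus an SMS code standing alone."""
import hashlib
import hmac
import os
import secrets
import struct

PBKDF2_ITERATIONS = 200_000   # assumed work factor
SMS_CODE_TTL = 300            # assumed policy: a delivered SMS code is valid for 5 minutes


def hash_password(password: str, salt: bytes = b""):
    """Salted PBKDF2-HMAC-SHA256; the server stores (salt, digest), never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second time step."""
    return hotp(secret, now // step, digits)


class Account:
    """Hypothetical server-side record for one user."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt, self.digest = hash_password(password)
        self.totp_secret = totp_secret
        self.pending_sms = None  # (code, expiry) for the SMS-only flow


def login_password_plus_code(acct: Account, password: str, code: str, now: int) -> bool:
    """Two factors: something you know (password) and something you have (authenticator)."""
    ok_password = verify_password(password, acct.salt, acct.digest)
    ok_code = hmac.compare_digest(code, totp(acct.totp_secret, now))
    return ok_password and ok_code  # both are always computed, so timing does not reveal which failed


def issue_sms_code(acct: Account, now: int) -> str:
    """Simulates the server generating a fresh code and sending it to the phone number."""
    code = f"{secrets.randbelow(10 ** 6):06d}"
    acct.pending_sms = (code, now + SMS_CODE_TTL)
    return code  # in reality this goes out over SMS; it is returned here only for the demo


def login_sms_only(acct: Account, code: str, now: int) -> bool:
    """'Passwordless' flow: the delivered code is the whole credential."""
    if acct.pending_sms is None:
        return False
    expected, expiry = acct.pending_sms
    acct.pending_sms = None  # single use, whether or not the attempt succeeds
    return now <= expiry and hmac.compare_digest(code, expected)


if __name__ == "__main__":
    acct = Account("correct horse battery staple", b"12345678901234567890")
    now = 1_700_000_000
    # A keylogger captured the password but not the phone: the second factor blocks the login.
    print(login_password_plus_code(acct, "correct horse battery staple", "000000", now))
    # Whoever controls the phone number receives the SMS code and is in; no password involved.
    delivered = issue_sms_code(acct, now)
    print(login_sms_only(acct, delivered, now))
```

The contrast is in the two `login_*` functions: the first needs a captured password and the phone, the second needs only whatever the phone number delivers. The `hotp` implementation can be checked against the published RFC 4226 test vectors (secret `12345678901234567890`, counter 0 gives `755224`, counter 1 gives `287082`), which is the quickest way to be sure a TOTP verifier is correct before trusting it with real accounts.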
Most services that support physical security keys use them as an additional authentication factor. You still log in with your password and then present the security key as a second confirmation. Using a key with no password at all is still a long way off.
Single sign-on services also have a privacy problem. If you click "Sign in with Google" or "Sign in with Facebook," the identity provider (Google or Facebook) knows which services you are signing in to.
Passwords Are Still There (in the Background)
Even if Google's dream of replacing passwords with phones becomes a reality, the password is not eliminated. The Verge summarized Google's plans as follows: "If you're already signed in on your phone, you can use it to bootstrap the next device you want to sign in to your Google account with."
You may avoid using your password for a long time, but it is still in the background. After all, you'll need it if you lose all your devices.
Passwords are still widely used because they are easy to set up and use. Password replacements offer more convenience or extra security. However, you always need a way to regain access if you lose your device and cannot use your biometric or hardware security factor.
"I think there will always be edge cases that require passwords," said 1Password chief officer Matt Davey. For example, Sign in with Apple in iOS 13 provides a web-based sign-in option that uses your Apple ID password when you sign in on a non-Apple device. A password works everywhere and is the universal fallback when biometric or hardware security features fail or are unavailable.
As Goldberg said, implementing passwords for websites is easy. "They are still the easiest to use for service operators."
For this reason, 1Password is optimistic about the future of password managers. The company said it had seen more new users as its competition increased, and companies like Apple, Google and Mozilla are taking password management seriously.
What will the future bring?
The dream of killing the password is a long way off. Even if it goes well, the best-case scenario is that we make slow progress and offer simpler alternatives alongside passwords.
One day, passwords may be pushed into the background and become a forgotten account-recovery method. But it will probably be a long time before they get there. The struggle to banish them from daily use for most people will be long and hard. Kill passwords completely? That is even harder to imagine.