Passwords Are A Horrible Way To Keep Us Safe — Here Are The Potential Alternatives
Lisa Eadicicco
smartphone man
REUTERS/Kim Hong-Ji
Two years, ago Wired reporter Matt Honan had his entire digital life erased. His AppleID and accounts with Google, Twitter, and Amazon had all been compromised in the span of one hour. The hacker tweeted offensive remarks from his Twitter account and wiped his iPhone, iPad, and MacBook completely clean.
About two months ago, a U.K.-based Reddit user woke up to find that a hacker had stolen a decent sum of money from him by running up the bill on his PlayStation account. The culprit took so much money, in fact, that the author was unable to pay his rent that month.
Both incidents provide examples of what can happen when usernames and passwords fall into the wrong hands.
Last month, researchers discovered one of the biggest vulnerabilities the internet had ever seen— the Hearbleed bug. Heartbleed occurred as a result of a critical flaw in OpenSSL, a popular encryption standard, which could allow hackers to trick servers into spitting out crucial personal information.
Since then, experts have been warning the public to change the passwords to their most important accounts. These events, however, raise the question as to whether or not there's a future for the traditional username and password.
The problem with the password
"I think the password is going the way of the dinosaur," said Jonathan Klein, president of Usher, a company that focuses on mobile identity solutions for enterprise platforms. "I think there's no question that it's a flawed and broken system."
"I think there's no question that it's a flawed and broken system."
There are two basic problems with the password, according to Klein, the more obvious of which being that they're not very user friendly.
"One of two things happen," Klein said. "They either forget [their passwords] and they get locked out of their systems...or much more dangerously they do the old famous yellow sticky note. And you’d be surprised if you walk around a corporation or organization that’s supposed to have high security, the number of people that have just written down their username and password on a little sticky note."
The other issue has to do with the nature of the username and password system. Sending critical information, such as your password, to another server makes it susceptible to hackers. In most cases, this type of data is encrypted when it travels between servers to prevent interceptors from reading it. However, if someone learns how to take advantage of a serious vulnerability such as Heartbleed, they could potentially decrypt that information.
"The mere transmission of that sensitive password information across open channels means that it can be stolen or phished," Klein said. "We think the solution is just the complete elimination of usernames and passwords."
Could a fingerprint scanner replace the password? 'Absolutely not.'
Alternatives to the password have existed long before Heartbleed, but none of them have really been implemented on a widespread scale. Both Apple and Samsung have added biometric fingerprint scanners to their newest flagship smartphones, although the technology is most commonly used as more convenient means of unlocking your smartphone.
FingerprintSensors
William Wei/Business Insider
The technology may not be secure enough to ever replace the traditional password, Nicholas Percoco, vice president of strategic services at IT security firm Rapid7, says. When asked whether or not fingerprint scanning technology could make passwords obsolete, he replied "absolutely not."
"The main reason is, it's not necessarily a secret whereas a password could be," Percoco said. "If you think about your fingerprint, every single thing you’ve touched since you woke up this morning has your password on it. So that’s a problem."
It's relatively easy to fool these systems, according to Percoco. If a thief steals your fingerprint-protected iPhone 5s, he or she could lift the fingerprints off your phone's screen. In September, German hackers figured out how to get around the iPhone 5s' biometric sensor just two days after the phone was released. Researchers in Germany were also able to fool the Galaxy S5's fingerprint scanner into accepting a mold of an enrolled finger rather than the real thing.
"The other thing is, you can't change your fingerprints," Percoco said. "So you really only have 10 shots."
Multi-factor authentication is the best way to make sure hackers don't get ahold of your personal information. This is the process where you type in your password and a secondary password gets sent to your phone via text message. Many accounts and services, including Google, offer two-factor authentication today. In theory, a hacker would need both your password and your smartphone to access your accounts. That's unlikely to happen.
However, both Klein and Liam O Murchu, a senior manager at security firm Symantec, imagine a future that involves combining various types of verification techniques.
For example, Klein praised the system used at Usher's parent company MicroStrategy, which involves using your smartphone to scan a QR code on your computer screen to login rather than typing in a username and password.
An encrypted mobile ID would be stored on your phone, which tells the computer that you're authorized to log in. This type of technology could be even more secure if you're using a phone with biometric authentication such as the iPhone 5s or Galaxy S5.
"There's nothing to intercept, there's nothing to steal, there's nothing to remember, and it's perfectly secure," he said. "We think that this is the future—the combination of biometrics and encryption on a smartphone."
Using more than one type of authentication could also address the concerns Percoco acknowledged earlier. For example, if a phone or bank account required both voice verification and a fingerprint swipe, an intruder would have a much more difficult time obtaining your information even if he or she imitated your fingerprints.
Why aren't we using it today?
Technology that can prevent our digital identities from being stolen already exist, but they're not part of our everyday lives just yet. That's largely because the technology simply isn't reliable enough yet to be rolled out on such a large scale, O Murchu said.
"I still think it's a very young market," he said in reference to biometric security and facial recognition. "It still needs to be tested. The two models [iPhone 5s and Galaxy S5] that came out with the fingerprint scanner were a real gamble as to whether or not they would be secure enough."
In about five years, O Murchu believes we'll see some strong competitors to the traditional password, although standard username logins will continue to exist. Technology similar to the facial recognition used in Microsoft's Xbox One could easily translate to an everyday smartphone over the next few years.
"Maybe three or five years out we'll see something where you just look at the phone and it recognizes your face and it logs you in," O Murchu said.
facebook facial recognition
Facebook
Facebook is working on better facial recognition technology.
According to Klein, there are two key reasons why biometrics and QR-scanning systems haven't hit the mainstream yet.
Like O'Murchu, he said that these types technology still need to be perfected. But he also emphasized that smartphone adoption is now high enough around the world to make this type of login technique a reality.
Klein says there are 2 billion smartphones in circulation worldwide, and that number is expected to double within the next three years.
"We think this shift is going to happen quickly," Klein said. "2014 is the first time really in history when it really could happen. Realistically usernames and passwords will be here for a while. We just think that there’s going to be an important shift taking place to find a new and better solution."
