We cannot let passwords die (yet)
I’m getting fed up with marketing that says “Passwords must die” only to present yet another solution that won’t replace them.
The challenge to solve is ubiquity – this is why passwords have stood the test of time, even with their obvious and proven shortcomings.
Don’t get me wrong there are lots of great technologies vying to replace them: two step verification, two factor authentication (2FA), pass code generators, grids, biometrics, phone apps, reputation validation etc. (sorry if I missed your favourite).
But they are largely point technologies, that need to plug into a solution.
I use a password manager, which has over 100 systems I sometimes use registered in it. Each with a unique, and most with randomly generated passwords.
To replace these passwords with any of these “great technologies” requires ubiquity; otherwise I end up with 5 systems using one approach, 10 using another, 2 yet another and the rest stuck on passwords. (I am sort of already in that mess, with the accounts I really care about using some form of 2FA – some SMS, some Google Authenticator, and some bespoke apps).
My belief is that until we get authentication-as-a-service, where I can log on once (without a password), and this then brokers authentication to all 100+ systems we’ll be stuck with passwords on the systems I care about least: having different / disjointed “better” solutions will just make life harder. The security / ease of use balance will fail.
There are developments in this area – I can log on to some sites with my Google / Facebook / Twitter credentials, but at the trade of conceding privacy and even these are not universal, nor is the trust. There have been projects such as OpenID, but progress towards widespread adoption seems slow. Whatever happened to CardSpace!?!
So please, when promoting your latest and greatest password killer – tell me how you will deploy it in the mass market? I don’t care about homogenous point solutions; they will not kill the password.
Author Bio - Colin Robbins
Colin Robbins is a Principal Security Consultant at Nexor. He is a Fellow of the IISP, and a NCSC certified Security and Information Risk Adviser (Lead CCP). He has specific technical experience in Secure Information Exchange & Identity Systems and is credited as the co-inventor of LDAP. He also has a strong interest in security governance, being a qualified ISO 27001 auditor.
Be the first to know about developments in secure information exchange