Passwords: it is time we found a better solution

I mistyped my password, again, so now the website wants to know the name of my first pet. I type the cat’s name. No go. Should I capitalise the first letter of the cat’s name? Wait, maybe it was the name of one of the tropical fish I had as a kid! Do they even count as pets, and was I thinking of them when I answered the security question? Anyway, which of them — there were so many…

Before I know it, my account is locked. Now I’ll never straighten out my bill. I’m in authentication hell.

I’ve got lots of people accompanying me there, including, most likely, you. We face this doom thanks to choices we’ve collectively made over the past two decades. First we transferred every aspect of our lives online, and onto our many devices. Then we locked them all up using passwords, a security technique formerly reserved for third graders’ clubhouses and magic gates.

I always assumed we would have outgrown passwords by now. But despite the rise of new techniques like “multi-factor authentication” (usually codes sent to phones) and fingerprint ID (superglue apparently covers my fingerprint), passwords refuse to vanish. In fact, as cloud services have become the default method of software delivery — with remote servers running programs over the network, meeting our every need on phone or screen — most of us have more passwords than ever. Before you do whatever you want to do, anywhere and everywhere, you still have to log in.

I also always assumed that, if we were going to be liberated from passwords, it would be thanks to some marvellous technical breakthrough or a consensus around some open public standard. Surely the prophet to lead us out of password bondage would be the sort of bearded genius who built the internet in the first place, or some wild-eyed outsider coding us to freedom with cryptographic wizardry.

Now, as I’m sitting in a conference room on a sunny morning in September, feeling my phone vibrate with a your-payment-is-late notification, I’m wondering: Is there any decent replacement for passwords out there that is easy to install, easy to use, easy to manage, secure and doesn’t cost the earth?

What would also be nice is the ability to validate that the person authenticating to the secure login is ACTUALLY the person who they say they are.