Will passwords soon become a thing of the past? Have they already become obsolete? This is perhaps one of the most prominent topics under discussion in the technical media these days.
A couple of weeks ago, Forbes.com published a story about the probable public launch of U2F (Universal Second Factor) – a new form of authentication by Google in alliance with Yubico. Through U2F, Google wants “to help move the web towards easier and stronger authentication, where web users can own a single easy-to-use secure authentication device built on open standards, which works across the entire web.” Media reports following the story have fuelled wild speculation that traditional passwords will soon die.
U2F is creating quite a stir, just like the buzz created by the session on “Passwords are dead” at the RSA conference in San Francisco earlier this year. Meanwhile, the Petition Against Passwords movement gained widespread, global media attention last summer. Launched by a group of companies selling password-less technology, the online petition is being used to “collect every frustrated yell at forgotten passwords and make sure the organizations responsible hear them.”
Of course, people have been speculating on the death of passwords for almost a decade. Microsoft Chairman Bill Gates predicted the death of passwords in 2004 and then again in 2006, when he said that the end of passwords was in sight. Gates isn’t alone. Many other luminaries and industry analysts have long been predicting the disappearance of passwords. Still, passwords continue to be the most prominent method of authentication.
The grievance against passwords
With the proliferation of online applications, a variety of passwords now occupies every aspect of our lives. Remembering dozens of passwords is impossible. Storing them only invites trouble. And managing them manually is a pain.
With high-profile security breaches involving stolen online identities, all of us want to be rid of passwords. These security breaches also invite discussions on password replacement and raise the million-dollar question: do we have viable alternatives if passwords finally die?
Alternatives abound, but none viable
Alternatives to passwords, such as biometric authentication, iris authentication, facial authentication, various forms of multi-factor authentication, and even authentication through items like watches, jewelry, and electronic tattoos, are all being discussed.
A couple of months ago, Apple launched the Touch ID fingerprint sensor, which was built into the iPhone 5S. Touch ID allows users to access their phones with a press of the finger, “without the need to remember complex sequences of letters or numbers”. The launch of Touch ID also made the media promptly talk about the disappearance of passwords.
Interestingly, some of these alternative authentication methods have been cracked even before they could be adopted widely. A few years ago, a group of researchers defeated biometric facial authentication systems by using phony photos of legitimate users.
Active research is also under way to formulate better alternatives.
However, none of the alternative approaches have been viable so far for various reasons. Passwords are very easy to create and are absolutely free. The alternatives, on the other hand, are typically expensive, difficult to integrate with existing environments, difficult to use, and require additional hardware components.
Passwords are here to stay; protect them
For now, a viable replacement for traditional passwords is not in sight. When the next generation of password-replacing security technologies does emerge, it’s going to take a while for them to be widely accepted and adopted. All of which means that passwords are going to be around for a while.
Passwords are commonly perceived as insecure and a burden. While worrying over the pain points, we overlook the actual problem. The actual problem is poor password management, not the passwords themselves.
Unable to remember strong passwords, users tend to use and reuse simple passwords everywhere. They store passwords in text files and post-it notes, share credentials among team members, and reveal secure login details in emails and by word of mouth. Real access controls do not exist and passwords to sensitive resources and applications remain unchanged for ages. Such bad password management practices invite security issues and other problems.
Use a password manager
While research to find an alternative to passwords continues, it would be prudent to deploy a password manager to safeguard your data. With a password manager, you can secure all your passwords in a centralized repository; use strong, unique passwords without worrying about remembering them; automate and enforce password management best practices; control access to resources and applications; keep track of activities; and do much more.
If you are wondering which password manager to use, take a look at ManageEngine Password Manager Pro.