March 27, 2017
Are Passwords Finally Becoming Passé?
Passwords are cheap to deploy and users understand them, but three key factors are converging that will replace them before too long.
It looks like 2017 is continuing right where 2016 left off—with news of a massive data leak and thousands of passwords being exposed on the internet and cached by search engines.
The leak in question is the serious security flaw recently discovered in the widely used Cloudflare service. Because Cloudflare sits in front of so much of the internet, you should change all your passwords immediately, and you should seriously consider enabling multifactor step-up authentication for your more sensitive websites and services.
Your identity has become a “currency,” and criminals sell it like any other data. Unfortunately, many organizations are dragging their feet in adopting more advanced and secure methods for letting customers connect to their services. For the near term, at least, passwords are here, and they will remain for the next few years.
In terms of security and availability, passwords are the lowest common denominator: they are cheap to deploy, users understand how to interact with them, and the risks of the username-and-password paradigm, while not fully understood, are accepted. But three key factors are converging that will replace usernames and passwords in the future.
Many more savvy about security
First, policy- and decision-makers are becoming more sophisticated in their understanding of the risks and security profile that simple reliance on passwords presents. Recent announcements from Yahoo CEO Marissa Mayer and General Counsel Ronald Bell should be a bellwether in this regard. Following YAYB (Yet Another Yahoo Breach), Bell resigned without severance pay, and Mayer lost her annual cash bonus and equity award—which some reports estimate to be worth upward of $14 million.
Governmental regulations, such as the revised Payment Services Directive (PSD2) in Europe, are imposing more stringent authentication requirements on financial institutions, while the National Institute of Standards and Technology (NIST) in the U.S. no longer recommends delivering one-time passwords (OTPs) via SMS in its Digital Authentication Guideline. Password reliance, and the pain that comes with it, is a global problem.
Advances in biometrics, other alternatives
Second, viable alternatives to the password are gaining widespread acceptance. Since the release of the fingerprint scanner on the Apple iPhone 5S, biometrics have exploded as an alternative to PINs and passwords.
The FIDO Alliance has grown into an industrywide organization popularizing a set of specifications that increase privacy, security and usability while allowing the many players in the authentication marketplace to ensure interoperability. Adoption of such alternatives is moving along at a solid clip, with millions of users worldwide already using this technology.
Consumers demand more
Finally, users are fed up. They have learned of breach after breach after breach. The complexity rules layered onto passwords do not actually make them more secure, but they do make passwords significantly harder to enter on the small touchscreens that are becoming our primary computing devices.
As these three forces continue to converge, passwords will be replaced in greater and greater numbers.
As a society, we need to overcome password pain and look to the future. Using a fingerprint or other biometric authentication measure helps users look beyond the failed username and password infrastructure. In time, the public will understand how flawed traditional password usage is. It’s both inconvenient and insecure.
In 2017, we will see more companies erring on the side of security, removing passwords and implementing modern authentication strategies that eliminate the opportunity for large-scale password leaks and theft.
This post originally appeared on ThirdCertainty. It was written by Phil Dunkelberger.