Passwords becoming passé—and it can’t happen soon enough

As standard method of protecting data proves insufficient, three factors converge to reboot security


It looks like 2017 is continuing right where 2016 left off—with news of a massive data leak and thousands of passwords being exposed on the internet and cached by search engines.

This refers to the gaping security flaw recently discovered in the widely used Cloudflare service. It goes without saying that you should immediately change all your passwords, given how deeply embedded into the internet Cloudflare is. You also should seriously consider using a multifactor step-up capability to access your more sensitive websites and services.

Related article: Cloudflare bug spills passwords in plaintext

Your identity has become a “currency,” and criminals are able to sell it like other data. Unfortunately, many organizations are dragging their feet in adopting more advanced and secure methods for allowing customers to connect with their services. For the near term at least, passwords are here, and they will remain for the next few years.

In terms of security and availability, passwords are the lowest common denominator. They are cheap to deploy, users understand how to interact with them, and the risks associated with the username and password paradigm—while not fully understood—are accepted. But there are three key factors converging that will replace usernames and passwords in the future.

Many more savvy about security

First, policy- and decision-makers are becoming more sophisticated in their understanding of the risks and security profile that simple reliance on passwords presents. Recent announcements from Yahoo CEO Marissa Mayer and General Counsel Ronald Bell should be a bellwether in this regard. Following YAYB (Yet Another Yahoo Breach), Bell resigned without severance pay and Mayer lost her annual cash bonus and equity award—which some reports estimate to be worth upward of $14 million.

Governmental regulations—such as the revised payment services directive (PSD2) in Europe—are imposing more stringent authentication requirements on financial institutions, while the National Institute of Standards and Technology in the United States no longer recommends one-time passwords (OTPs) delivered via SMS in its Digital Authentication Guideline. Password reliance and its associated pain is a global problem.

Advances in biometrics, other alternatives

Second, viable alternatives to the password are gaining widespread acceptance. Since the release of the fingerprint scanner on the Apple iPhone 5S, biometrics have exploded as an alternative to PINs and passwords.

Related article: China embraces FIDO Alliance standards

The FIDO Alliance has grown as an industrywide organization popularizing a set of specifications that increase privacy, increase security, and increase usability while at the same time allowing the multitude of players from the authentication marketplace to ensure interoperability. Adoption of such alternatives is moving along at a solid clip, with multiple millions of users worldwide already using this technology.

Consumers demand more

Finally, users are fed up. They have learned of breach after breach after breach. The added features that complicate a password are not actually making it more secure, but they do make passwords significantly more difficult to input on the small touchscreens that are becoming our primary computing devices.

As these three forces continue to converge, passwords will be replaced in greater and greater numbers.

As a society, we need to overcome password pain and look to the future. Using a fingerprint or other biometric authentication measure helps users look beyond the failed username and password infrastructure. In time, the public will understand how flawed traditional password usage is. It’s both inconvenient and insecure.

In 2017, we will see more companies erring on the side of security, removing passwords and implementing modern authentication strategies that eliminate the opportunity for large-scale password leaks and theft.
