On Passwords and Fearlessness and the Future

Monday, July 14, 2014 - 11:19 AM

Today, Wall Street Journal technology columnist Christopher Mims boldly declared that the password is irrelevant and dying. How boldly, you probably weren't asking yourself? Well, so boldly that he posted his Twitter password in the article.

His argument is that authentication technology is becoming so smart that the value of the password is greatly diminished. Thanks to 2-step authentication, even with his Twitter password, you can't get into his account. He points to a bunch of ways that tech companies are rendering the password valueless:

Google is working on an as-yet unnamed protocol that allows you to connect to your online accounts on any device by authenticating yourself with your smartphone. This could be a code sent to you, or even a "smart ring." In June, Google showed off one version of this scheme, in which a user's laptop can be unlocked by the mere presence of his or her smartphone. It might seem foolish to replace an authentication token that you keep in your head (a password) with one you keep in your pocket (like a phone) but consider: The former can be obtained by hackers, and the latter you can shut down the moment it goes missing.

If you have either an iPhone or a newer Samsung phone running Android, it's simple to lock your phone remotely, even wipe it. So even if a thief gets his hands on the skeleton key to your accounts, you can disable it easily. Plus, your phone is itself locked (or should be) with a PIN code or even a fingerprint sensor.

But it seems that it's not so much about getting rid of the password itself as about using a password in conjunction with some other component: a PIN, a device, a fingerprint sensor. Something like that.

I like the idea, and I appreciate the boldness of it. It actually reminds me a bit of our story from a few months back about Y. Woodman Brown, who decided to post all of his passwords in the comments of a Washington Post article about Heartbleed.

They may look similar, but while Christopher Mims was doing it to prove a point about how hard it has actually become to compromise an account, Woody Brown was inviting people into his accounts. Brown wanted to live his online life in a radically open way to show that it wouldn't really have any effect on him. And it appears that it didn't.

Comments [2]

Ken Garcia from Santa Monica, CA

The identity and authentication puzzle is a very big landscape, and even if passwordless authentication were to catch on among developers and become very in vogue tomorrow, a lot of pay phones remain active throughout our internet city.

One of our engineers wrote a really excellent post on this topic: "Passwords are not Obsolete, yet" http://blog.bitium.com/passwords-are-not-obsolete-yet

He makes a great point when he talks about "alternate authentication isn't a Fail-Safe":

If authentication via a code sent to your phone becomes popular, we have a new challenge. People use their personal cell phone numbers for these things. No one has a work SMS # and a separate personal SMS #, or at least very few people do. We are creating a new nightmare for IT managers. Rogue app access from ex-employees with personal cell numbers can still access apps. You can disable someone's work email address, but you cannot disable SMS messages sent to their personal phone.

Jul. 16 2014 07:43 PM
Daniel Bennett from Washington, DC

There is often confusion between identity and authentication and how authentication might work. Because many systems tie the identifier or user account so closely with the authentication methods, the authentication methods are more vulnerable, and it makes better solutions harder to explain.

There is another method that is possible and even used to some extent on the Internet which makes the authentication methods less relevant and therefore more secure. For example, if you could just show you controlled a URL/URI and that the method of controlling the URL/URI was independent, then it would allow for a much easier, flexible and arguably more secure system.

In a sense we already have this in the form of the email address used for various user accounts. Most systems allow you to reset the password (aka not need a password) by receiving an email. You could do this every time and never actually use a password (this reset is essentially a time-limited and one-use token). All you are doing is proving you control the email account.

OpenID and IndieWeb.com/Auth (and SAML) use similar infrastructures where the control of the URL or account is shown, independent of how the URL or account is protected and controlled. One person might use biometrics and control of a mobile SMS account to gain control of their URL or account. Another may just use a password. To the hacker, it may be difficult to learn what method is used and therefore much more difficult to gain access to systems that are now much easier to attack multiple accounts.

And there are more ways to have identity, authentication and attributes (think birthday) architected that provide a more robust system with greater control for the citizen and get away from the current one size fits all authentication.

Jul. 15 2014 01:24 PM
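One way to implement the time-limited, single-use emailed token that the comment above describes, as an added example that is not code from the page or from any product named on it. The MagicLinkAuth class, its in-memory store, the 15-minute lifetime and the injectable clock are all assumptions made for the illustration; only a hash of the token is kept server-side, so a leaked store does not hand out live links.

```python
import hashlib
import secrets
import time

# Assumed lifetime of an emailed link, in seconds (constructed value).
TOKEN_TTL = 15 * 60


class MagicLinkAuth:
    """Hypothetical 'prove you control the mailbox' login.

    issue() creates a random token that goes into the emailed link;
    redeem() accepts it once, and only before it expires.
    """

    def __init__(self, clock=time.time):
        # token-hash -> record; constructed in-memory stand-in for a database
        self._store = {}
        self._clock = clock  # injectable so expiry can be exercised in tests

    @staticmethod
    def _digest(token):
        # Store only a hash: the raw token exists solely in the email.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        """Create a single-use token for `email` and return the raw token."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._store[self._digest(token)] = {
            "email": email,
            "expires_at": self._clock() + TOKEN_TTL,
            "used": False,
        }
        return token

    def redeem(self, token):
        """Return the email the token proves control of, or None if it is
        unknown, already used, or past its expiry time."""
        rec = self._store.get(self._digest(token))
        if rec is None or rec["used"] or self._clock() > rec["expires_at"]:
            return None
        rec["used"] = True  # one-use: a replayed link must fail
        return rec["email"]


if __name__ == "__main__":
    auth = MagicLinkAuth()
    link_token = auth.issue("alice@example.com")  # constructed address
    print("first redeem:", auth.redeem(link_token))
    print("replay:", auth.redeem(link_token))
```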


TLDR is a short podcast and blog about the internet by PJ Vogt and Alex Goldman. You can subscribe to our podcast here. You can follow our blog here. We’re also on Twitter, and we play Team Fortress 2 more or less constantly, so find us there if you like to communicate via computer games from six years ago.
