The password no longer suffices as a means of protection for computer-using humanity, so Wired's Mat Honan suggests we kill it. But what exactly will we replace it with? Honan has a personal stake in this movement, as he lost a lot of his life after a major hack of his various accounts, which he wrote about for Wired over the summer. That traumatizing event prompted Honan to investigate the stability of passwords all over the Internet, an investigation he just posted today. It's a pretty chilling look at how easy it is for a hacker to compromise someone's entire Internet life, even for people who use the often-talked-about best practices. His conclusion: "Kill the Password." He's the latest to make the call to action, and, after reading his harrowing personal tales, we're on board. But, what does a passwordless future look like?
Honan doesn't give an exact answer to that question. But he sets forth a certain vision of the future that involves more inconvenience and a way of building a verifiable identity of ourselves. Here's the basic idea, from Honan.
When you see a man on the street and think it might be your friend, you don’t ask for his ID. Instead, you look at a combination of signals. He has a new haircut, but does that look like his jacket? Does his voice sound the same? Is he in a place he’s likely to be? If many points don’t match, you wouldn’t believe his ID; even if the photo seemed right, you’d just assume it had been faked.
And that, in essence, will be the future of online identity verification.
In practice that means a combination of different things that say "yes, this is me." What are those things?
This is something Google already does, though not by default. Its two-step verification not only asks for the old-school password, but it also sends a code via voicemail or text message to your personal cell phone. (If you don't have this set up, activate it now—something you should have done when The Atlantic's James Fallows told you to.) Similarly, some banks ask for a PIN and an additional two-word phrase, notes Smartplanet's Laura Shin. But two is just the beginning, argues Honan. The security of a system gets stronger the more pieces required for verification. The future of passwords means a combination of a bunch of different identifiers that extend far beyond the password. That's where the next methods come in.
- Facial Recognition. This already exists, though not as part of a multi-step verification process, as explained above. KeyLemon sells face recognition software that uses a picture of your face as a login for your computer. As it's a photo-based system, it tries to make finding the person who tried to hack into your files a little easier: the system will take a photo of a person who tried and failed. It's unclear, though, if that is how hackers would attempt to bypass it. For websites, a pair of teenagers developed an API for their similar invention called Viv.ie. The biggest criticism of this kind of thing, and any other biometric solution, as these body-part identification tactics are called, is that once they are compromised they are irreplaceable, Tal Be’ery, a senior Web researcher at Imperva, told The New York Times's Somini Sengupta. In other words, you can't think up another combination for your face.
- Voice recognition. Some banks already do this, replacing the traditional PIN number with the sound of an account owner's voice.
- Touch gestures. A group of computer scientists are working on developing a technique where your tablet or phone will only recognize your special touch, reports Sengupta. (Yes, you have a special touch.) DARPA is also working on similar projects, like one that can tell how someone crafts an email or uses a mouse. Apple recently purchased security firm AuthenTec, which some have speculated might lead them to include some sort of fingerprinting technology on its future devices.
Improved Monitoring on the Other End
A lot of the blame for password hacking falls on the users who often pick stupid passwords (sometimes on purpose). But, we have entrusted our data to companies that should have an interest in protecting it for us. Here's how Honan sees it: "In many ways, our data providers will learn to think somewhat like credit card companies do today: monitoring patterns to flag anomalies, then shutting down activity if it seems like fraud," he writes. And we should hold them accountable to that standard. Facebook and Google already do this to an extent. Ever get a notice that someone logged into your Facebook from an odd location? If Google sees something fishy, it will ask a series of questions and, if not answered properly, will email a notification telling the person to change their password. All websites should do this.
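The pattern monitoring described above, as an added sketch that is not code from Honan, Wired or any provider: a correct password is only one signal, and mismatches against the account's usual logins decide whether to allow, ask further questions, or shut the attempt down and notify the owner. The signal names, weights, thresholds and sample profile are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Profile:
    """What the provider has learned about the owner's normal logins."""
    countries: set
    devices: set
    hours: range          # local hours at which the owner usually logs in

@dataclass
class Login:
    country: str
    device: str
    hour: int
    password_ok: bool

# Assumed weights: how much suspicion each mismatched signal adds.
WEIGHTS = {"country": 3, "device": 2, "hour": 1}
CHALLENGE_AT = 2   # ask extra questions or for a second factor
BLOCK_AT = 5       # stop the attempt and notify the account owner

def odd_signals(profile, login):
    """Return the names of the signals that do not match the profile."""
    checks = {
        "country": login.country in profile.countries,
        "device": login.device in profile.devices,
        "hour": login.hour in profile.hours,
    }
    return [name for name, ok in checks.items() if not ok]

def decide(profile, login):
    """Combine the signals; the password alone never earns an 'allow'."""
    if not login.password_ok:
        return "deny", []
    odd = odd_signals(profile, login)
    score = sum(WEIGHTS[s] for s in odd)
    if score >= BLOCK_AT:
        return "block_and_notify", odd
    if score >= CHALLENGE_AT:
        return "challenge", odd
    return "allow", odd

# Constructed sample profile and login attempts.
OWNER = Profile({"US"}, {"laptop-1", "phone-1"}, range(7, 23))

if __name__ == "__main__":
    for attempt in (Login("US", "laptop-1", 9, True),
                    Login("FR", "laptop-1", 9, True),
                    Login("RU", "unknown", 3, True)):
        print(attempt, "->", decide(OWNER, attempt))
```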
Better Passwords—er Passcodes
Don't think the standard type-a-series-of-letters-and-characters-into-a-box thing will go away, either. It sounds like the future won't be the end of that; it will just make the code less of the star of personal security. That means people should continue to use password best practices, which include using a phrase instead of a single word and having multiple passwords for different accounts. We know, it's annoying.
So, the future of passwords is a world in which getting to your Gmail will require a finger scan, a photo, a password, another password generated through a phone, and singing a song into the computer? Or something like that. In any case, it will be complicated and inconvenient. But, it will also be safer. Get ready.