Taylor Davidson · Peak Password

Why the password needs to be replaced
by Taylor Davidson · 28 Oct 2014
Worrying About Passwords, Manhattan, NY, 2014

I remember when I only had one password to remember, to access my university email account. It’s the first password I used regularly to access an Internet-enabled service, and it was easy to remember and use, because twenty years ago, there simply weren’t that many web services to create accounts on.

But now, nearly everything we use has a login, a user account, a password. And as more and more of our lives, personal and professional, are routed through web services behind logins and passwords, we’ve come to a place where the notion of a password no longer works. The complexity of creating and managing secure passwords is too much of an overhead to our lives, and the point solutions to help us manage passwords and authenticate us are by large overly technical, poorly understood by users, and thus unevenly adopted.

I hope we’re at “peak password”.

We need better ways to authenticate our identity and gain access to services. Mandating more robust passwords won’t work: it’s impossible for services to expect people to remember a detailed, unique password for each service, and to take the precautions to change their passwords regularly. [1] People use the same login, email, and password for multiple accounts because it’s the only practical way for us to remember authentication details. Password managers like Lastpass are one solution to password proliferation, but it’s difficult for password managers to keep up with every new place to use a password. OAuth using other services like Twitter, Facebook, Google and others have long been popular, but services don’t necessarily want to give their valuable user data away by using authentication services with broader business goals. TouchID and biometric methods are starting to become realities, but even then, as single-factor authentication methods, aren’t completely secure. And for mobile access? The paradigm is simply too taxing for mobile services.

Two-step verification, easily understood as verification through two steps using something you know and something you have, is a form of multi-factor authentication and is gaining in popularity and adoption. More services are moving to implement it in various forms, including leveraging USB keys like the Yubikey, app push notifications, SMS one-time passwords, dedicated mobile devices like Google Authenticator, and others. The issue, so far, is in widespread adoption, as even the easiest two-step authentication methods are still poorly understood and not largely adopted by users.

* * *

But what’s really interesting to me are services that are getting rid of passwords. Cotap uses an authentication methodology that doesn’t use passwords, simply using email as a verification method. Knock simply uses your phone; Apple could potentially leverage NFC to create their own password-less authentication system. Twitter’s new Digits product is getting a lot of press as a growth and onboarding engine, especially for markets that use SMS more than email, but what Digits is also doing is killing passwords, using the same idea as Cotap but leveraging SMS instead of email. The time for the password-less login is now. [2]

Why is killing passwords important? How many login and password data breaches have you heard about this year? JP Morgan Chase, Home Depot, Target: tens of millions of data points leaked from secure databases, but these are just the tip of the iceberg. Even if the passwords are encrypted, encrypted passwords are getting easier to break, driven partly by better access to large data stores of stolen user IDs and passwords.

Any company that stores lots of information about people is a target for hackers, and whatever is worth getting hacked, will get hacked.

That’s why password-less login systems are powerful: if you don’t store passwords, then they can’t be hacked. But let’s extend the idea a bit farther, because web services store a lot more about us than just passwords.

* * *

The only way to keep user information safe is not to store it. (link)

I’m curious about services that store less data about us. The rise of ephemeral messaging apps (Snapchat et. al.) and anonymous apps (Secret, Whisper, etc.) point to a rising demand for services that don’t store everything about us, either stripping out the content or our identity. But perhaps the real unmet demand is for services that simply store less data about us. If there’s nothing stored, there’s nothing to be hacked.

Apple Pay is currently marketed as an easier way to pay, but perhaps the killer utility behind Apple Pay is security, not convenience. Tokenization, a key security aspect behind Apple Pay, creates a different method for financial information to be exchanged between our payment providers and the places we shop. In essence, tokenization replaces sensitive data with “token” values that are useless to external hackers. No credit card numbers are stored, nothing to steal.

Or perhaps the idea of storing less data will move towards broader uses. Earlier this year, I gave a talk about the Internet of Things at Startup Iceland, and in it, I posited the idea that as devices and sensors get smarter, they have the potential to reduce our reliance on the smart cloud and push more decisions and processing to the edge, away from centralized cloud services, and away from hackers. Most “smart things” today are dumb sensors connected to the clever cloud; meaning, that the devices push data to cloud services, which then draw interferences and matches that push decisions down to smart sensors. The future of smart things could be smarter devices that are able to use data locally without pushing and storing it in the cloud. [3] If we build more powerful devices at the edge, we won’t need to depend on the cloud to the same degree. And if less data is shared and stored in the cloud, there’s less data to be hacked. [4]

The cloud isn’t going away, but we have the opportunity to use it differently. And I hope that a move away from passwords is the first step.

  1. If you care about security, read Bruce Schneier. ↩︎

  2. EDIT: Yes, Cotap still relies on the password behind the enterprise’s email system, since all authentication is effectively done through the enterprise’s email. Twitter’s system is a bit different, because it relies on access to one’s phone number, which likely requires access to one’s device. ↩︎

  3. For example, location services like iBeacon. ↩︎

  4. To be clear, this isn’t a strike against the future of cloud computing or big data. It’s about smarter uses of the cloud and smarter uses of data. While the storage of data isn’t a scare resource, processing, transmission speed, and battery are scare indeed resources, so the incentive to develop smarter devices that leverage the cloud differently are already here. ↩︎