Some time back, I read this interesting post at xkcd, a usual for these guys.
It made me realise, for the zillionth time, that passwords are a mess. This medium of authenticating a valid, and human, user has overstayed its welcome. The way it is being used is not secure. Well, can you blame the poor souls who are made to remember the crazy strings of letters every time they want to get something done online? Moreover, as a security policy, they are forced to change them every so often and then remember the new passwords. Sigh! Indeed, passwords are a mess.
You need more proof? Try searching for the phrase “passwords should die”. This farce has to be one of the most cursed phenomena out there.
A lot has been said on this front too. There are articles and even open source frameworks, like Passwordless, that aim to address this by giving application developers ways to replace their login forms with password-less access. At a high level, the key steps involved in achieving this are
These are pretty standard and well-accepted steps. However, the issue remains in the third step: how should these tokens be delivered? Whichever mechanism one selects becomes the single point at which the whole system can be compromised, whether that is email (what secures the email account then, another password?) or SMS (the phone is lost, what now?). The Hacker News thread on one such proposed system is a nice rundown of the likely issues.
Now, that thread is more than a couple of years old. Today, the best option would be to deliver the token to a device that has biometric authentication enabled. As an example, I really like the way Apple has implemented two-factor authentication on the Apple ID. It displays the possible devices the token can be delivered to and asks the user to select one. Once delivered to, say, an iPhone, only the user who owns that iPhone can access it, by authenticating with Touch ID. This same mechanism can be applied to delivering the secure tokens of web and mobile applications too. With that, the delivery problem is solved.
However, given that the majority of users do not own an iPhone or a similar device with biometric authentication, this method cannot become the primary way of authenticating users.
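Whatever channel the token travels over, the application side can still limit the damage if a token leaks in transit: store only a hash of it, give it a short lifetime, and let it be redeemed exactly once. The following is an added example of such a token service, not code from the post or from the Passwordless framework; the class and function names, the ten-minute lifetime and the in-memory list standing in for a database table are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 10 * 60  # assumed lifetime: ten minutes


class FakeClock:
    """Injectable clock so expiry can be exercised without sleeping (constructed for the example)."""

    def __init__(self, now: float) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


@dataclass
class PendingLogin:
    user_id: str
    token_hash: bytes   # only the SHA-256 of the token is kept at rest
    expires_at: float
    used: bool = False


class PasswordlessLogin:
    """Hypothetical issue/redeem service for one-time login tokens."""

    def __init__(self, ttl_seconds: float = TOKEN_TTL_SECONDS, clock=time.time) -> None:
        self.ttl = ttl_seconds
        self.clock = clock
        self._pending: list[PendingLogin] = []  # stand-in for a database table

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, user_id: str) -> str:
        """Create a fresh random token for user_id and return the raw value.

        The raw value goes to the delivery channel (email, SMS, push to a
        device); the server keeps only its hash, so a leaked table does not
        yield usable tokens.
        """
        raw = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending.append(
            PendingLogin(user_id, self._hash(raw), self.clock() + self.ttl)
        )
        return raw

    def redeem(self, raw: str):
        """Return the user_id for a valid, unexpired, unused token, else None."""
        now = self.clock()
        candidate = self._hash(raw)
        for entry in self._pending:
            # constant-time comparison of the digests
            if hmac.compare_digest(entry.token_hash, candidate):
                if entry.used or now > entry.expires_at:
                    return None
                entry.used = True  # single use: a replayed link does nothing
                return entry.user_id
        return None


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    svc = PasswordlessLogin(clock=clock)
    link_token = svc.issue("alice")
    print("first redeem:", svc.redeem(link_token))   # alice
    print("replay:", svc.redeem(link_token))         # None
    stale = svc.issue("bob")
    clock.now += TOKEN_TTL_SECONDS + 1
    print("expired:", svc.redeem(stale))             # None
```

The service does not change which channel is the weak point; it only shrinks the window in which a token captured from email or SMS is worth anything, and makes a second use of the same link fail loudly enough to be logged.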
So even though I believe that, in John Siracusa’s words, on an infinite timescale all applications will have password-less logins, we are some years away from realising that dream.
OK, so what until then? This is what I would like application developers to do to make this password mess a bit less itchy for me. Decide first: do you really need me to secure my profile with a password? User forums and discussion groups, I am looking at you. I will give banks and financial apps leeway to make me remember and enter a password. For all others, please make this process simple.
I believe this will ease the burden of maintaining passwords for the majority of people without making them any less secure. Passwords can’t die yet, but at least they would be a little less painful.