Is the Password on its Way Out?
After high-profile hacks and thefts, online services and device manufacturers are warming to technologies, such as fingerprint sensors or voice recognition software, that can improve security by accompanying or replacing passwords. To streamline the effort, authentication technology providers are working toward a common standard for implementing these password alternatives. Here are some of the ways these technologies will reach everyday Internet users.
A group of six companies came together in July 2012 with the goal of creating a standard for password alternatives such as fingerprints. They formed the Fast Identity Online Alliance (FIDO), a consortium that now has more than 100 members, including Alibaba, Google, Microsoft, Visa, and MasterCard. It is developing two approaches to authenticating users. Both involve storing identifying information on a physical device rather than on servers, which hackers can attack to download thousands of records en masse. The idea is to make large-scale password breaches impossible. Authentication technology provider Nok Nok Labs explains the basic concept in this video.
One framework, known as the Universal Authentication Framework (UAF), allows for user experiences that do not require traditional alphanumeric passwords at all. If an online service requests authentication to perform a function such as a money transfer, a person would need to provide biometric information like a fingerprint on his or her device before the transaction could go through. UAF can be strengthened further by combining a biometric with another factor, like a PIN.
The other, Universal Second Factor (U2F), does not eliminate passwords, but instead bolsters them by requiring people logging in to a service to prove their identity with a unique physical device that only they can access. They would log in with their typical username and password, but then the website would ask them to present this second form of authentication, such as by pressing a USB device or by tapping it against the near field communication (NFC) tag on their smartphone.
More information on how these frameworks generally work is available here.
Google Security Key
Google has introduced a new physical device based on one of the FIDO frameworks to add a layer of security when its users are logging into their Google accounts through its Chrome browser. To use it, people would buy the physical key and insert it into their computer’s USB port. When logging into Google’s services with their normal password, the site would prompt them to tap the key. Already, Google has a version of this “two-factor authentication”: it asks people to enter a six-digit PIN code that Google sends them via text message. But this physical key is safer than these one-time passcodes because, Google says, it uses cryptography that works only with legitimate websites.
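To show what "cryptography that works only with legitimate websites" means for the U2F flow described above and for Google's key, here is an added, simplified model of a tap-to-sign exchange (not code from the FIDO Alliance, Google, or the article): the device signs over the origin the browser reports, a tap counter, and the site's one-time challenge, and the site verifies against its own origin. The message layout is simplified from the real U2F specification, and the origins and challenge are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)

// Authenticator models the USB key: a key pair made at registration and a tap counter.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}
// Registration is what the website stores: the public key and the last counter it saw.
type Registration struct {
	pub         *ecdsa.PublicKey
	lastCounter uint32
}
// Register creates a fresh P-256 key pair; only the public half leaves the device.
func Register() (*Authenticator, *Registration, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &Registration{pub: &priv.PublicKey}, nil
}
// signedMessage binds a signature to the reported origin, the tap counter and the challenge (simplified U2F layout).
func signedMessage(origin string, counter uint32, challenge []byte) []byte {
	appID, chal := sha256.Sum256([]byte(origin)), sha256.Sum256(challenge)
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], counter)
	sum := sha256.Sum256(append(append(appID[:], cnt[:]...), chal[:]...))
	return sum[:]
}
// Sign models the tap: the key signs for whatever origin the browser says it is on.
func (a *Authenticator) Sign(origin string, challenge []byte) (uint32, []byte, error) {
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(origin, a.counter, challenge))
	return a.counter, sig, err
}
// Verify runs on the website, which hashes its OWN origin, so a signature obtained on a look-alike site fails and a counter that did not advance is rejected as a replay.
func (r *Registration) Verify(ownOrigin string, challenge []byte, counter uint32, sig []byte) bool {
	ok := counter > r.lastCounter && ecdsa.VerifyASN1(r.pub, signedMessage(ownOrigin, counter, challenge), sig)
	if ok {
		r.lastCounter = counter
	}
	return ok
}
```

Because the site hashes the origin it knows itself to be, a signature collected by a look-alike site at another origin does not verify at the real one, which is the property that one-time passcodes typed by the user lack.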
Nok Nok Labs, a founding member of the FIDO Alliance, developed the technology for the fingerprint sensor on the Samsung Galaxy S5—the first smartphone to meet the group’s standards. The sensor can be used to unlock the device or to access other services, like PayPal’s mobile app and Alipay, Alibaba’s payment tool for Chinese users.
Agnitio first started developing voice authentication technology a decade ago to help Spanish police look for criminals based on their voices. Now the company expects to supply its software to devices coming out next year. When the software is installed on wearable or mobile devices, a person would speak into the microphone and the device would check whether the voice matches his or her “voiceprint,” a digital file that contains the characteristics of a person’s voice. Call centers use Agnitio’s technology to protect against fraud by identifying people based on their voices, and the software verifies the voices of seven million people in South Africa who call a number to prove they are alive in order to receive their pension checks.
Apple is not a FIDO Alliance member, but it has already deployed fingerprint sensors on the iPhone 5s and 6 that can be used in many instances instead of a four-digit passcode. In October, the company announced that iPhone 6 users can make payments just by touching the fingerprint sensor and placing the device’s near-field communication antenna near a reader at a store checkout counter. This service, Apple Pay, is designed to be secure because credit card numbers are never sent to or from a store. Instead, the merchant receives an encrypted confirmation from a payment processor such as Visa.
Dashlane lets you forget all your passwords—though it doesn’t eliminate them from the Web experience. Instead, this startup creates a super-safe password (one that is unique and hard to guess) for each online service a person uses—and Dashlane automatically enters them rather than the user. The user gets at them by logging into Dashlane’s desktop client or mobile app, where it stores the user’s passwords with a military-grade encryption algorithm. These passwords can be decrypted only with a master key that is chosen by the user and never stored on Dashlane’s servers.
FIDO Alliance’s technologies could eliminate the use of passwords altogether, but a gradual decrease in the reliance on passwords appears to be the more likely scenario in the next few years. In addition to the FIDO members and Apple, many other startups are bringing their own flavors of authentication software to the market.