Is the Password on its Way Out?

After high-profile hacks and thefts, online services and device manufacturers are warming to technologies, such as fingerprint sensors or voice recognition software, that can improve security by accompanying or replacing passwords. To streamline the effort, authentication technology providers are working toward a common standard for implementing these password alternatives. Here are some of the ways these technologies will reach everyday Internet users.

FIDO Frameworks

A group of six companies came together in July 2012 with the goal of creating a standard for such password alternatives as fingerprints. They formed the Fast Identity Online Alliance (FIDO), a consortium that now has more than 100 members, including Alibaba, Google, Microsoft, Visa, and MasterCard. It is developing two approaches to authenticating users. Both involve storing identifying information on a physical device rather than on servers, which hackers can attack to download thousands of records en masse. The idea is to make large-scale password breaches impossible. Authentication technology provider Nok Nok Labs explains the basic concept in this video.

One framework, known as the Universal Authentication Framework (UAF), allows for user experiences that do not require traditional alphanumeric passwords at all. If an online service requests authentication to perform a function such as a money transfer, a person would need to provide biometric information like a fingerprint on his or her device before the transaction could go through. UAF can be strengthened further by combining a biometric with another factor, like a PIN.

The other one, Universal Second Factor (U2F), does not eliminate passwords, but instead bolsters them by requiring people logging in to a service to prove their identity with a unique physical device that only they can access. They would log in with their typical username and password, but then the website would ask them to present this second form of authentication, such as by pressing a USB device or by tapping it against the near field communication (NFC) tag on their smartphone.

More information on how these frameworks generally work is available here.

Google Security Key

Google has introduced a new physical device based on one of the FIDO frameworks to add a layer of security when its users are logging into their Google accounts through its Chrome browser. To use it, people would buy the physical key and insert it into their computer’s USB port. When logging into Google’s services with their normal password, the site would prompt them to tap the key. Already, Google has a version of this “two-factor authentication”: it asks people to enter a six-digit PIN code that Google sends them via text message. But this physical key is safer than these one-time passcodes because it uses cryptography that can work only with legitimate websites, Google says.
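
Why the key's cryptography "can work only with legitimate websites", shown as an added example (not code from Google or the FIDO Alliance): a simplified origin-bound challenge-response using ECDSA P-256 from Node's crypto module. The SecurityKey class, verifyAssertion function, JSON message layout and both origins are assumptions made for illustration; real U2F messages use a binary format.

```javascript
// Added illustration: simplified origin-bound challenge-response (not the U2F wire format).
const crypto = require('node:crypto');

// Toy authenticator: one key pair per origin; private keys never leave it.
class SecurityKey {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.keys.set(origin, privateKey);
    return publicKey; // the only thing the website stores
  }
  // `origin` is reported by the browser, not chosen by the page's script.
  sign(origin, challenge) {
    const privateKey = this.keys.get(origin);
    if (!privateKey) return null; // no credential registered for this site
    const clientData = JSON.stringify({ origin, challenge });
    const signature = crypto.sign('sha256', Buffer.from(clientData), privateKey);
    return { clientData, signature };
  }
}

// Website side: accept only a fresh challenge, signed for our own origin.
function verifyAssertion(publicKey, expectedOrigin, expectedChallenge, assertion) {
  if (!assertion) return false;
  const data = JSON.parse(assertion.clientData);
  if (data.origin !== expectedOrigin || data.challenge !== expectedChallenge) return false;
  return crypto.verify('sha256', Buffer.from(assertion.clientData), publicKey, assertion.signature);
}

function demo() {
  const REAL = 'https://accounts.example.test';   // constructed origin
  const FAKE = 'https://accounts-example.test';   // constructed look-alike
  const key = new SecurityKey();
  const pub = key.register(REAL);
  const challenge = crypto.randomBytes(16).toString('hex');
  const check = (a, c = challenge) => verifyAssertion(pub, REAL, c, a);
  const legit = check(key.sign(REAL, challenge));
  // Look-alike page relays the real challenge; the key has nothing for that origin.
  const noCredential = check(key.sign(FAKE, challenge));
  // Even with a credential for the look-alike, the signed origin and key differ.
  key.register(FAKE);
  const wrongOrigin = check(key.sign(FAKE, challenge));
  // A captured response is useless against the next login's challenge.
  const replay = check(key.sign(REAL, challenge), crypto.randomBytes(16).toString('hex'));
  return { legit, noCredential, wrongOrigin, replay };
}

console.log(demo());
```

A six-digit code sent by text message, by contrast, carries no origin, so it verifies the same way no matter which page collected it.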

Fingerprint Sensor

Nok Nok Labs, a founding member of the FIDO Alliance, developed the technology for the fingerprint sensor on the Samsung Galaxy S5—the first smartphone to meet the group’s standards. The sensor can be used to unlock the device or to access other services, like PayPal’s mobile app and Alipay, Alibaba’s payment tool for Chinese users.

Voice Authentication

Agnitio first started developing voice authentication technology a decade ago to help Spanish police look for criminals based on their voices. Now the company expects to supply its software to devices coming out next year. When the software is downloaded on wearable or mobile devices, a person would speak into the microphone and the device would see whether it matches his or her “voiceprint,” a digital file that contains the characteristics of a person’s voice. Call centers use Agnitio’s technology to protect against fraud by identifying people based on their voices, and the software verifies the voices of seven million people in South Africa who call a number to prove they are alive in order to receive their pension checks.

Apple Fingerprints

Apple is not a FIDO Alliance member, but it has already deployed fingerprint sensors on the iPhone 5s and 6 that can be used in many instances instead of a four-digit passcode. In October, the company announced that iPhone 6 users can make payments just by touching the fingerprint sensor and placing the device’s near-field communication antenna near a reader at a store checkout counter. This service, Apple Pay, is designed to be secure because credit card numbers are never sent to or from a store. Instead, the merchant receives an encrypted confirmation from a payment processor such as Visa.

Password Stand-in

Dashlane lets you forget all your passwords—though it doesn’t eliminate them from the Web experience. Instead, this startup creates a super-safe password (one that is unique and hard to guess) for each online service a person uses—and Dashlane automatically enters them rather than the user. The user does this by logging in to Dashlane’s desktop client or mobile app, where it stores the user’s passwords with a military-grade encryption algorithm. These passwords can be decrypted only with a master key that is chosen by the user and never stored on Dashlane’s servers.

The Takeaway:

FIDO Alliance’s technologies could eliminate the use of passwords altogether, but a gradual decrease in the reliance on passwords appears to be the more likely scenario in the next few years. In addition to the FIDO members and Apple, many other startups are bringing their own flavors of authentication software to the market.

Do you have a big question? Send suggestions to questionoftheweek@technologyreview.com.
