Elimination of passwords is in the works

Recently, Google's email service Gmail made a tiny change to its log-in procedure. A first screen asks for a username and leads to a separate screen asking for a password. It's a sign of big things to come.

Omer Karatas, a co-founder of the digital security start-up Saaspass, recently told me that participants in April's RSA conference in San Francisco--a forum for cryptographers and cyber-security professionals--were in broad agreement that passwords were an unacceptable risk.

"There was a panel with the heads of security of Dropbox, Amazon Web Services, Rackspace, Google for Work, Microsoft 365," Karatas said, "and when asked about what the biggest issue for the Internet that needed solving, it was like a chorus: 'Passwords need to go. The only question is how.'"

In an announcement about the new Gmail log-in screen, Google mentioned it was "working toward introducing new authentication solutions that complement traditional passwords." Splitting the log-in page was a step in this direction, but the goal is to eliminate passwords entirely.

Most computer breaches involve password theft. Hackers can steal them by invading corporate systems--they have accumulated millions of stolen username-password combinations--or by picking weak passwords by brute force, which is what apparently happened with the mass theft of nude celebrity pictures from Apple's iCloud last year.

No matter how much companies invest in security, there can always be a vulnerability. LinkedIn users have sued the company for weak security that allowed hackers to obtain millions of passwords, but they continue to be vulnerable. And no matter how often people are told to create separate, strong passwords for every application, they will keep using their birthdays and children's names, because our memories are finite.

Technology that identifies users without a password already exists. Google recently presented its advances in facial recognition technology based on artificial intelligence. Intel promises to release an app that will replace passwords with facial scans.

The latest version of Google's Android mobile operating system provides for unlocking a phone when it is connected to a trusted Bluetooth device or a near-field communication tag, or even when the user is in a "trusted location"--the phone's geolocation feature takes care of that.

There are identification techniques based on scanning barcodes with a mobile phone: Saaspass, which has 60 people working on eliminating passwords, uses this technology, among others. Another solution is to generate one-time access codes that are sent to a user's phone or produced by a special app. That's what Google uses for so-called two-factor authentication, a feature it pushes to Gmail users.

Fingerprint scanners, whose price is expected to drop below $5, making it possible to include them in the cheapest phones, are another possibility.

All of these authentication techniques, however, still require the use of a password. A phone can be stolen, the location feature can be misled, and there have been successful hacks of fingerprint scanners, as well as embarrassing accidents with facial recognition systems. Besides, it's always harder to breach one level of defense than two.

Another problem is that many of the inventive identification methods are available only to people with the newest gadgets running the most up-to-date software. But the world is full of late adopters and non-adopters, and major Internet companies such as Google and Facebook cannot afford to demand that all their users upgrade their equipment to be safe.

The solution will probably be a combination of two non-password authentication methods--say, facial recognition and a phone running a code-generating app, or a fingerprint scan and a text message. Then no one will need to store or remember passwords, and fingerprint scans from a corporate database will be useless to thieves. That, however, won't happen until companies are reasonably sure the technology is reliable.

Editorial on 05/24/2015
