The passwords existence is something I hear more and more discussions about, especially near the end of a month, maybe prompted by people forgetting which password goes where as they’re trying to pay their bills. Every trade show I attend have an increasing amount of companies there claiming that they have THE solution that will eliminate the need for passwords once and for all.
The problem is not the password in itself but rather the human user. We as humans are lazy, we tend to fall in love with our clever creations (up to 73% of passwords are re-used), or take it after our pets. In order to overcome the situation the security tinkerers have been trying various versions of complicated policies. Does changing your password every month for your airline booking profile really make sense? Or CAPTCHAS, I get flagged as a bot whenever I need to figure out if a password is with a capital letter, a number, or both and that is more a bot-or-not warning system… Many of the solutions proposed to eliminate the password are two-factor solutions based on you having your smartphone as a proximity- or additional authentication-device.
Putting the burden of security on the end-users is not the answer
I assume that most people, at least from a UX-perspective, are not that fond of two-factor authentication. I find it completely backwards that many of these new allegedly password-eliminating solutions are based on two-factor, usually with your phone. Sure, I keep my phone on me practically all the time but that doesn’t keep me from getting unreasonably annoyed when I need to use it for traditional out-of-bound authentication. As a frequent traveler, where I can have high speed internet through fiberoptic cable but using my +46 Swedish number, getting told in my browser that I’ll get a security code via SMS, something I know won’t be able to reach me, is especially infuriating.
Multilayered security is more efficient than multifactor solutions
I agree that the need for the password is on the way out, however, I do think that a lot of people underestimate the time it’ll take to remove them completely. Considering how long we’ve used passwords and how bad a lot of people are at using them I don’t think there will be enough with one quick fix to remove them completely. If the site uses a multi-layered security solution that looks at more than just if the password matches the stored password the authentication isn’t a bad thing at all. With a modern security-system you can let your users use simple, easy to remember, passwords without compromising your security.
Today, multi-layered systems look at so many more variables than just the username and password. Things like device recognition, geo-location, geo-velocity, behavior analytics and, of course, behavioral biometrics. With all of these additional layers in place the need to replace a password isn’t as important as it is to be better at managing and minimizing false accepts and false rejects. Every layer adds more information and, the way I see it, more information is key when making automated security systems and freeing customer support staff from making and receiving, annoying phone calls to/from customers.
Don’t just focus on the walls, continuously authenticate the user
The strength of a perimeter defense doesn’t matter once there’s a breach, whether it’s the physical walls of Constantinople, Babylon or Antioch or more recent fortifications like the Maginot Line. The moment an attacker can breach or circumvent defenses they’re practically worthless, something that holds true when defending against cyber threats as well, something HBO, Yahoo, and countless more have had to learn the hard way.
It’s simply not enough to build metaphorical walls protecting accounts if there’s no further checks once the attacker gets through. That’s why I’m a strong advocate of continuous authentication, instead of trying to make the strongest wall user-friendly I think we should focus on user experience and keep the users safe continuously instead of just at the point of entry.
With behavioral biometric included in a multi-layered continuous security system, even a simple password can keep the account close to impregnable.