USAToday Column

June 18, 2015
Passwords must die

By Bob O'Donnell

FOSTER CITY, Calif. — OK, let's just call it. Passwords have got to go. We know it. Technology device vendors know it. Website publishers know it. Retailers know it. Banks know it, and on and on and on.

Yet, we're still logging into our devices, services, websites and more with passwords every day. The obvious question is, why?

It turns out enabling alternative methods to prove we are who we say we are — otherwise known as authentication — isn't that easy.

For one thing, there have to be agreed-upon standards for enabling authentication, and they have to be shared across devices, operating systems, websites and all the tech-related services we regularly use.

Another key issue is what's politely known as a "people problem."

We're all too lazy. We don't want to take the extra steps that are often necessary to use the more secure methods of logging into various systems. We get annoyed if our banks force us to not only remember a username and password, but also a special image that we've associated with our accounts.

These types of dual-factor authentication mechanisms (meaning, they require two different steps to verify our identity) are known to offer better security than simple logins, but the percentage of people who choose to use them is abysmally low.

And yet, the warning signs are all around us — Target, Home Depot, the U.S. government. Last week, ironically, a site called LastPass that was designed to provide a service in which a single master password could be used to protect all your other passwords was hacked. The company claims that, thanks to data encryption, people's passwords should be safe. But it still makes you wonder.
At this point, I'm frankly in shock that we are all still so dependent on what is clearly a horrifically broken security model, particularly as more and more of our lives' information and activity moves online.

Thankfully, there are positive developments towards password replacement, and more are coming soon.

The most promising long-term solution is biometrics, such as fingerprint scanners, which leverage sensors that can read a distinctive characteristic of your body, to uniquely identify you. The beauty of biometrics is that, because every one of us is biologically inimitable, a strong biometric system can provide a single unique password that only you should be able to use everywhere. Oh, and it's impossible to forget.

Biometric sensors still aren't perfect — as those of you who've struggled with faulty fingerprint readers already know, but they're getting a lot better. Plus, there is a whole raft of new biometric technologies on their way, including facial recognition using 3-D cameras like Intel's RealSense, iris scanning using the camera built into your smartphone or other device, and even wearables like the long-awaited Nymi Band, which can identify you through an electrocardiogram of your heartbeat captured via a simple wristband.

In addition to new technologies, there are important movements around critical standards as well. The FIDO (Fast Identity Online) Alliance — whose membership includes everyone from tech component suppliers such as Synaptics, ARM and Qualcomm to Bank of America, Visa and PayPal — is making good progress in driving the creation of protocols to share these kinds of password-less authentication methods between devices, operating systems, services and more.

In fact, Microsoft has announced it is supporting biometric authentication and FIDO Alliance standards in the forthcoming Windows 10 OS in a feature called Windows Hello. On an appropriately equipped PC (one with a Windows Hello-compatible biometric sensor), not only will you be able to securely log into your PC with just your physical presence, but also into any Microsoft service or other web site that conforms to Microsoft's Passport identity management service.

Some of these new technologies sound pretty science fiction-like, but it won't be long before simply touching, looking at, or wearing a device will give us fast, seamless, secure access to our devices, services, accounts and eventually even our homes and cars.

I, for one, am more excited about developments in this area than I am any other new gadget or gizmo, because this is going to make our lives, and our data, easier and more secure. In an increasingly digital world, it doesn't get more important than that.

Bob O'Donnell is founder and chief analyst of TECHnalysis Research, a market research firm that provides strategic consulting and market research services to the tech industry. You can follow him on Twitter @bobodtech.

Here's a link to the original column: http://www.usatoday.com/story/tech/columnist/2015/06/18/passwords-must-die/28929523/