Is the password done and dusted?
Everything on the Web has an analogy in the real world. Passwords, for example, can be equated to locks and keys. It is interesting that while the world is getting smarter, infusing a bit of artificial intelligence into everything around us, something as fundamental as the lock and key still hasn’t lost its place. We still carry our house keys with us, right? And we still create and remember passwords. The password has held its ground against the onslaught of time, and in doing so it has served us well. But then nothing lasts forever.
So, we are raising two questions here, with implications wide enough to affect every person. The first is about the longevity and life expectancy of the password, while the second asks the same of the metal lock and key we are so accustomed to using. We can’t answer both questions, so we will leave the second as food for deep thought. The first, however, is within the purview of this post.
Passwords are simple beings. Yet they are among the most fundamentally strong entities around, surviving on their own and securing much more advanced systems without having to evolve continually. But they may be nearing their end if experiments by the world’s tech giants bear fruit, although not immediately. Search giant Google is planning to bring password-free logins to Android apps by the end of this year. That is signal enough that the world is looking to move beyond the ubiquitous password. It is hard, but the world is trying. This again raises the question of why anyone would attempt to discard the password when it is the simplest piece of technology in use today. Well, it’s a long story.
How are passwords bad?
Passwords are great, but they are also sometimes quite bad. They can’t easily be discarded, which means alternate technologies had to be developed to counter their negatives. Also, there is nothing inherently wrong with the password; the problem lies with the human mind itself. For instance, a person juggling 10 to 20 different kinds of online accounts finds it really hard to remember all of the associated passwords. Many people forget them, and that can lead to frustrating situations. Often it is not possible to use the same password everywhere, and doing so is a security risk in any case. That is why solutions like Single Sign-On and Social Login were conceived: they allow people to use the same account on multiple domains without having to create a new user account on each website they deal with.
Are passwords the only authentication mechanisms currently in use?
Before going into the modes of authentication, it is apt to describe what authentication actually helps with. In its basic form, authentication helps a network system (or a computer) decide whether a person seeking to log in to the network is actually that person. Passwords work because only the people who are supposed to log in know them, so the network assumes that the person typing in the correct username and password is genuine. And so passwords have been excellent authentication mechanisms. But the strength of the password is also its flaw. If someone steals your password, he or she is you. As simple as that.
Is there something to be done?
Of course. That’s how two-factor or multi-factor authentication systems came about. Biometrics came to be involved, but they are mostly used in high-risk and high-value banking and financial transactions. However, some next-gen phones like the Apple iPhone 5S and OnePlus 2 came to have fingerprint scanners on them, introducing extra layers of security over the traditional password. Another option is a hard token device that generates a random password on top of your usual password. Simpler still is the One Time Password (OTP) that is sent to mobile phones for extra verification.
Do these add more security? Are they foolproof?
Yes, they do add more security to the account being operated. But no, they are not foolproof. For instance, an imposter who knows your password can also steal your fingerprint easily, and your mobile phone too (they just have to snatch it away at a good place). Unless it’s really advanced biometrics, the security is not really tough to crack, but for the purpose of securing low-value accounts these measures do work well.
So what’s Google talking about?
Google has been on a quest to improve its search results as much as possible, to the point where you just think of a query and Google gives you results. Part of that is its improvement of every side of our daily life in terms of voice search, tracking and what not. That is why Google announced Project Abacus at its I/O developer conference (it did so in the previous edition too, but more elaborately this time around): it will continuously collect data in the background about your activity on the mobile phone and then, based on that pattern of data, decide if it’s really you. The argument made in defence of this method of authentication is that there is no way someone else can impersonate you. Well, at least nobody has probably yet tried to find a way to do it. In essence, the password is to be displaced by behavioral data captured continuously to detect if it’s actually you. That might be the future of authentication: going from authorization based on static data to authorization based on dynamic data. The movement has already begun.
So, is it the end of the password we know?
This is a tough question, but the end of the password may not come so soon after all. Fingerprint sensors are not so common yet, though they might not be the future of authentication. And even if the future is behavioral data, unless a lot of people are convinced of its gatekeeping abilities, it is premature to say that the password is done forever. But it must also be said that once a proof of concept shows that behavioral data can work to protect devices and accounts, changes will be swift.