Industry experts have been sounding the death knell for passwords for some time. Speaking in 2004, Bill Gates claimed the password could not meet the challenge of keeping information secure, and predicted its demise.
Yet 12 years on, it’s still alive. So, are reports of its death premature? And could the password see a new lease of life in the digital age?
Passwords no longer passing muster
I don’t know about you, but I think that the average person has just too many passwords to remember: 90 at the last count, according to password management company Dashlane. This leads to poor ‘password hygiene’ (choosing weak, easy-to-remember passwords, reusing them across websites, writing them down), according to an RS2 Blog.
According to a recent survey by mobile identity solution provider Telesign, 69% of security professionals believe usernames and passwords alone no longer provide sufficient security. 72% believe that their company will do away with passwords by 2025. So, if static passwords are no longer passing muster, what are the alternatives?
Biometrics is booming
Fingerprints, face, voice and iris recognition, eye prints, finger veins and heartbeats: the use of ‘something you are’, or inherence, for identity and verification within financial services is on the rise.
As a snapshot of biometric activities, Gulf Bank has announced the Middle East’s first ‘blinking to bank’ biometric mobile banking app, which combines facial and fingerprint recognition. Barclays is rolling out voice recognition technology to its personal banking customers. And Worldpay has piloted finger vein recognition technology in its staff canteen.
Biometrics are harder to fake than passwords, particularly in the case of methods with in-built ‘liveness’ detection. There is also the field of behaviometrics on trusted devices: the triangulation of multiple data sources from a mobile phone can help to authenticate users. Then there is the social element, the ‘So’ from ‘SoLoMo’ (social, local, mobile). Social media activity, online reputation, credit and employment history combined can provide a unique fingerprint.
“Reports of my death are greatly exaggerated”
Combination is key, and therein lies the future of passwords. While static, password-only security is on the way out, I predict that passwords themselves will survive for some years to come. They will complement other factors (e.g. biometrics, behaviometrics, and the social graph) in a layered approach.
The nature of authentication is changing. As well as encompassing new data sources, it is moving from the historic to the current (even real-time). From the static to the dynamic. From the active to the passive. If authentication becomes a continual background process rather than an interaction with the user, this will shape the future of passwords. They may become a form of step-up authentication for extra security, rather than an automatic default.
Make no mistake, passwords will be around for the foreseeable future. Or as Mark Twain quipped on learning that his obituary had been published: “Reports of my death are greatly exaggerated.”