Memorizing numerous passwords is inconvenient. This is known. To counteract said inconvenience, many people use memorable (read: hackable) passwords on multiple sites. Which is a shame because security experts advise that, at a minimum, we use different, random, alpha-numeric strings for every website and switch them out every few months. Kind of the opposite of convenient. And even this method provides but a fig leaf of security.
Google knows all this. So, in a soon-to-released paper they’ll outline their preferred solution—a USB stick called Yubikey. Yubikey is a small USB-compatible security stick that draws power from your PC (no battery) to generate and send a one-time-use random authentication password on your behalf. Eventually, Google wants to go wireless with the technology, implanting it in cellphones or specially equipped rings.
Trash talking passwords isn’t in any sense new, and Google’s been at it for a few years. In 2010, they instituted two-step verification—adding a texted code to user passwords. Two-step verification is more secure because it relies on something you know (your password) and something you have (your phone).
Two-step verification and password generating key fobs may make accounts more secure than they are currently—but you can still lose your phone or Yubikey. What else is out there?
Biometrics are an already common alternative solution used on local machines like laptops. Human fingerprints and irises are like snowflakes—complex and unique. Biometric security scans a body part like your thumb, iris, or even entire face to prove your identity. The idea is you won’t (hopefully) lose these identifying characteristics, and they are difficult to duplicate. There is no reason biometrics can’t be used to enhance online security—perhaps by developing scanner apps for smart phones.
Meanwhile, the Defense Advanced Projects Agency (DARPA) wants to identify users by their keystrokes. According to researchers at Carnegie Mellon University, the way we type is as distinctive as our handwriting. Prolonged pauses between certain letters or the rhythm with which we type words are distinctive identifiers. A computer equipped to recognize such nuances would know you as soon as you’d typed in a username and could even monitor your patterns throughout a session.
Of course, neither of these options is foolproof—fake hands designed from pilfered fingerprints can fool biometric devices. And a hacker can record keystrokes, perhaps enabling them to mimic your typing style. The truth is, there may never be a perfect method of cybersecurity—one can only hope to throw enough roadblocks up to slow or dissuade potential hackers.
But just about anything is better than a password. So the question is: Alternative technologies have been around for awhile—why haven’t they gone mainstream?
Password security is inconvenient for users—but convenient for online businesses. To create real change, service providers need to adopt new methods in sufficient numbers to make them useful. The good news is that if anyone has the clout to persuade web sites to support non-password security, it’s Google. And to speed the process, Google says they’ve already built and will make available an independent protocol that online businesses can use to set up device-based authentication.
So, maybe this time we really are about to do away with passwords. More intriguing is whether they’ll be replaced with the Google ring, biometrics, behavioral recognition—or something more revolutionary.