It seems to be the general consensus these days that passwords as we know them are on the way out. As far back as November of last year, Wired’s Mat Honan declared that “The age of the password is over, we just haven’t realized it yet,” in a piece entitled “Kill the Password: Why a String of Characters Can’t Protect Us Anymore” (which also does a great job of enumerating why passwords are approaching obsolescence).
So while tech journalists all over the web are predicting the imminent death of the password as the standard means of authentication, we wanted to explore some of the technologies in development that could ultimately take its place. Some of these technologies have already been introduced to the market while others are still in the developmental stages, but all appear to be promising candidates for the future of authentication:
Okay, so this one doesn’t exactly have the “space-age” appeal of some of the other prospective authentication technologies but it is effective, and it’s already being widely implemented by major players like Google and Facebook.
The idea is simple. Your account is tethered to your phone number, and upon successful login with a standard password, a one-time code (in this case, a meaningless string of characters) will be texted to your phone. You’ll then be prompted to enter this code before accessing your account.
While the 2-step password is quickly gaining popularity thanks in part to the Atlantic’s James Fallows (who authored an article bluntly titled “Turn On Gmail’s ‘2-Step Verification.’ Now.”), the added security that it provides comes at the cost of convenience. For this reason, 2-step passwords may not catch on unless required by companies.
Also problematic is the inevitability of lost, stolen, or damaged phones. While there are ways in place to regain access to your account, most come with security liabilities of their own, and none are foolproof enough to ensure that you won’t be locked out of your accounts for at least a few hours.
Another possibility for the future of authentication is the use of biometrics — that is, physical or behavioral traits — to establish your identity. Biometric methods of authentication have been in limited use since the early ’80s but until the past decade or so were far too costly, intrusive, and slow for widespread commercial use.
Now, with the ever-increasing capabilities and continually shrinking cost of computer hardware, biometrics have returned as a viable option for user authentication, and are generally considered the most secure method of authentication (y’know, since stealing a fingerprint or an eye is considerably more difficult than stealing a password).
Historically, biometrics have used static information like fingerprint, facial, or retinal recognition to authenticate the identity of users. At this point, fingerprint recognition is still the dominant type of biometric authentication due to its simplicity of use and the small amount of space required.
As these static forms of biometric authentication become more common though, they also become less secure. For this reason, dynamic biometrics technologies like Google’s recent patent for imaging software that recognizes facial gestures are gaining popularity as a more secure alternative.
While Google’s idea involves using specific facial expressions to gain access to accounts and devices, there are several other types of dynamic biometrics in use as well. Signature dynamics, rather than relying on the image of your signature, record variables like pressure and writing speed as you sign, making forgery next to impossible. Keystroke dynamics work in much the same way, but use variables like the pressure and speed of your keystrokes as you type a password.
Another of the less glamorous possibilities for future authentication is that you may carry around a physical key with your unique login information. This could be something like a USB flash drive that you would insert into your computer, or some sort of token that wirelessly communicates with your computer.
Similar ideas are already in use by some government agencies, where authorized employees must swipe their identification cards to log in. Additionally, the massively multiplayer online game World of Warcraft uses RSA key dongles to allow players to sign in.
The most obvious prospective problem with this idea is that these keys would almost certainly be small and, as we all know, small things can be very easy to lose. Users who lose their key would be responsible for reporting it stolen, much like a credit card, at which point the key would be deactivated and a replacement provided (for a fee, of course).
And now we get to the fun part.
At this year’s All Things Digital D11 conference, Regina Dugan, former head of DARPA and current head of advanced research at Motorola, presented another novel (and arguably creepy) idea for future authentication, “…that you could simply wear on your skin, every day for a week at a time, say an electronic tattoo.” Called a “biostamp”, these “tattoos” would contain antennae and sensors that would operate in much the same way as a physical key, just much smaller and applied to your skin with a rubber stamp.
Dugan even came sporting a prototype biostamp made by electronics innovator MC10. Dugan foresees biostamps being available in, “colorful, cool design options,” and thinks the tattoos will go over well with rebellious teens, “…if only to piss off their parents.”
Some may be put off by the idea of an electronic identification device attached to their bodies for fear of a dystopian future, but at this point biostamps are only designed to last a week at a time, and are only capable of lasting up to a couple of weeks.
Therein lies a problem less exciting to our Hollywood-conditioned sensibilities: How would they be replaced? If individuals kept “packs” of replacement biostamps, what about the possibility of theft? As exciting as this technology is, there are still unanswered questions about its realistic application.
The other futuristic (and mildly disturbing) possibility presented by Dugan was that of an authentication vitamin. She brought along an example produced by Proteus which is already being used in healthcare.
The pill would be powered by the acid in your stomach and would give off, “an 18-bit ECG-like signal,” according to Dugan.
Dugan’s presentation left a few unanswered questions about this technology as well. The password pill would inevitably be… passed, bringing us to the question of replacements. How would they be obtained and stored, and would there be a way to invalidate stolen pills?
A Future Without Passwords?
Probably not. The bottom line is that despite all the hubbub about the death of the password, passwords will continue to be an important part of the world of digital identity authentication, but will be used in conjunction with these new technologies, as well as ones that have yet to be developed.
In the coming years, you’ll likely continue using traditional username and password login credentials for many of your online tasks, simply because they are the cheapest option for businesses, and the easiest (though far from the most secure) option for consumers.
Don’t be surprised if in the next couple of years some services start requiring you to have your phone handy for login, though. As smartphones become more and more ubiquitous, and as tech-savvy millennials become a greater part of the digital market, you can expect digital security and authentication to remain a popular topic of discussion, as well as a growing professional field.