It is the second time in as many days that I’m having to log into things and change passwords because of some less-than smart design decisions various web companies made when implementing their password database (looking at you Linkedin and Last.FM).

While these companies have clearly made a dangerous snafu, lets not be overly harsh on them. There but for the grace of god go all software developers. The real problem is passwords, and until we find something better, this kind of thing will keep happening.

Lets look at it from a UX viewpoint as well a security one for a moment, because they’re both linked. People, myself included, are phenomenally bad at creating secure passwords and remembering them. Predictably enough, this results in the vast majority of users using one memorable (but as a result easily guessable) password for everything, and/or writing all their passwords down somewhere… both things that are a bad idea from a security point of view and often elicit derisive snorts from security professionals clearly blessed with an eidetic memory.

Moving past Username and Password

Computers should adapt to humans, not the other way round. Isn’t it time we stopped wasting time trying to patch a clearly broken system and build something else?

This is of course much easier said than done, and the two current alternatives to username/password authentication available – OpenID and OAuth – are not without their issues.

OpenID is nice and decentralised, but the UX is just awful. Sign in with a URL? Try explaining that one over the phone to your mum.

OAuth has the benefit of being super super easy for the user (one or two mouse clicks to log in), so long as you’ve got an account with a given site’s blessed identity broker (for all practical purposes either Google, Facebook or Twitter). This model nudges towards a centralised identity model which I find very uncomfortable.

This centralisation raises new issues of catastrophic single points of failure. Not only do you have the issue of the service being a prime target for crackers, you also have a far more insidious and arguably more likely problem, basically, what happens when the identity broker you use for your 1000s of accounts goes out of business?

Not to mention, all three of the main identity brokers still fundamentally identify you with a username and password. Google and Facebook have added second layer authentication to their accounts, but Twitter is yet to implement anything (so if you have a twitter account and use it for authentication anywhere make sure your password is really really good).

So, what can we do to make this better?

Myself, I’d like to move to some sort of two factor authentication (combining something you have with something you know), at least for really important accounts. More and more people have mobile phones so perhaps something similar to the Google authenticator model or SMS code authentication for new machine sign-in would be a start.

Whatever we use, it needs to be decentralised, secure, and fundamentally easy for people to use. Because if whatever fancy solution we come up with provides a barrier between the user and what they want to do, it will be useless. People will just work out ways of circumventing the security in order to get things done, or simply not use the service at all.

Today, the most secure password-protected system you can ever build can be defeated by one forgetful user and a post-it note.

5 thoughts on “Seriously, we need to get rid of passwords

  1. I’m convinced that using phones as the hub points for our identities online (and offline) would have a lot of net benefits – and this is one. Two-factor authentication is obviously far more secure, and could be made user friendly in the future easily.

    Imagine this:

    Your computer has NFC. So does your phone.

    You arrive at your desk, and place your phone by your computer, entering your usual unlock passcode on the handset. Automagically, the computer picks up your ID and preferences, so that, for example, you’re logged into Chrome.

    From then on, any authentication requires confirmation on your handset itself – requiring none of the usual password rigamarole, and a simple confirmation on your phone. Nothing to remember; easier for everyone.

    The same mechanics can work for sending messages to your contacts or adding new ones; just a blip on your phone if you happen to be in the same room. Your phone identity becomes the hub for your social activity, and as a result you get to use all of the communications methods available to it. (Perhaps using an aggregator or social backup, like a social version of Google Voice.)

    And, of course, if your phone gets stolen, you can deactivate it remotely. Because it’s a smartphone, and that’s what smartphones do.

    There are obviously some troubling parts to this. I’m actually not comfortable with requiring people to have a smartphone; they’re expensive, and it precludes (eg) lower-income people using the web in libraries. Socially, that doesn’t sit right with me.

    Anyway. This was the gist of my talk at Over the Air this last weekend; I ought to get a version of it online.

  2. Phone as a hub for this sort of thing is definitely where I think things are going to go, and combines something you have with something you know.

    However, yes, I don’t like the idea of requiring people to have them.

    What would be cool though is if the protocol for doing the authentication was open, that way you could have an app on your phone, or an appliance you buy, or even built into the chip in your bank card.

    We’d need a system where things fail gracefully back to other authentication methods, and perhaps even back to username and password for a while until everyone was on the new system (much as in the same way you could sign for purchases when using your credit card for a while until everyone was switched over to chip).

  3. Recently, I came across a start up in London called PixelPin (They entered a start-up competition the start-up I work for also entered). Their idea is to use personal pictures for authentication. In terms of user-friendliness, it seems to have huge benefits.

  4. Hmm… so something along the lines of picking a picture of your granny and your cats from a grid of a load of other images?

    Could be pretty good, provided the store of random images was large enough so as to make statistical analysis hard.

Leave a Reply