The end of the password is near. The brains at Google are experimenting with new authentication technologies for email, but it's not just our email that needs saving. Passwords everywhere don't work. The most optimistic thinking goes that with every new massive account info hack, companies will start adopting better technologies for protecting our user data, until one day the password is as much a relic as the floppy disk. For a look into what will come next, The Atlantic Wire spoke with security experts and analysts and the future without passwords involves a lot more passwords than we expected.
It Will Still Involve Passwords...
Despite Mat Honan's strong assertion in Wired last year that "the age of the password has come to an end," pretty much everyone we spoke with doubted that the password would disappear forever. The password will live. It just won't be the only means of security. "Most people will move away from relying on passwords as the only means of authentication," said Jeremy Grant, who heads The National Strategy for Trusted Identities in Cyberspace, a government organization working to advance the password ecosystem beyond passwords.
Rather, in the future, the password will be part of the security "constellation," as Forrester analyst Eve Maler put it. For the most important gateways to our lives, like email accounts, Google's 2-step authentication, which The Atlantic's James Fallows is a vocal proponent, combines a password and an ever-changing code sent via-text. The second aspect might look an awful lot like a password—Google texts a string of characters, for example. Or it might entail something more personalized, depending on the type of information we're trying to protect. But the password will still be in the mix.
While hacks loom, any extra steps means more of a burden for the user. Yes, having to go upstairs to get your phone is more annoying than remember 25 passwords. That hassle will never be worth it for certains things. Also, because of that perceived annoyance, it might take awhile for the multi-step thing to catch on, unless companies mandate it.
The Mobile Password
As far as extensions of our beings go, mobile phones do a pretty great job. Google's 2-factor process uses text messaging because people often have their phones right there with them. Cell phones are small, light, and mobile. But, they're also secure. Because of that and the proliferation of smartphones, Maler expects other companies will join this trend. (Some already have, PayPal for example has a very similar process as Google.)
The possibilities, however, extend beyond texting. Google, for example, has an Authenticator app that generates the code needed for the second part of authentication, changing the password every 10 seconds. Another company working with Grant, for example, is working with push notification technology, you know, those little alerts that pop up on smartphones when things happen. "You enter a username, the app pops up on your phone, asking you to push the green button or to push the red button," he explained. "Suddenly instead of having to carry an extra card, it's just an app on your smartphone."
A Computer That Recognizes You
It's possible, too, that the Internet could validate us without the middle-man. Those mobile solutions use our phones to say "this is the right person." In the future, computers might be able to just know it's us. "The system to just be able to recognize that you're exhibiting behavior that is you," said Grant. Banks already do this, to an extent. If someone makes a transaction from an obscure location, for example, that will trigger an alert. But, these systems could get smarter.
"There are companies that have been out there for years, looking at things like key strokes as biometrics," notes Grant. DARPA is researching that "keystroke dynamics" idea, for example. "Or with touch screens, you might have a certain pattern that you tend to use," he adds. Instead of an app on your phone, companies might require a mobile voice, facial, or eye-scan recognition for certain types of transactions.
A Physical Key
Just like the keys to our house, we might carry around a stick, or key-dongle, or card with us that gives access to our online data. That's the future Google sees: "The primary authenticator will be a token like this or some equivalent piece of hardware," write the Google inventors. These types of things already exist. A lot of government organizations require employees use a card to sign-in. World of Warcraft relies on RSA keychains. The problem, of course, is: what happens when you lose it? McMillan's solution: "you’d better report it stolen pretty quickly."
In every single one of the aforementioned solutions, a password is always the first step. Our passwordless future will still involve a lot of passwords. There may be no real escape.
This article is from the archive of our partner The Wire.