The new end of passwords

David García    11 May, 2022
Login screen for Instagram mobile

Legend has it that it wasn’t long after someone invented doors that locks were created. In ancient Egypt, an ingenious primitive mechanism was already in use that allowed a hook to be inserted through a hole as a key to move the wedges that acted as cylinders on a pin. These ingenious devices were perfected until they became the modern locks that we have in front of us today to curb the excesses of curiosity or empathy for other people’s belongings.

Moving away from the physical plane, in the digital world, locks are forms with two little boxes and a button, and keys are strings of characters. In the early days, when modern internet users could fit into a couple of first division football stadiums, those “keys” were as simple as counting to five, i.e., “12345”. Of course, it was just the seed for a well-known disaster.

We don’t know how to create strong passwords

And we can’t memorise them either. Let’s add to this mix the unhealthy ability we have to reuse passwords on dozens of sites where we open accounts. But isn’t it easy to carry a simple master key to open all our doors? Of course, it is, and that’s what the (now digitalised) thieves love to do every time they get your pet’s name or the date of your birthday. One password, thousands of websites. A bargain.

Second authentication factor, secure key generation algorithm, CAPTCHA systems to detect bots, password managers in the cloud… patches and patches and patches and patches on top of these to mend an exhausted system, concluded, obsolete, called to extinction, vilified and outdated… but, mind you, universal, ubiquitous, unanimous and anointed for being unique and unrivalled. What other alternatives do we have?

On the physical plane, too, locks do not have many competitors. They change shape (there are even some with facial recognition), but in the end it is the same thing: a shutter that moves, leaving the way open to the supposed bearers of the right to access and enjoy the contents of whatever it guards.

However, doors and locks are not driven by as much research and as many initiatives as the digital world in which we move on a daily basis (and at ungodly hours too). The progressive abandonment of the headache of passwords was therefore a problem that needed to be addressed, and the solution was to put an agreement on the table to standardise “something” that would finally allow us to discard a mechanism more typical of the previous century than of this interesting and busy one.

Transparent passwords

At last, half of GAFAM, together with the FIDO Alliance, have agreed in principle to push for a common mechanism to free our memory (the grey one, not the silicon one) from the tediousness of remembering or managing passwords. Could we be living in the historical moment when the last human being enters a password to access his or her binary piggy bank? Probably not yet. It’s a long way off, but as we said at the beginning, it’s a start: a first step along a long road that is not going to be exactly flat.

OK, but how exactly are we going to stop using passwords? What would be used instead? Strangely enough, in a certain sense (or rather, in a certain form) we are not going to stop using them at all. You simply won’t handle passwords yourself; logging in will be a transparent action for you.

The scheme takes advantage of a number of things that are already widespread among the public: a diversity of devices federated under a personal, distinguishable identity, and the ability of those devices to offer biometric sensors.

Case studies

All with a front camera and two of them with fingerprint reading capability. They don’t have to be from the same manufacturer, but surely, in most cases, the same person has the same identity under one, two or even three providers. Do you unlock your mobile terminal? You can do it with your fingerprint or with facial recognition. Even laptops allow access with a fingerprint (Apple’s Touch ID) or facial recognition (Microsoft’s Windows Hello).

Now picture that all these manufacturers (who are also, let’s not forget, identity providers) agree and allow a single identity to be used for all devices. You open your account once and that same identity is used on all your other systems. Sounds good, doesn’t it?

What if you now make it possible for a third party, on a website, to use that same system? Easy: you select the identity saved on your device and, on that or another device (from laptop to mobile and vice versa), it asks you for your fingerprint or your face. No password travels over the network, no password or hash is stored on the website, and there is nothing an attacker can use to guess your password because it simply doesn’t exist. There’s no point in snooping through your social networks to guess your birthday or a pet’s name.

Some of the challenges

Of course, in all these advantages, there are some points that need to be elaborated in order to be fair. The first and most important of all is privacy. That quality that no one misses until it is too late to repent and remedy. Once you hand over control of your bunch of digital keys to a third party they will know at all times where, when and with which device you are visiting which site.

The second, less likely but not impossible, is that an integrity failure in the identity provider can be catastrophic. Very catastrophic. Security is better (albeit more complex) when the weights (the risk) are distributed and it has never been a principle of this science to place the weight of a whole virtual life on a single point.

Let’s also talk about the third point: availability. What if you need to make an urgent transfer and your provider’s servers have a meltdown at that moment and do not recover until many moments later?

Bonus, fourth point: What if you wake up one morning and suddenly a machine learning-based automated system randomly decides that your account is fraudulent and deletes it? Where is the customer service desk? Hello, is anyone there? Hello? Can anyone hear me? My name is K, and I can’t access my money?

We can only celebrate the beginning of the farewell to passwords, even if there is still a long way to go, but we must also be critical of those who claim to be guarding what is ours, and we must place our bets with caution. We will see what the arrival of these new capabilities has in store for us and, above all, what alternatives remain for those who do not want them, or who find this convenience an inconvenience.
