It's Finally Time for the Password to Die

Our post-password future won't come until the industry embraces one standard for next-gen authentication. Let's do this.

We've been promised a post-password future. Many of the web's brightest minds and deepest wallets are working on making it happen. There are dozens of ideas on the table, some that sound like they’re straight out of a sci-fi movie. Yet, we’re still typing in “monkey_58” to access our bank accounts. And why?

It's time for the password to die. Let's do this.

It’s no surprise to anyone that the password is the Achilles’ heel of digital security. The premise is fundamentally flawed in today’s web economy, because A) we can’t remember any of the hundreds of disparate codes we’ve chosen for the myriad accounts we own, and B) we don’t even need to, since browsers and apps store them automatically, which is troubling in its own right because it leaves these personal keys far too exposed to being stolen and cracked. It happens all the time.

The good news is that experts have come up with a better way. Multiple better ways. The bad news is none of them work together—there are different protocols for different technologies, and websites have to decide which to choose. Learning hundreds of next-gen authentication systems is no less cumbersome for users than memorizing hundreds of passwords, and so we’re at a stalemate until the industry rallies around one standard. The race is on.

The looming demise of passwords made headlines over the last week. First there was the news that Microsoft is joining the FIDO Alliance, a group working to obliterate the password by developing an internet-wide protocol for an interoperable, secure and private authentication ecosystem. That mouthful basically means it's creating a basic framework to allow the entire web to switch over to a more sensible way of verifying people's identity.

FIDO, short for Fast IDentity Online, wants to make two-step authentication the norm and make use of hardware, like your cell phone, to add in physical proof. To verify you’re the owner of your device, the system could use any of the high-tech biometric IDs we keep hearing about: fingerprint readers, iris scanners, voice or facial recognition, gadgets that listen to your heartbeat or even read your mind to verify your thoughts. It could also make use of ID “tokens” like smart cards or security chips in phones.

In step two, the system sets up a “cryptographic string,” something like a personal key or PIN, to verify your device-linked identity with the website or application you’re trying to access. The FIDO software processes the key on the device but never sends the secret itself out over the web. In the end, it's the same concept as using both a debit card and PIN to access your bank account, or a website texting a code to a device it has verified as yours, which you then use to log into the site: you prove your identity with something you know and something you have.

The trick is to get companies to adopt the system—i.e. download the software onto their servers—on a wide scale, and then to get users to opt in. The alliance hopes that with Microsoft joining the board, which already includes Google, BlackBerry and other heavyweights, there's new hope of implementing the framework soon and with a wide reach.

But it’s not the only post-password game in town. Other private companies, including a slew of startups and some tech giants, have their own schemes to replace the antiquated passcode.

A few of these companies got a writeup yesterday in The New York Times, namely the San Francisco startup Clef. It offers a mobile app that sends an encrypted key from your phone to your computer through the phone's camera, creating a digital signature. Any website using the technology displays a QR code-like "Clef Wave" each time you go to log in, and you wave the phone in front of the code to sign in.

Other upstarts like OneID or LaunchKey also use smartphones and digital keys as login tools (are you sensing a trend yet?), but none stand a chance without widespread adoption from websites and users. Clef thinks it’s found a way around this hurdle. Instead of recruiting sites one by one to use its system, it skirted around permissions by developing a universal login feature. It just launched a browser plug-in called Waltz that it claims will make the app work across the web.

"The problem was adoption—it only worked on a few sites—so I built Waltz rather than waiting for the developers at Facebook or Amazon to implement Clef," Joe Wegner, the web designer who developed the plug-in, told the Times.

Even though security experts worry there are too many holes in the browser app’s authentication system, surely Waltz won’t be the last startup to try to dominate the space. Who will finally put the last nail in the passcode’s coffin? The most user-friendly design out of Silicon Valley? Facebook or Google pushing sites to use their social media logins for access? The engineers who build the protocols for the internet? Is it going to be a tug-of-war for the next two years? Let's hope not. This password business has got to go.

@meghaneal