The death of the password has been greatly exaggerated

Users need an accepted, mass-adoptable authentication factor that provides advanced security


In earlier years, matching a user ID to a secret password was considered the ultimate in security. Despite some users who actually used "password" as their password, the method worked relatively well for securing workstations or stand-alone computers. Even when the public began to flock to the Internet to shop online or send emails, the password kept them fairly well protected.

Unfortunately, easy access to the Internet brought a new breed of criminal -- those who steal users' personal information and credit card data. These perpetrators can log in from virtually any country, making them notoriously difficult to track, apprehend and prosecute. In most cases, these criminals are highly skilled and knowledgeable, and in some cases, they have not only the support of their governments, but also government funding.

The problem was exacerbated by the rapid growth of mobile devices. Securing a cell phone transmission, for example, is extremely difficult; worse, considering the number of phones left in taxis or otherwise lost, it is impossible to assume that a mobile device in use is actually in the hands of the rightful owner.

In recent years, a number of security breaches have been highly publicized. Facebook, PayPal, eBay and other high-profile sites have fallen prey to hackers. In early 2014, the infamous Heartbleed vulnerability was exposed, and users were strongly urged to change their passwords to protect their data. Even shopping at a brick-and-mortar store became problematic -- witness the massive data breach suffered by Target.

The Move to Eliminate Passwords

Because of these breaches, some in the industry urge the elimination of passwords. They claim passwords simply do not work; passwords have become obsolete, and security needs to evolve to a higher level. Different ideas have been bandied about as secure alternatives to passwords, including the use of biometrics, such as the user's voiceprint or fingerprint, to validate identity. Other options include more hoops for users to jump through, ranging from security questions to one-time passwords and authentication tokens.

The fact is that there are significant risks and implications when using human biometrics, such as fingerprints, for online authentication. Many would argue that these risks far outweigh their potential security benefits. While biometrics can be reliable as unique human identifiers, they are best in controlled environments and closed systems, none of which applies to the online world. As an example, we leave our fingerprints exposed to collection hundreds of times a day as we interact with objects in our work and home environments. This makes it all too easy for criminals to capture, digitize and use or sell our fingerprints if they ever become a mainstream authentication factor. The uniqueness and permanence that are most desirable for authentication will become their primary vulnerability and introduce an instant black market for fingerprint collection. In other words, fingerprints don’t make good secrets, and secrets are the basis for online security. Voice and facial recognition, for their part, bring reliability problems when used for online authentication.

Why Passwords Aren't Going Away 

From the very beginning of the computer age, passwords have been a primary method of securing access. They are the most affordable and widely adopted method of authentication in use, and this is unlikely to change any time soon. Most Internet users have accepted and become proficient with the use of passwords and PINs, and the fact that they can be changed over time is a major security benefit. There is no doubt that increased online service adoption has complicated password management, but it would be better to address this than to abandon the use of passwords altogether.

What the online world needs is the addition of a frictionless authentication factor that protects passwords and PINs from capture and exploitation, simplifies password use and management, and strengthens the security of online access.
