When the Heartbleed bug in OpenSSL was disclosed in April 2014, it leaked server memory that could contain user credentials, and the mass password resets that followed cast a light on how fragile password-based security is. Since then, or even before, IT departments have tightened password requirements for both administrators and end users. Some organizations now require passwords of 13 characters or more that must contain certain combinations of letters, numbers and symbols, and must be changed as often as every six weeks. These requirements have led frustrated users to reuse the same password across multiple accounts or to write it down and keep it in a supposedly safe place. The increased vigilance is causing behavior that leads to less secure systems and accounts. What is the answer? Bill Gates declared the password dead in 2004, but it is still very much alive in 2016. For this blog post I set out to find acceptable alternatives.
Two Factor Authentication
While two-factor authentication does not remove the need for a password, it does make an account harder to take over: an attacker who has the password still needs the second factor. Twitter and many other services offer it now, and it can be turned on in your account settings. With this system, you enter the standard password and then a separate six-digit code that is sent to your smartphone by text message, or generated by an authenticator app on the phone, at the time of login. The code is good for a single login and expires quickly, so a copy stolen by a phishing page or a shoulder surfer is of little use; a code sent by text message is the weaker form, since text messages can be intercepted or redirected by taking over the phone number. It is a step towards more secure accounts and systems.
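The six-digit codes that authenticator apps produce come from the standard TOTP algorithm (RFC 6238), which the post does not go into; a code sent by text message is simply a random number the server remembers. The following Go program is added here as an illustration and is not part of the original post. It shows both halves of app-based TOTP: the phone side computes a code from a shared secret and the clock, and the server side accepts each code only once, tolerating one 30-second step of clock drift. The secret is the constructed one from the RFC 4226 test vectors; a real enrolment generates a random secret and shows it to the user once as a base32 QR code.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp computes an RFC 4226 one-time password: HMAC-SHA1 over the
// big-endian counter, dynamic truncation to 31 bits, then the last
// `digits` decimal digits, zero-padded.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	s := fmt.Sprintf("%d", code%mod)
	for len(s) < digits {
		s = "0" + s
	}
	return s
}

// totp (RFC 6238) is hotp with the counter taken from the clock:
// the number of 30-second steps since the Unix epoch. This is what
// the authenticator app on the phone computes.
func totp(secret []byte, at time.Time) string {
	return hotp(secret, uint64(at.Unix()/30), 6)
}

// Verifier is the server side. It accepts the code for the current
// step and one step either side (clock drift), but never accepts a
// counter at or below the last one it accepted, so an intercepted
// code that is submitted a second time is rejected.
type Verifier struct {
	secret []byte
	last   int64 // highest accepted counter, -1 before the first login
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{secret: secret, last: -1}
}

func (v *Verifier) Verify(code string, at time.Time) bool {
	now := at.Unix() / 30
	for c := now - 1; c <= now+1; c++ {
		if c < 0 || c <= v.last {
			continue
		}
		want := hotp(v.secret, uint64(c), 6)
		// constant-time compare: a wrong code takes as long as a right one
		if hmac.Equal([]byte(want), []byte(code)) {
			v.last = c
			return true
		}
	}
	return false
}

func main() {
	// Constructed secret from the RFC 4226 test vectors, not a real key.
	secret := []byte("12345678901234567890")
	fmt.Println("code right now:", totp(secret, time.Now()))

	v := NewVerifier(secret)
	at := time.Unix(59, 0) // the RFC 6238 test time; code is 287082
	fmt.Println("first use:", v.Verify(totp(secret, at), at)) // true
	fmt.Println("replayed: ", v.Verify(totp(secret, at), at)) // false
}
```

The replay check matters more than it looks: without it, a code phished in the last minute can still be used once by the attacker, because the window accepts the previous step. Real servers also rate-limit attempts, since six digits leave only a million possibilities.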
Google takes two-factor authentication a step further with its Security Key, a small USB device that uses public key cryptography. When you register the key with a site, it creates a key pair for that site and hands over only the public key; at login the site sends a random challenge, you plug the device into the computer and touch it, and the device signs the challenge so the site can check the signature. Because the browser tells the device which site it is really talking to, a signature produced on a look-alike phishing site will not verify at the real one, which is something a six-digit code cannot promise. The same key works with Gmail and other Google apps, Dropbox, and other applications that support the FIDO U2F standard. Near field communication or low-power Bluetooth versions are coming to eliminate the physical connection.
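To see why a public-key device resists phishing in a way a six-digit code cannot, here is a small Go model of the registration-and-login exchange. It is added here as an illustration and is not Google's or the FIDO project's code; Token and Site are hypothetical names, the message formats are simplified, and the domain names are constructed. The essential properties of the real protocol are kept: the private key never leaves the device, each login signs a fresh challenge together with the origin the browser is actually on, and a counter lets the site detect a replayed response.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Token stands in for the USB key. At registration it makes a fresh
// P-256 key pair for this site; only the public key leaves the device.
type Token struct {
	priv    *ecdsa.PrivateKey
	counter uint32 // incremented on every signature
}

func NewToken() (*Token, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{priv: priv}, nil
}

// signedData is what both sides hash: the origin the browser is really
// talking to, the token's counter, and the site's fresh challenge.
func signedData(origin string, counter uint32, challenge []byte) []byte {
	appID := sha256.Sum256([]byte(origin))
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	h := sha256.New()
	h.Write(appID[:])
	h.Write(ctr[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is the "touch the key" step. The browser, not the web page,
// supplies origin, so a phishing page cannot claim to be the real site.
func (t *Token) Sign(origin string, challenge []byte) (uint32, []byte, error) {
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, signedData(origin, t.counter, challenge))
	return t.counter, sig, err
}

// Site is the relying party: it issues a random challenge per login and
// checks the signature against its own origin and the registered key.
type Site struct {
	origin      string
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

func (s *Site) Verify(challenge []byte, counter uint32, sig []byte) bool {
	if counter <= s.lastCounter { // replay, or a cloned token running behind
		return false
	}
	if !ecdsa.VerifyASN1(s.pub, signedData(s.origin, counter, challenge), sig) {
		return false
	}
	s.lastCounter = counter
	return true
}

// Scenario runs three logins and reports whether each was accepted: a
// genuine one, the same response replayed, and a response the user
// produced on a look-alike domain that the attacker relays to the real site.
func Scenario() (legit, replayed, phished bool, err error) {
	token, err := NewToken()
	if err != nil {
		return
	}
	site := &Site{origin: "https://accounts.example.com", pub: &token.priv.PublicKey}
	ch := make([]byte, 32)
	if _, err = rand.Read(ch); err != nil {
		return
	}
	ctr, sig, err := token.Sign(site.origin, ch)
	if err != nil {
		return
	}
	legit = site.Verify(ch, ctr, sig)
	replayed = site.Verify(ch, ctr, sig)

	// The attacker fetches a fresh challenge from the real site and relays
	// it, but the browser still tells the token the origin it is really on.
	if _, err = rand.Read(ch); err != nil {
		return
	}
	ctr2, sig2, err := token.Sign("https://accounts.examp1e.com", ch)
	if err != nil {
		return
	}
	phished = site.Verify(ch, ctr2, sig2)
	return
}

func main() {
	legit, replayed, phished, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %v  replayed: %v  phished: %v\n", legit, replayed, phished)
}
```

The phished response fails not because the attacker did anything detectable, but because the origin hashed into the signature is the one the victim's browser saw, and the real site hashes its own origin when verifying. A text-message code carries no such binding, which is why it can be relayed by a phishing page in real time.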
Apple and Samsung have added fingerprint readers to their newest smartphones and tablets. This takes the password out of everyday use by identifying you from your fingerprint: it is as easy as placing your finger or thumb on the sensor before unlocking your phone or apps, and it helps keep a lost or stolen smartphone secure. The password is not gone entirely, though. A passcode still has to be set as a fallback, and the phone demands it after a restart or after several failed fingerprint attempts; the fingerprint is a convenient way to unlock the protection that passcode provides.
The Myris from EyeLock is a portable iris scanner that lets you log in to websites and applications with a quick glance. Once you have enrolled an image of your iris through video capture, you simply look into the USB device to gain access to applications.
The Nymi band, now in development, is another way to authenticate users via biometrics. It is a bracelet that records your electrocardiogram, the electrical pattern of your heartbeat, and then uses that to identify you to systems such as computers, door locks, and retail terminals that would normally require a PIN or password. The software development kit is available now and the product is due out soon.
All of these are attempts to identify an individual by a unique pattern rather than by a password they carry around in their head (or wallet). One caveat applies to all of them: unlike a password, a fingerprint or iris pattern cannot be changed if the stored copy leaks, so the safer designs keep the pattern on the device and use it to unlock a secret held there, instead of sending the pattern itself to every site. The next logical step would be to present DNA, but I am not sure yet how that could be captured.
Bill Gates may have been premature in declaring the password dead, but I hope he is on the right track. I struggle to remember all of my logins and passwords, and I could use help. Have you found a reliable and safe alternative to passwords? Do you use or trust biometrics? Let me know your thoughts so that I can start using the password portion of my brain for better things.
Kelly Brown is an IT professional and assistant professor of practice for the UO Applied Information Management Master’s Degree Program. He writes about IT and business topics that keep him up at night.