Having trouble remembering your password? How’d you like to forget it once and for all?
With so many password thefts recently—not to mention those who fall victim to their own password carelessness—organizations are moving to systems that use single-use temporary passwords or tokens instead.
“Authentication is serious business,” writes Jamie Talbot of Medium, which recently switched to such a system. “We wanted to make our sign-in process as secure and simple to use as possible, across all platforms. Passwords are neither secure nor simple. They’re hard to remember or easy to guess, everyone re-uses them (even though they know they shouldn’t), and they’re a pain to type on mobile. They don’t even keep you that safe.”
Passwords are inordinately vulnerable, agrees David Nield in ReadWrite. “They can be ‘brute-forced’ through trial and error, teased out of you with a cleverly worded email or IM message, applied to access numerous accounts—thanks to our insistence on using the same ones over and over—and easily leaked out onto the Web.”
Let’s face it: The two most popular passwords of last year were “123456” and—wait for it—“password.”
Some organizations enforce rules about password length, require numbers or special characters, and force users to change passwords frequently. The problem is that such passwords become so hard to remember that users write them down, and so hard to come up with that users reuse the same one across different systems. And those passwords are still vulnerable to a brute-force attack. “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess,” writes Randall Munroe in the geek comic strip XKCD.
Okay, not everyone picks lousy passwords, Talbot concedes, in another piece called “Why Passwords Suck.” “Some people use 1Password and generate a 50-character random password for each site, and never re-use passwords, and never copy-paste them anywhere for friends, and never write them down on a Post-It note,” he writes. “Those people are probably safe with passwords. Are you one of those people? You should be one of these people. In the real world, people are not paranoid enough to do this.”
To help users avoid all the complications around passwords, whenever you want to sign into Medium now, the organization can send you an email message with a one-time sign-in link. “If you’ve ever used a ‘forgot password’ feature, it works a lot like that, except you don’t have to forget a password to use it,” Talbot explains.
While people may be concerned that an email link is less secure, that’s actually not the case, Talbot writes. “On most services, if someone guesses or cracks your password, they gain access to your account until you change your password, which might not be for a long time,” he notes. With an email-only system:
- You’re automatically notified when someone tries to sign in.
- The sign-in link expires after 15 minutes.
- The sign-in link can only be used once.
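The three properties above (notification on every attempt, a 15-minute lifetime, and single use) are what make a one-time sign-in link safer than a long-lived password. The following is an added example, not Medium’s code, showing how a minimal link issuer can enforce all three. It assumes an in-memory store and an injectable clock (`now`) so the expiry can be exercised offline; in a real deployment the store would be a database and the notification would be an actual email.

```python
import hashlib
import secrets
import time

# Lifetime of a sign-in link, matching the 15 minutes described on the page.
LINK_TTL_SECONDS = 15 * 60


class MagicLinkStore:
    """Issues and redeems one-time, time-limited sign-in tokens.

    Hypothetical helper for illustration. Only a SHA-256 hash of each token
    is kept server-side, so a leaked table cannot be turned into usable links.
    """

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock for deterministic tests
        self._pending = {}              # token_hash -> (email, expires_at)
        self.notifications = []         # constructed stand-in for outbound email

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        """Create a fresh token for `email` and record the attempt.

        Every sign-in request produces a notification, so the account owner
        learns about attempts they did not make.
        """
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, URL safe
        expires_at = self._now() + LINK_TTL_SECONDS
        self._pending[self._hash(token)] = (email, expires_at)
        self.notifications.append(
            (email, "Sign-in link requested; it expires in 15 minutes.")
        )
        return token                        # raw token goes only into the emailed link

    def redeem(self, token: str):
        """Return the email for a valid token, or None if unknown, used, or expired.

        pop() removes the entry on first use, which enforces single use even if
        the same link is clicked twice.
        """
        entry = self._pending.pop(self._hash(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None
        return email


def sign_in_url(base_url: str, token: str) -> str:
    """Build the link that would be emailed; base_url is a placeholder."""
    return f"{base_url.rstrip('/')}/signin?token={token}"


if __name__ == "__main__":
    store = MagicLinkStore()
    tok = store.issue("alice@example.com")      # constructed sample address
    print(sign_in_url("https://example.invalid", tok))
    print("first redeem :", store.redeem(tok))
    print("second redeem:", store.redeem(tok))  # None: link already consumed
```

Hashing the stored token is the detail most often skipped in homegrown versions: it costs one line and means a database read or backup leak does not hand out working sign-in links.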
Yahoo! Mail began offering a similar system earlier this year that sends a token to a user’s smartphone to gain access to email. “The process is similar to ‘two-step verification’ security models already used by other businesses, which requires you to enter a fixed password first, followed by another code sent to you by the company via text message,” writes Kerri Anne Renzulli in Money. “Yahoo’s system skips that whole first step.”
Other organizations are moving to biometric solutions such as fingerprint, facial, and iris scanners. Windows 10, for example, is expected to include a biometric feature called Windows Hello. The recent Samsung Galaxy S5 phone includes a fingerprint scanner that provides entry to PayPal, using the fingerprint and the phone as a sort of two-step authentication.
“You’re not just using your fingerprint to log in, but a combination of the right fingerprint and the right phone,” writes Russell Brandom in The Verge. “You’ve always got a finger and a phone, so logging in isn’t a problem, but the combination makes the security much, much harder to break. Either one can be duped individually (your phone could be stolen, your fingerprint could be copied), but duping both at once would be incredibly difficult.”
On the other hand—no pun intended—biometric systems have their own issues. For example, did you know we lose our fingerprints as we age? In addition, courts have ruled that law enforcement has the right to compel someone to give up their fingerprint when it’s used for security on their phone. There’s even talk of a “password pill” that you’d need to swallow each day, or a “password tattoo” that you’d wear on your hand.
Hmm. Maybe remembering passwords isn’t so bad after all?
Simplicity 2.0 is where we examine the intricate and transitory world of technology—through a Laserfiche lens. By keeping an eye on larger trends, we aim to make software that’s relevant to modern day workers, rather than build technology for technology’s sake.