Forget the password. No, really! They're about to become obsolete

New web standards promise an end to remembering numbers and letters
With new web authentication standards on the way, users may soon be able to access email without having to remember a password. (Pixabay)

"1-2-3-4-5-6. P-a-s-s-w-o-r-d. Q-w-e-r-t-y."

Those are the three most popular passwords in use today, according to Wikipedia. And no wonder: coming up with a unique and strong password for every email, social media and online banking account is exhausting.

And then you've got to remember them!

So it's not surprising that smartphone makers like Apple and Samsung have come up with unique, biometric ways to unlock your phone and some of your apps, like your fingerprint or the shape of your face. Then you don't have to remember anything. (Unless your finger is wet or dirty, of course).

What if you could do that on the web as a whole? But how? Most computers don't have fingerprint scanners or the ability to capture a 3D scan of your cheekbones. And websites can't interpret that information, either.

Hence, passwords. Or perhaps their even goofier cousin, challenge questions.  Because it would be *so* hard to find out what someone's mother's maiden name is.

Often, that's all that lies between our personal and financial data and some hacker trying to access it. Because we transmit a password to the web, and the web server matches that password against a database it stores, that password can be, and often is, intercepted.

Enter the FIDO Alliance. It has nothing to do with the Canadian phone company; it's actually a group of people from companies like Google, Microsoft, Mozilla and Intel—along with dozens more—that have been working on a new form of authentication. If it comes into general use, we can ditch passwords forever.

"If we're going to get the industry off of the dependency on passwords, which is widely exploited and very expensive for everyone, we have to move to a totally new system," said Brett McDowell, the executive director of the FIDO Alliance. They're charged with designing and maintaining standards for internet encryption and authentication.

In the new FIDO standard, no passwords would be transmitted: your phone, or a USB dongle, or some other personal device would unlock the account, and essentially tell the website that it's safe to allow access.

This is done with a security key that is activated when you press the fingerprint scanner on your phone, touch a sensor on a USB stick, or scan your face in the way the latest iPhone does. It means you don't have to remember anything, and that there is no confidential information being sent that could be intercepted, McDowell said.
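The exchange described above can be modelled in a few lines. This is an added illustration, not code from the article or the FIDO Alliance: it is a simplified sketch that assumes an ECDSA P-256 key pair, and the function names and the https://mail.example origins are hypothetical.

```javascript
// Simplified model of a passwordless login (added example, not FIDO's own code).
const crypto = require('crypto');

// Enrollment: the device makes a key pair. Only the public key goes to the site.
function enroll() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return { device: { privateKey }, serverRecord: { publicKey } };
}

// Site: issue a fresh random challenge for every login attempt.
function newChallenge() {
  return crypto.randomBytes(32);
}

// Device: after the user touches the sensor, sign the challenge plus the
// origin of the site the browser is actually talking to.
function deviceSign(device, challenge, origin) {
  const msg = Buffer.concat([challenge, Buffer.from(origin, 'utf8')]);
  return crypto.sign('sha256', msg, device.privateKey);
}

// Site: check the signature against the challenge it issued and its own origin.
function serverVerify(serverRecord, issuedChallenge, ownOrigin, signature) {
  const msg = Buffer.concat([issuedChallenge, Buffer.from(ownOrigin, 'utf8')]);
  return crypto.verify('sha256', msg, serverRecord.publicKey, signature);
}

function demo() {
  const { device, serverRecord } = enroll();
  const site = 'https://mail.example';              // constructed sample origin
  const lookalike = 'https://mail-login.example';   // constructed sample origin

  const first = newChallenge();
  const sig = deviceSign(device, first, site);
  const later = newChallenge();
  const sigForLookalike = deviceSign(device, first, lookalike);

  return {
    validLogin: serverVerify(serverRecord, first, site, sig),
    // A captured response is useless against the next challenge.
    replayedLater: serverVerify(serverRecord, later, site, sig),
    // A response produced on a look-alike page does not verify at the real site.
    signedForLookalike: serverVerify(serverRecord, first, site, sigForLookalike),
  };
}
```

The site stores only a public key, so nothing in its database or on the wire lets someone else log in as the user.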


So imagine logging into your email account just by pushing a button on a USB stick you carry with you. You plug the USB—the security key—into the computer and unlock your email.

No remembering passwords, secret questions, or even getting a text message with a one-time code to type in. You access your account without tapping a single square on the keyboard.

Of course, having this kind of protection will be easier, and far quicker -- unless you lose your phone or security key USB dongle.

McDowell acknowledges this is a risk, but from a security standpoint, it's far less of a problem than transmitting passwords over the internet. And with the Internet of Things, it will be possible to use everything from your smartphone to your smart toaster to activate the security key. "If you have to steal my computer, or you have to steal my phone, to steal my security key in order to attack my account, that's a really good position to be in."

In any case, passwords are not going to vanish overnight. McDowell said there will certainly be a period where passwords and biometric security keys are both in use.

"We're not going to turn off the old authentication mechanisms right away."




 
