....it's the way passwords currently work that needs to change.
There's so much talk about getting rid of passwords, like this (very good) article by George Avetisov, and how everything has to be ‘frictionless’.
Of course, inconvenience and bad user experience leads to bad security practice, but what would a ‘password-less’ world actually be like? It’s certainly not a world I’d enjoy and here’s why…
There’s no doubt the way we currently use passwords, the something you know or ‘knowledge factor’, is broken.
However, imagine for a moment a world without something you know but no one else does.
Something you are, have or know are the foundation of authentication security: the ‘inherence’ factor (biometrics), the possession factor (tokens, phones or other physical devices) and the knowledge factor (passwords, PINs, photos etc).
Two Factor Authentication (2FA) or Three Factor Authentication (3FA) always combines factors of different types, not 2 passwords or 3 biometrics etc. And there’s a very good reason for this that all of us really need to understand for our own self-protection in the coming years.
Each type of authentication factor provides different types of protection to the person being authenticated and/or the service or system that person is authenticating to.
For example, I can choose to give my password or smartphone to someone else if I want them to log in for me for some reason. Much harder to do this with biometrics of course, so biometrics can provide a different type of protection... for the service I’m trying to access.
But what about self-protection of ME? Imagine if this ‘Utopia’ of a password-less world actually happens. How well protected will I be? And will I be able to protect myself OR will I be entirely dependent on someone else protecting me? (Hint: I’m not too keen on that second scenario!)
Sure, biometrics are great at ‘identifying’ someone – with or without their knowledge or consent. In fact, they can be invaluable (e.g. facial biometrics identifying a terrorist in a crowd at an airport). And they are certainly more ‘frictionless’, for quick authentication compared to entering a password or PIN. But if (when!) there’s a problem, it’s not easy to simply change your fingerprints or retina (and yes, modern biometrics attempt to mitigate this, but please read on).
Physical devices can be a very strong authentication factor – but they don’t actually enable ME to prove I did, or crucially, did not do something. They just prove that someone (me, a hacker, a thief, a law enforcement officer etc) had possession of that device.
It’s the knowledge factor that proves it was me – and crucially, in a way that puts and keeps me in control.
I can change my password or PIN anytime I like and as real-time biometric identification systems blanket the world in the next few years, the knowledge factor will be essential for self-protection against errors or misuse of these biometric systems.
And let's face it, we all know deep down this is going to happen!
The problem, therefore, is actually the way in which the knowledge factor currently works because:
- You actually have to tell someone your password (by entering it or speaking it over the phone) to prove you know it, which enables that person to impersonate you
- The password you submit is transmitted and compared to the encrypted (or not!) version stored in a database, which considerably increases the risk of theft and reuse by employees of the service or system you’re authenticating to.
The answer, therefore, is not to get rid of the knowledge factor altogether. It can be our greatest protection! The answer is to correct the way passwords are currently used. We need a Zero Knowledge Password Proof approach where I never tell anyone or anything what my password or PIN is, and it’s never stored anywhere either except in my own memory!
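To make the contrast concrete, here is an added illustration (not code from the post or from any product it mentions) of the two flows described above: the conventional "send the password, compare it with the stored hash" login, and a zero-knowledge proof of knowledge in which the client proves it knows a password-derived secret x without ever transmitting it and the server stores only a verifier V = g^x. The proof is the textbook Schnorr identification exchange (commitment, random challenge, response); the group parameters are generated on the fly from a seed and are deliberately small, and the names and sample passwords are all constructed for this example.

```python
import hashlib
import hmac
import random
import secrets

KDF_ROUNDS = 100_000   # PBKDF2 work factor; constructed value for the demo


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin primality test, sufficient for demo-sized parameters."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits: int = 128, seed: int = 7) -> tuple:
    """Public parameters (p, q, g) with p = 2q + 1 prime and g of prime order q.
    Seeded so the demo is reproducible; 128 bits is far too small for real use."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q, rng) and _is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1, q, 4   # 4 = 2^2 is a quadratic residue, so its order is q


P, Q, G = make_group()


def password_to_secret(password: str, salt: bytes) -> int:
    """Client-side KDF: the password becomes an exponent x that never leaves the client."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)
    return int.from_bytes(dk, "big") % Q


# --- Today's flow: the password itself is transmitted and compared -----------

def conventional_enroll(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)}


def conventional_login(record: dict, submitted_password: str) -> bool:
    """The server receives the password itself, so anything that can read this
    function's input (logs, an insider, a compromised host) can reuse it."""
    h = hashlib.pbkdf2_hmac("sha256", submitted_password.encode(), record["salt"], KDF_ROUNDS)
    return hmac.compare_digest(h, record["hash"])


# --- Zero-knowledge flow: Schnorr identification --------------------------------

def zk_enroll(password: str) -> dict:
    """Server stores only the salt and the verifier V = g^x; x is discarded."""
    salt = secrets.token_bytes(16)
    x = password_to_secret(password, salt)
    return {"salt": salt, "verifier": pow(G, x, P)}


def client_commit() -> tuple:
    """Message 1 (client -> server): fresh single-use commitment t = g^r."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)


def server_challenge() -> int:
    """Message 2 (server -> client): random non-zero challenge c."""
    return secrets.randbelow(Q - 1) + 1


def client_respond(x: int, r: int, c: int) -> int:
    """Message 3 (client -> server): s = r + c*x mod q.  r is uniform and used
    once, so s reveals nothing about x."""
    return (r + c * x) % Q


def server_verify(record: dict, t: int, c: int, s: int) -> bool:
    """Accept iff g^s == t * V^c (mod p).  The server never learns x."""
    if not 1 < t < P or not 0 <= s < Q:
        return False
    return pow(G, s, P) == (t * pow(record["verifier"], c, P)) % P


def zk_login(record: dict, password: str) -> bool:
    """Run the three-message exchange end to end; only t, c and s cross the wire."""
    x = password_to_secret(password, record["salt"])   # computed on the client only
    r, t = client_commit()                               # 1: t
    c = server_challenge()                               # 2: c
    s = client_respond(x, r, c)                          # 3: s
    return server_verify(record, t, c, s)
```

Two points worth noting about the design. First, with the zero-knowledge flow nothing that crosses the wire, and nothing the server stores, lets a service employee log in as the user: the stored verifier V proves nothing without x, which is exactly the property the post asks for. Second, a plain Schnorr proof over a password-derived exponent still lets whoever steals the verifier table guess weak passwords offline (compute g^guess and compare with V), which is why deployed password-proof protocols such as SRP and OPAQUE build further defences around this core idea; the example shows the principle, not a drop-in replacement.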
Then the knowledge factor can be the perfect complement to something we have and/or something we are for genuinely strong 2FA or 3FA to provide us all with something we must hold onto: self-protection.