Recently I have frequently come across discussions about passwordless authentication: is this myth finally becoming reality? We have been discussing and announcing the demise of passwords for at least 20 years.
Passwords can be replaced by biometrics, but also by hardware tokens (e.g. security keys), smartphones etc., together with authenticator apps, single sign-on, identity federation and so on.
Is this enough to get rid of passwords?
Well, passwords are very cheap to manage and very scalable, well known, used and abused; they can be forgotten, but they cannot break down or be physically lost or stolen. And most systems will still use passwords / PIN codes as backup.
Already today access to most personal devices (smartphones, tablets, laptops etc.) is passwordless, usually by biometrics, with a password as backup. But this is very local to each personal device and it seems difficult to scale it up to all systems and applications.
So where do we really stand on the way to “passwordlessness”? How and when will we get there?
A couple of interesting news items on authentication and passwords:
- Telepathwords is a (Microsoft Research) website which tests the passwords you type into it, to verify their strength by checking how likely the next character in the password is to appear in common words and password checking tools; at first sight the idea seems nice, but I wonder about the usefulness of writing your passwords on a public website: obviously any password tested on the website cannot be used, so this should be taken only as an exercise to learn how to create good passwords (moreover, I tested it with a pseudo-randomly generated password and the results were not completely clear to me)
- “Nymi Is A Heartwave-Sensing Wristband That Wants To Replace All Your Passwords & Keys”: it is a wristband that measures your unique (but I have no idea how “unique” it is) heartwave and, via Bluetooth, authenticates you to any (capable) device; it is the first time I have heard of this kind of biometrics and I suspect that it shares the good and bad points of all other biometric authentication approaches.
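
The next-character idea from the Telepathwords item above can be tried locally, without typing a password into any website. The following is an added example, not Telepathwords' code or algorithm: the word list is constructed, and the function names, the three-character context and the top-3 guess limit are assumptions made for the sketch.

```python
from collections import Counter, defaultdict

# Constructed stand-in for a list of common words and passwords.
COMMON = ["password", "passw0rd", "letmein", "welcome", "dragon",
          "monkey", "qwerty", "123456", "iloveyou", "sunshine"]
START = "^"   # pseudo-context used for the first character
MAX_CTX = 3   # longest run of preceding characters used as context


def build_model(words):
    """Map each context (1..MAX_CTX preceding chars) to next-char counts."""
    model = defaultdict(Counter)
    for w in words:
        w = w.lower()
        for i, ch in enumerate(w):
            if i == 0:
                model[START][ch] += 1
            for n in range(1, min(i, MAX_CTX) + 1):
                model[w[i - n:i]][ch] += 1
    return model


def guesses(prefix, model, k=3):
    """Top-k next characters for what has been typed so far."""
    if not prefix:
        return [c for c, _ in model[START].most_common(k)]
    for n in range(min(len(prefix), MAX_CTX), 0, -1):  # longest context first
        ctx = prefix[-n:]
        if ctx in model:
            return [c for c, _ in model[ctx].most_common(k)]
    return []  # context never seen: the model has no guess


def unpredicted(password, model, k=3):
    """Characters the model failed to guess; more of them is better."""
    pw = password.lower()
    return [pw[i] for i in range(len(pw))
            if pw[i] not in guesses(pw[:i], model, k)]


MODEL = build_model(COMMON)

if __name__ == "__main__":
    for candidate in ("password", "monkey42", "x7#Kq2!v"):  # constructed inputs
        missed = unpredicted(candidate, MODEL)
        print(f"{candidate!r}: {len(missed)}/{len(candidate)} characters not guessed")
```

A dictionary word is guessed almost entirely, a word with digits appended is guessed up to the suffix, and a random string is not guessed at all; with a realistic word list the same measure becomes correspondingly stricter.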