How is it that username-password security continues to cheat death – even when 60 percent of the internet thinks it's “cumbersome” and 77 percent want a better way to authenticate?
These are findings from a new Accenture report, which takes aim at the humble password and – once again – predicts its impending doom.
“The widespread practice of typing usernames and passwords to log on to the internet might soon become obsolete,” Accenture’s Internet and Social managing director Robin Murdoch said.
“Consumers are increasingly frustrated with these traditional methods because they are becoming less reliable for protecting their personal data such as email addresses, mobile phone numbers and purchasing history.”
Accenture is not the first to wish the death penalty on the password for its perceived insecurity sins.
But security researchers like Steve Wilson, principal analyst at Constellation Research, aren’t buying these latest death threats.
“People will say the password has been cheating death but that assumes the premise of the question that passwords were ever going to die,” Wilson told Information Age.
“I was at a cloud identity summit in 2013 and every other presentation was on the death of the password, but I looked around an audience of 600 identity specialists all on laptops and mobile phones, and every single one of them was using a password to log onto their device.
“Whenever somebody writes 'the password must die', I ask them the machine they wrote that blog on - how did they log onto their blog site? There's a level of hypocrisy, of overhyping.”
Accenture’s survey attempts to sound out respondents – of whom there were 24,000 globally – on perceived secure alternatives to the password.
Just under 60 percent of respondents say they’d like to authenticate via a “uniquely-coded chip” embedded in their phone or computer, or by using some form of biometric identifier.
However, Wilson notes that biometrics can’t replace passwords.
“In practice most consumer biometrics don't actually replace the password as such. It reduces your reliance on passwords,” he said.
“They push passwords aside but especially for low-velocity biometrics which you're not going to use all the time, through ageing or sensor damage or whatever, you're always going to get false negatives in a biometric where the sensors are not working.
“You absolutely need a password [backup] in those cases.”
Apple’s Touch ID fingerprint sensor on newer iOS devices is a case in point.
“Anybody who uses Touch ID knows that you need to have a four-digit backup password,” he said.
“In my case I use it almost every day. I probably turn on my phone 40-50 times a day and 45 times I use the fingerprint, but 3 of 4 times I need to use the passcode because for one reason or another it's not sensing my fingerprint at that instant.”
Because biometrics and passwords were likely to coexist, Wilson urged caution when it came to pushing for more widespread take-up of biometrics.
“The widespread adoption of biometrics needs to be treated with caution because your backup, your fallback mechanism is always going to be the point of attack,” he said.
However, there are a number of initiatives underway to produce authentication methods that would lessen reliance on the password.
Wilson cites YubiKey – a USB device that uses an open authentication standard hosted by the FIDO (Fast IDentity Online) Alliance. (Time Magazine and the Center for Democracy and Technology have previously predicted the password’s death at the hands of FIDO.)
Microsoft is proposing password-less login to its Windows 10 operating system using a biometric system called Hello, which takes face, fingerprint or eye as identifiers. However, it is unknown whether it will use passwords as a backup or override login mechanism.
More futuristically, researchers in New York believe that analysing brainwave patterns could be a unique way to log into systems.