Authentication pushing password out to pasture

Summary: New forms and strategies for authentication changing the definition of logging on


The dawn of the password's demise is being hastened by advancements in authentication.

[Image] The Nymi wristband is an authentication device that identifies the user by their heartbeat.

With the Consumer Electronics Show as the latest piece of evidence, the password, defined as entering characters into a computer, is on the verge of being replaced by the broader concept of authentication, where identifying a user may involve multiple inputs such as biometrics or smart devices like wearable computers that know to whom they are attached.

It's a touch futurist, but recent bouts of spying and hacking are fostering a litany of questions from all angles about how to better protect data, resources and privacy.

Of course, the problem with passwords is that they are easily guessed, they are routinely re-used across sites, and they are stored all over the Internet by vendors who have lately proven they aren't very good at protecting these secrets from hackers.

Authentication is taking on new forms and strategies beyond passwords. A technique known as continuous authentication not only improves the initial validation of the user, but keeps validating them for as long as they are logged in, and can request additional authentication factors during the course of the session. This method calls for a stronger initial authentication and perhaps multiple ongoing authentications of varying strength.
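To make that session model concrete, here is an added illustration (not code from the article or from any vendor it mentions): a session whose assurance comes from the strongest recent factor, decays with age, and for each action either allows it, asks for a step-up factor, or forces a fresh login. The factor strengths, half-life and per-action levels are constructed values.

```python
from dataclasses import dataclass, field

# Assurance contributed by each factor when freshly verified (constructed
# values for this illustration; a real deployment would calibrate them).
FACTOR_STRENGTH = {"password": 1.0, "heartbeat": 2.0, "hardware_key": 3.0,
                   "behavior": 1.0}
# Assurance each action demands; below SESSION_FLOOR the session is dead.
REQUIRED = {"read": 1.0, "transfer": 3.0}
SESSION_FLOOR = 1.0
HALF_LIFE_S = 300.0  # an observation loses half its weight every 5 minutes


@dataclass
class Session:
    observations: list = field(default_factory=list)  # (time_s, factor)

    def verify(self, now_s: float, factor: str) -> None:
        """Record a successful check of `factor` at time `now_s`."""
        if factor not in FACTOR_STRENGTH:
            raise ValueError(f"unknown factor {factor!r}")
        self.observations.append((now_s, factor))

    def assurance(self, now_s: float) -> float:
        """Current assurance: the strongest observation, decayed by its age."""
        levels = [FACTOR_STRENGTH[f] * 0.5 ** ((now_s - t) / HALF_LIFE_S)
                  for t, f in self.observations if t <= now_s]
        return max(levels, default=0.0)

    def decide(self, now_s: float, action: str) -> str:
        level = self.assurance(now_s)
        if level < SESSION_FLOOR:
            return "reauthenticate"   # session expired: strong login again
        if level < REQUIRED[action]:
            return "step_up"          # ask for a stronger factor, keep session
        return "allow"


def demo() -> list:
    s = Session()
    s.verify(0, "password")
    s.verify(0, "hardware_key")       # strong initial login
    s.verify(300, "behavior")         # passive signal five minutes later
    return [s.decide(0, "transfer"), s.decide(300, "read"),
            s.decide(300, "transfer"), s.decide(600, "read")]


if __name__ == "__main__":
    print(demo())  # ['allow', 'allow', 'step_up', 'reauthenticate']
```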

"Authentication sounds like a yawn, right?" J.P. Gownder, vice president and principal analyst at Forrester Research, wrote in his Forbes blog. But he says it shows business value, especially with wearables that can authenticate a user. "Imagine doing away with wallets, house keys, passwords, and toll-booth devices. If Wearables 1.0 was about creating technologies, Wearables 2.0 is all about crafting rich business models."

Wearable computer ideas at CES included Bionym with its Nymi wristband, which touts a heartbeat authenticator for connecting the user to objects around them in an Internet of Things (IoT) scenario.

Devices introduced in 2013 also pushed the authentication envelope, such as InteraXon's Muse, an electroencephalograph (EEG) headband that records brainwaves and could be used to think-and-authenticate, and a technology developed by researchers at the Department of Electrical Engineering at Taiwan's National Chung Hsing University that uses ECG inputs to build encryption keys to protect data and images and to secure digital communication.

At CES, vendors also stepped up with devices designed to replace the password, including Yubico with its YubiKey NEO, a device that authenticates a user when it is tapped against Near Field Communication (NFC) enabled mobile phones and tablets.

Yubico has teamed with Google and is working within the nearly 18-month-old Fast ID Online (FIDO) Alliance to foster integration of authentication with client devices and laptop computers. FIDO was started by PayPal, Lenovo and Nok Nok Labs among others, and has been joined by Google, Microsoft, Discover Card and MasterCard.

Synaptics introduced a new fingerprint sensor division, and Myris showed off its EyeLock device, which authenticates a user by recording 240 points on a human iris. Both are working within FIDO.

Apple went full-tilt into authentication alternatives late last year with a patent award for facial recognition technology, a fingerprint reader on the iPhone 5s and a $345 million acquisition of 3D-sensor company PrimeSense.

Of course, for any of these authentication devices and methods to succeed there has to be an end-user adoption revolution that historically biometrics and other authentication fobs have failed to ignite. And products must perform beyond the confines of deep-carpeted conference show floors and lab walls while combining fashion, convenience, and security.

The fitness wearable market might provide fuel in the consumer market, but it is too early to tell. Events like CES and the Wearable Computing Conference on Jan. 30th in New York City are stirring awareness. The question is whether wearables can hit mainstream within industrial, corporate or manufacturing scenarios. The IoT explosion also will push passive authentication, which will allow Things to talk to other Things.

All these technological advancements are poised to bring authentication options out into the open and try to tag the password as authentication's failed 1.0 implementation.



John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.



  • The problem with all of the "new" methods is that

    1. they are clunky and hard to implement.
    2. severely vulnerable to theft (as all devices are).
    3. biometrics don't work (any sufficiently high resolution reproduction will work)

    The problem with continuous authentication is that it requires user tracking... And if you thought it was hard to have anonymous use, that completely kills it. You have to be tracked EVERYWHERE for it to work.

    It is also a problem... with false negatives - sprain a thumb, get a paper cut,... and your activity changes - causing a failure.
    • And...

      Yeah. The issue I also worry about is that fact that biometrics are essentially constant (notwithstanding your perfectly true points about sprained thumbs and whatnot). Once you've stolen someone's vein patterns or prints or whatever, which will just get easier and easier to do -- well, then that opens up a lot of attacks. Sure, that info can be convolved with some private key -- but then we're just back to passwords at that point...
    • @jessepollard .. I agree, for the most part

      I'm actually surprised Fontana didn't use the acronym: MFA even once. And since the whole article is essentially discussing the merits of "MFA" (which for the uninitiated, stands for Multi-Factor Authentication), seems a little odd.

      But I digress. On point, MFA may have the odd setback, as you allude to (with reference to a thumb being scarred, which will render a thumbprint scan useless), but for enterprises, MFA seems to be one of the only viable options left for the long-term security of corporate / enterprise systems.

      I mean, you really can't be that flippant about how important securing systems in a world where corporate espionage is a killer. MFA is possibly the only real, viable solution to anything else even remotely foreseeable.

      All told, it's one thing for you to criticize MFA, but unless you have better ideas, i hate to use cliches ... but if you're not part of the solution, you're really just part of the problem.

      So what do you suggest as alternative to MFA, wiseguy?
    • @jessepollard .. I subscribe to every clause

      "biometrics don't work" especially.
      +too weird for real life.
    • Biometrics...

      are usernames, not passwords.

      Personally, I like the look of Steve Gibson's SQRL authentication, it is simple, easy to implement and open - i.e. completely free to implement. And if your authentication information for one site is stolen, it can only ever affect that one site.
  • Another "never gonna happen" that we've been hearing for years...

    Like the death of Windows, the PC and Abe Vigoda, this nonsense keeps popping up every year or so.

    Eight years ago, we were all going to biometrics, but it simply didn't pan out. HP built readers into their laptops, only to find that they frustrated users to the point of madness.

    There have been pucks, retinal scanners and credential-drives... but not one has made significant inroads into the consumer market.
  • Getting everybody to agree on a standard is a problem.

    Various forms of authentication have been around for a long time. But getting everybody to use one of them - a problem.

    And it should be noted that "authentication" is actually a broad term, and the classical username/password combination is one form of authentication.

    "The fitness wearable market might provide fuel in the consumer market, but it is too early to tell. "

    IMO for fitness wearables to be a success *even* as fitness wearables - the price really needs to go down. Right now, they seem to be a pretty niche product only aimed at fitness buffs.

    I do want passwords to go away - they're a big blight on the state of security right now. An alternative is sorely needed.

    However, with nobody agreeing on a standard, and with wearables being expensive, I don't see it happening this year.

    I'd give a thumbs down to continuous authentication - too big of a privacy issue. Authentication is fine, but not continuously, please.
  • I hate these way too early predictions.

    It's sickening. It's tiresome. It's boring.

    Too many tech writers at ZDNet are way too quick with the predictions. Look at this headline:

    "Authentication pushing password out to pasture"

    That's what you write when it's a "fait accompli", when you're seeing about 60% plus of new phones with authentication as opposed to password use and plenty more on the way. Nothing's out to pasture or even looking at the pasture yet when it's still the predominantly overwhelming mode of operation with no new wave on the horizon heading toward you.

    When you see these silly predictions, it feels way too much like the writer didn't know what to write about today, so he or she just looked through the web to see what recent discussions have brought up in the last year in the world of IT and wrote an article about it and put a title on it to imply that the new wave has crested and it's about to hit shore....even when nothing like that has happened or is about to happen.

    You can make up all sorts of ludicrous headlines that way and sometimes they are so inspiring it's bound to be major click bait.

    Because in the IT world there are plenty of hating loonies to go around for enough hate for everything ever invented and anyone to do with the invention, no matter how popular over all, there is always something you can predict is going to die.

    Let's do all the negative and predictive headlines at once, get it over with and move on with some real and interesting stuff.

    Let's go:

    Steve Jobs was a monster, Steve Ballmer is an idiot, Bill Gates is a greed monger, Mark Zuckerberg is a spiteful conniver, Eric Schmidt wants to rule the world, Linus Torvalds is missing in action, Intel is finished, NVIDIA has lost their way, AMD is passé, Facebook is so last year, Apple has no rudder, Microsoft is dead meat, Google will be shredded by the government, Samsung will implode, ARM processors have lost the war, IBM is grasping at straws, Macs are through, Windows is history, Android is a sieve, iPhones are boring, tablets make good but overpriced shingles, I love you, you love me, we all hate everything.

    The end.
    • You forgot gaming!

      And consoles, gaming, as well as Windows Phone (unless that's included in Microsoft being "dead meat")...oh, and the bi-monthly revelations of Snowden's NSA leaks!
  • NYMI device as password replacement...

    The NYMI device IS a great, possible password replacement. I've actually had three doctors verify that the process that Bionym uses as their validation process is truly unique and valid. BUT, since Bionym does NOT interface with the Apple front end that accesses the 4-digit user access code in the iOS world, it's of NO VALUE as a password/unlock code replacement in that world.... Leaves a LOT of market un-touched and un-available....
  • As regards authentication process for mobile devices

    I prefer good old approach, but with more usability - such as 1Lay security token.

    Have you ever replaced your late model car key? Then you know it's HIGH COST.
    It will be even worse with wearable security. So who's gonna buy it?
    ONLY the rich few.
  • the CEO at a company rejected all of these for himself

    Though he thought it was ok for others... none of the execs got on board either. The only division to implement anything abandoned it after a year due to all the realities and administrative burden. Even though they lied all year about how great it was going after the year end review it was tossed like a hot potato.

    The year of the death of passwords will be like the year of desktop Linux and the year of the Unicorn.
    • ....the CEO at a company rejected all of these for himself

      @greywolf - Amen! There are two things wrong with passwords: users and websites.

      Users: Get a password manager like Roboform or LastPass & generate random passwords. Web sites: I've come across a few that only allow 8 character passwords. Instead, if websites enforced strong password length (minimum 16, preferably 32) with inclusion of special characters, these discussions wouldn't even be necessary.

      People are just too lazy to use appropriate passwords. They would rather blame someone else when their data is stolen and hacked.
  • It's never going to end.

    Offense vs. defense is a struggle as old as conflict itself. Tanks gave rise to bazookas, which gave rise to heavier armor on tanks, which gave rise to bigger bazookas, etc., ad infinitum.

    As security people figure out new forms of authentication, malicious hackers figure out ways around them. No authentication will ever be foolproof and no hacker will ever be able to hack into everything, as the constant spiral of authentication and hacker technologies winds ever onwards.

    And while businesses that wish to be proactive can easily adopt new defenses, casual home users are much slower to respond, due to the cost of hardware implementing the new authentication methods.

    I like the idea of two-factor, but I have no other need of a smartphone and I won't buy one just for that. Plus, I travel places that have internet but no cell service, so anything that works by sending a text message to a cell phone would leave me unable to authenticate during travel. I like the idea of a USB dongle for authentication, if it's cheap enough, but that can be stolen. (As can a cell phone used for 2-factor.)

    Nobody is going to guess my passwords because I don't use plain words. But if they hack into my bank and get my password that way, then they could get any biometric data or dongle data used for authentication the same way.

    But something that would go a long way toward improving security would be to redesign email protocols to make it impossible to spoof emails, since so many people fall victim to phishing emails that seem to come from their bank. Maybe it's impossible to make emails spoof-proof. But charging a nickel for every email sent would go a long ways toward reducing or eliminating spam, since effective spamming relies on sending out massive numbers of emails. I'd gladly pay a nickel each for emails I send as well as "free" email newsletters I choose to subscribe to, in order to cut the amount of spam I receive by 99%, or even 90%.