Authentication pushing password out to pasture

New forms and strategies for authentication changing the definition of logging on
Written by John Fontana, Contributor

The dawn of the password's demise is being hastened by advancements in authentication.

The Nymi wristband is an authentication device that IDs the user by their heartbeat

With the Consumer Electronics Show as the latest piece of evidence, the term password, defined as entering characters into a computer, is on the verge of replacement by the concept of authentication, where identifying a user may involve multiple inputs such as biometrics or smart devices like wearable computers that know to whom they are attached.

It's a touch futurist, but recent bouts of spying and hacking are fostering a litany of questions from all angles about how to better protect data, resources and privacy.

Of course, the problem with passwords is they are easily guessed, they are routinely re-used across sites, and they are stored all over the Internet by vendors who of late have proven they aren't very good at protecting these secrets from hackers.

Authentication is taking on new forms and strategies beyond passwords. A technique known as continuous authentication not only improves the initial validation of the user, but continues to validate them while they are logged in, and can provide additional authentication factors during the course of the session. This method will call for a stronger initial authentication and perhaps multiple ongoing authentications of varying strength.

"Authentication sounds like a yawn, right?" J.P. Gownder, vice president and principal analyst at Forrester Research, wrote in his Forbes blog. But he says it shows business value, especially with wearables that can authenticate a user. "Imagine doing away with wallets, house keys, passwords, and toll-booth devices. If Wearables 1.0 was about creating technologies, Wearables 2.0 is all about crafting rich business models."

Wearable computer ideas at CES included Bionym with its Nymi wristband that touts a heartbeat authenticator for connecting the user to objects around them in an Internet of Things (IoT) scenario.

Devices introduced in 2013 also pushed the authentication envelope. They include InteraXon's Muse, an electroencephalograph (EEG) headband that records brainwaves and could be used to think-and-authenticate, and a technology developed by researchers at the Department of Electrical Engineering at Taiwan’s National Chung Hsing University that uses ECG inputs to build encryption keys to protect data and images, and secure digital communication.

At CES, vendors also stepped up with devices designed to replace the password, including Yubico with its YubiKey NEO, a device that authenticates a user when it is tapped against Near Field Communications (NFC) enabled mobile phones and tablets.

Yubico has teamed with Google and is working within the nearly 18-month-old Fast ID Online (FIDO) Alliance to foster integration of authentication with client devices and laptop computers. FIDO was started by PayPal, Lenovo and Nok Nok Labs among others, and has been joined by Google, Microsoft, Discover Card and MasterCard.

Synaptics introduced a new fingerprint sensor division, and Myris showed off its EyeLock device that authenticates a user by recording 240 points on a human iris. Both are working within FIDO.

Apple went full-tilt into authentication alternatives late last year with a patent award for facial recognition technology, a fingerprint reader on the iPhone 5s and a $345 million acquisition of 3D-sensor company PrimeSense.

Of course, for any of these authentication devices and methods to succeed there has to be an end-user adoption revolution that historically biometrics and other authentication fobs have failed to ignite. And products must perform beyond the confines of deep-carpeted conference show floors and lab walls while combining fashion, convenience, and security.

The fitness wearable market might provide fuel in the consumer market, but it is too early to tell. Events like CES and the Wearable Computing Conference on Jan. 30th in New York City are stirring awareness. The question is whether wearables can hit mainstream within industrial, corporate or manufacturing scenarios. The IoT explosion also will push passive authentication, which will allow Things to talk to other Things.

All these technological advancements are poised to bring authentication options out into the open and try to tag the password as authentication's failed 1.0 implementation.
