Just when hope and Mat Honan had the password a few nails short of a closed coffin, we get this word from Eve Maler, who has an impressive resume as a big thinker in the identity community and is now at Forrester Research: "I don't buy the whole 'the era of passwords is over' thing."
Since I know Maler to be fair, level-headed, and thorough, it's worth stopping to listen.
"I can't see a future where static shared secrets don't form a part of authentication strategy," she told me. "It's a rare multi-factor authentication strategy that doesn't include a password or PIN somewhere along the line as one of the 'things you know,'" she said in her latest blog.
It's not that Maler is willing to settle for what is proving to be a vulnerable computing legacy incapable of standing up to current hacker tools. Or that she thinks the decade-long popularity of 12345 proves its worth as a secure password.
It's because she realizes that passwords, which currently live in a pitchfork-and-torch world, do have some very appealing qualities that have nothing to do with getting hacked.
She wrote in her blog: "Passwords are too useful to go away entirely, both because it's handy to be able to synchronize authenticator data between cooperating systems (and people), and because people find using passwords to be less invasive, fiddly, or personally identifying than a lot of other options."
The fact that "invasive" and "personally identifying" are important concepts in the privacy community lends credence to Maler's argument.
Maler says IT has gotten away from authentication common sense, and that she welcomes this growing discussion around passwords because it fosters new ideas for IT to explore.
"If you look at passwords broadly, make sure you are not depending on them further than you can throw them," she said. "Or if you do depend on them, start to build in ways to routinely rotate them and make sure the rules you have for their 'un-guessability' and 'uncrackability' make sense [for end-users]."
Maler is starting to hear that companies that have deployed two-factor authentication are beginning to take long looks at adding a federation project to the mix.
"We'll probably see more federation as a result of relying on passwords less and moving to additional things in the authentication chain. Not necessarily replacing passwords, but adding to them," she said.
Back to level-headed and thorough, Maler isn't just telling the world to "buck up."
She's put out three suggestions to start 2013, and perhaps they will become a sort of support-group meme until log-ins (authentication) and access control (authorization) can get to a better place.
Here are her suggestions (if you want the full explanation, visit her blog):
- Don't depend on passwords alone for sensitive operations. Leverage risk-based authentication to put multiple authentication factors into play in a way that inconveniences your users as little as possible.
- Stop forcing users to thread the needle of your password policies. Password policies are well intentioned, but often misguided.
- Consider "push" models for refreshing user passwords. People really, really hate changing passwords. That's because we've put the onus on them to do all the work.
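To make the first suggestion concrete, here is an added example (not code from Maler's blog or from this article) of the kind of risk-based step-up decision she describes: the password is still checked, but whether a second factor is demanded depends on the context of the login, so routine users are left alone and only unusual or sensitive requests pay the extra friction. The signals, weights and thresholds below are constructed for illustration and would be tuned against real login telemetry.

```python
"""Risk-based step-up authentication decision (illustrative example).

The password has already been verified when decide() runs; this code only
decides what else, if anything, is asked of the user. Signals, weights and
thresholds are constructed for this example, not taken from any product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginContext:
    user: str
    known_device: bool              # device previously bound to this account
    country: str                    # geo-IP country of the request
    usual_countries: frozenset      # countries seen in the account's history
    failed_attempts_last_hour: int  # recent failures against this account
    sensitive_operation: bool       # e.g. changing recovery e-mail or payout details


# Constructed weights: each signal adds risk. A real deployment tunes these.
WEIGHT_NEW_DEVICE = 30
WEIGHT_UNUSUAL_COUNTRY = 30
WEIGHT_PER_FAILED_ATTEMPT = 10
MAX_COUNTED_FAILURES = 5        # cap so a lockout-style flood saturates, not overflows
STEP_UP_THRESHOLD = 30
DENY_THRESHOLD = 80


def risk_score(ctx: LoginContext) -> int:
    """Sum the risk signals into a score in the range 0..110."""
    score = 0
    if not ctx.known_device:
        score += WEIGHT_NEW_DEVICE
    if ctx.country not in ctx.usual_countries:
        score += WEIGHT_UNUSUAL_COUNTRY
    failures = min(ctx.failed_attempts_last_hour, MAX_COUNTED_FAILURES)
    score += failures * WEIGHT_PER_FAILED_ATTEMPT
    return score


def decide(ctx: LoginContext) -> str:
    """Return 'allow', 'step_up' (require a second factor) or 'deny'."""
    score = risk_score(ctx)
    if score >= DENY_THRESHOLD:
        # Several bad signals at once: treat as an attack, not an inconvenienced user.
        return "deny"
    if ctx.sensitive_operation or score >= STEP_UP_THRESHOLD:
        # Never rely on the password alone for sensitive actions or unfamiliar context.
        return "step_up"
    # Routine login from a familiar context: the password is enough.
    return "allow"


# Constructed sample logins for a quick demonstration.
SAMPLE_LOGINS = [
    LoginContext("alice", True, "US", frozenset({"US"}), 0, False),
    LoginContext("alice", True, "US", frozenset({"US"}), 0, True),
    LoginContext("bob", False, "US", frozenset({"US"}), 0, False),
    LoginContext("bob", False, "RO", frozenset({"US"}), 3, False),
]


def decide_all(contexts=SAMPLE_LOGINS) -> list:
    """Decisions for a batch of login contexts, in order."""
    return [decide(ctx) for ctx in contexts]


if __name__ == "__main__":
    for ctx, outcome in zip(SAMPLE_LOGINS, decide_all()):
        print(f"{ctx.user:6} score={risk_score(ctx):3} -> {outcome}")
```

The design point is the one Maler makes in the quote above: the second factor is added to the password rather than replacing it, and the policy decides when that addition is worth the user's time. Denying outright at a high score also keeps a credential-stuffing run from turning the step-up prompt into a stream of push notifications to the real owner.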