We're killing off passwords. But are we ready for what will replace them?

Getting rid of passwords is a good idea, but we need to think through the consequences of the most likely replacement, too.
Written by Steve Ranger, Global News Director

Tech security people hate passwords because resetting forgotten passwords is the most tedious job in the world, and also they know everybody else is terrible at password security anyway.

The rest of us don't like passwords much either, mainly because the security people won't let us use our old favourites like 1234 or pa55w0rd. And we don't like having to remember complicated passwords, so we write them down on a piece of paper, and then lose it. And then we have to go and ask nicely for tech to reset the password. Again.

Nobody likes passwords. Apart from the hackers who find them, steal them or crack them with ease, that is. That's because passwords are still the keys to the kingdom in many cases; once a crook has them, there is often little else to stop them from doing what they want.

Insecure, annoying, expensive -- passwords would have been abandoned long ago, except that the fundamental concept is easy to implement and easy to understand. But the end of the password is finally coming into view.

Most applications now offer some kind of two-factor authentication. The idea is that something you know, like a password, plus something you have, like a code generated by an authentication app on your smartphone (or, less securely, a code sent to you by text message), is better than a password alone. That's a positive step, and it should help reduce the most basic (though highly effective) security breaches, which often start with people being tricked out of their passwords by phishing emails.

So what about the next step? Here smartphones are well ahead of the PC world, by using biometrics -- fingerprints and facial recognition -- as the standard way to log on. Something you have is replaced with something you are.

Tapping a digit on a fingerprint reader is much quicker than typing in a passcode, and raising a phone to your face to look at the screen, which also unlocks the device, is a totally natural motion. Expect this to be the way you access your PC and other devices in the future, too.

Microsoft has already outlined how it plans to kill off passwords in Windows 10 using a combination of multi-factor authentication and biometrics via Windows Hello, a service it says is being used by more than 47 million people.

Earlier this year one UK bank said it was planning to trial allowing customers to access their accounts using their face or fingerprints via Windows Hello, and just this month the National Cyber Security Centre, the UK's cyber security agency, updated its guidance to say that government organisations should use Windows Hello for Business as part of their Windows 10 deployments.

All of this is no doubt good from a security point of view, and the use of the technology has been sensible, with biometrics being stored securely and locally on the device rather than centrally. Fears about biometrics being stolen are probably a bit overhyped, but large databases of biometrics would pose a genuine security risk.

But I'm also wondering whether there will be a backlash at some point from users who are uncomfortable with making their physical bodies part of the authentication process.

I already feel a little nervous staring at my smartphone and hoping that it will recognise my face. Perhaps that's because I'm not sure what it means if my phone decides I am not me, and the slightly queasy doubt it surfaces: who gets to choose who I am?

There is also a danger that we make biometrics like our face or our fingerprints a standard form of identity without thinking about the consequences. Currently, few would be willing to see face or fingerprint become the standard way of accessing government services, for example. And those aren't the only biometrics we could use; what about your iris or your heartbeat or your voice or your DNA? What does it mean to swap something private, like a passport, for something public, like your face?

For example, in the US you can't be forced to hand over a passcode for your smartphone because that's considered self-incrimination, but you could be asked to unlock your phone with a fingerprint or by looking at it. Where do we draw these lines?

Before we make the move to biometrics and wave passwords goodbye, we need to have some good answers to these tough questions. Increasing security is good, but understanding the consequences is important, too.

ZDNet's Monday Morning Opener

The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet's global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.
