Why passwords won't die next year (or the years after that)

Innovation will confine passwords within a broader equation around authentication type plus value of resource
Written by John Fontana, Contributor

$8.65 billion.

That is the estimated cost of converting the current U.S. credit card system to EMV chip-and-PIN -- roughly $27 per U.S. citizen.

What does that have to do with passwords? Killing the password won't come without its own hefty price tag for corporations and cloud service providers: back-end and front-end technology replacements and transitions, integration, maintenance, end-user training and support costs.

In the EMV world the costs are wrapped up in new point-of-sale (POS) terminals, ATM card-reader upgrades, and issuing new cards.

With authentication, the other important factor is liability: who pays when things go wrong, a question the credit card industry is answering next year.

These are transitions that take years not months.

Cloud providers like Google and Yahoo bristle at the potential support costs and user angst that would come if passwords were to die -- it's the virtual entry point to their services. The bigger the service, the greater the costs.

Corporations have millions of dollars sunk in identity and access management infrastructure. In many cases, authentication changes will be grafted onto technology such as single sign-on, which still requires a password.

Innovation won't seek to kill passwords, only contain them within a broader equation around authentication type plus value of resource (that is, you'll face more authentication challenges accessing your bank than your Flickr account).

For authentication changes, liability is the true sticking point just as it has been with EMV.

The reason merchants haven't plunged into card changes projected to reduce fraud by up to 40% is that merchants aren't on the hook for fraud.

So why the EMV conversion?

In October 2015 a shift in liability will go into effect, and for the first time merchants who do not have EMV-enabled POS readers will be liable for fraud, rather than Visa, MasterCard, Discover, American Express and their banking partners.

The statistic that broke the camel's back was $7.1 billion in fraud in 2013, a 29% increase over 2012.

A billion anything is a powerful motivator.

On the password side, the incentive to move to more sophisticated authentication options is already in play. How the Targets, Sonys and lawyers of the world resolve breach liability will weigh heavily on which strong authentication options reach the masses.

One major prediction I made in January is that the discussion around passwords will semantically shift to authentication. Access control will be defined by specific or combined forms of authentication applied at specific times to specific classes of devices, access and transactions.

We're talking everything from security questions to CAPTCHAs, passwords, biometrics, tokens, gestures, behaviors, and other innovations. Passwords will become authentication's failed 1.0 implementation.

Risk mitigation will define use cases, and liability will be offloaded, either to a single identity and access management cloud provider or across a number of services.

Privacy concerns also will influence these decisions, especially around techniques such as continuous authentication, which raises the tracking flag.

Passwords will be used to signal that you would like to access a service, much like lining up in front of a popular nightclub. But it will take another authentication credential (a government-issued ID in the night club example) or more to gain access authorization.

There will be a range of credential options, each mapped to a "level of assurance" that grades the authentication, such as in-person identity verification for Level of Assurance 4 credentials (the top of the NIST SP 800-63 scale).
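The policy sketched above, a password that signals who is asking, the value of the resource and the class of device setting the level of assurance required, and additional credentials grading the authentication up to that level, can be made concrete. The following Python is an added illustration written for this page, not code from the author or from any vendor mentioned; the four-level assurance scale, the strength assigned to each authenticator type, the resource classes and the unmanaged-device penalty are assumptions chosen for the example. It goes one step beyond the text by also computing which single additional authenticator would close the gap, which is what a step-up prompt needs to know.

```python
"""Risk-based step-up authentication: resource value and device class set the
required level of assurance (LOA); the presented authenticators are graded
against it. Added example for this page; every table below is an assumption."""
from dataclasses import dataclass
from enum import IntEnum


class LOA(IntEnum):
    """Assumed four-level scale, loosely following the article's LoA 1-4."""
    NONE = 0       # no usable claim of identity at all
    LOW = 1        # password only
    MEDIUM = 2     # password plus a second factor category
    HIGH = 3       # hardware-backed or biometric second factor
    VERY_HIGH = 4  # HIGH plus identity proofed in person (LoA 4)


# Factor category of each authenticator type (knowledge / possession / inherence).
FACTOR_CATEGORY = {
    "password": "knowledge",
    "security_question": "knowledge",
    "totp": "possession",
    "hardware_token": "possession",
    "fingerprint": "inherence",
    "iris": "inherence",
}

# Assumed assurance an authenticator contributes once a password identifies the user.
AUTHENTICATOR_STRENGTH = {
    "password": LOA.LOW,
    "security_question": LOA.LOW,   # second knowledge factor adds no new category
    "totp": LOA.MEDIUM,
    "hardware_token": LOA.HIGH,
    "fingerprint": LOA.HIGH,
    "iris": LOA.HIGH,
}

# Assumed resource classes: the "value of resource" half of the equation.
RESOURCE_REQUIRED_LOA = {
    "photo_sharing": LOA.LOW,
    "email": LOA.MEDIUM,
    "bank_view_balance": LOA.MEDIUM,
    "bank_wire_transfer": LOA.HIGH,
    "classified_facility": LOA.VERY_HIGH,
}

# Assumed device-class adjustment: an unmanaged device needs one level more.
DEVICE_PENALTY = {"managed": 0, "unmanaged": 1}


@dataclass
class Decision:
    allowed: bool
    achieved: LOA
    required: LOA
    step_up: list  # single extra authenticators that would satisfy the gap


def achieved_loa(authenticators, in_person_proofed=False):
    """Grade a set of presented authenticator types into an LOA."""
    authenticators = set(authenticators)
    if "password" not in authenticators:
        return LOA.NONE  # the password is the signal of who is asking
    categories = {FACTOR_CATEGORY[a] for a in authenticators}
    if len(categories) < 2:
        return LOA.LOW   # stacking knowledge factors does not raise assurance
    level = max(AUTHENTICATOR_STRENGTH[a] for a in authenticators)
    if in_person_proofed and level >= LOA.HIGH:
        return LOA.VERY_HIGH  # only proofing lifts a strong factor to LoA 4
    return min(level, LOA.HIGH)


def evaluate(resource, authenticators, device="managed", in_person_proofed=False):
    """Decide access for one resource/device/authenticator combination."""
    authenticators = set(authenticators)
    raw = int(RESOURCE_REQUIRED_LOA[resource]) + DEVICE_PENALTY[device]
    required = LOA(min(raw, int(LOA.VERY_HIGH)))
    achieved = achieved_loa(authenticators, in_person_proofed)
    step_up = []
    if achieved < required:
        # Which single additional authenticator would close the gap?
        for candidate in AUTHENTICATOR_STRENGTH:
            if candidate in authenticators:
                continue
            if achieved_loa(authenticators | {candidate}, in_person_proofed) >= required:
                step_up.append(candidate)
    return Decision(achieved >= required, achieved, required, step_up)


if __name__ == "__main__":
    # Constructed sample requests, not real sessions.
    print(evaluate("photo_sharing", {"password"}))
    print(evaluate("bank_wire_transfer", {"password", "totp"}))
    print(evaluate("email", {"password", "totp"}, device="unmanaged"))
    print(evaluate("classified_facility", {"password", "iris"}, in_person_proofed=True))
```

The same password gets a Flickr-class resource through on its own but is only the opening move for a wire transfer; the decision object carries the gap and the step-up options so the front end can ask for exactly the missing credential rather than failing closed.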

I know of one U.S. military installation that uses a neutral "pod" (accessed with a PIV card) that sits between two rooms. The pod has a built-in scale to check the person's weight (against a database, with a margin of error of plus or minus five pounds), followed by an iris scanner authentication. All this happens after the door to the pod is shut and before the door opens to the next room.

So don't look (or wait) for passwords to die, look at authentication as a whole, as a layer to be architected or inserted via a service provider. Think about use cases and combinations of authenticators.

Things at first may look a little more complex (especially as authentication is integrated with other risk-based tools/strategies), but innovation should eventually put most of that complexity in the background.

It's going to be a process. But given recent events, the alternative looks much worse and the costs much higher.
