
The Current State Of Authentication: We Have A Password Problem

We have a lot of passwords to remember, and it’s becoming a problem. Authentication is clearly important, but there are many ways to reliably authenticate users – not just passwords. Passwords are written off as inconvenient but unavoidable; even if that was true a few years ago, it’s not true today. Thanks to a combination of sensors, encryption and seasoned technology users, authentication is taking on new (and exciting) forms.

Most other interaction patterns have been updated over time, but no one wants to mess with password authentication. It’s too serious. Or there’s too much liability. You know, like if you don’t clear the password input after someone types the wrong password, their credit card information is at risk.


I’m here to tell you it’s OK to rethink common password habits, and it’s acceptable to use common sense and due diligence to create usable, secure and error-free authentication – passwords or otherwise.

The Root Of The Problem

Password authentication doesn’t scale well. The more services we use, the more passwords we’re forced to remember. In the name of security, SaaS applications, social networks and other services enforce strict password rules that prevent honest people from signing in. Username/password authentication is apparently so effective that it’s a serious barrier to product and service use.

It’s not the passwords themselves; the problem is the scale at which people have to manage and remember usernames and passwords. It’s too much.

We don’t want to make our products less secure by relaxing our password standards, so what are our real options to safely and securely authenticate people and protect their sensitive information? There are a handful of ways today, and there are more coming. There are even things we can do to make traditional password authentication frictionless and user-friendly. Here are the options we realistically have today.

  • Traditional username/password
  • Passphrase
  • Two-factor
  • Social sign-in
  • Passwordless
  • Biometric
  • Connected device

I’ll rate each method based on a few key factors:

  • Implementation: how easy it is to set up and support
  • Security: how hard it is for the wrong person to authenticate
  • Usability: how easy it is for the right person to authenticate

In the spirit of rethinking obsolete password patterns, I’ll rate them in password strength meter terms (that is, vague descriptors with no stated reasoning).

Traditional Username/Password

  • Implementation: strong
  • Security: weak
  • Usability: weak

I’ll be honest. I have issues with the traditional username and password model. In a perfect world, I’d eliminate passwords altogether. However, in the real world, I use this method on 99% of the projects I work on.

Why? It’s important to remember that username/password authentication is the most understood authentication pattern, and it will feel the most trustworthy for a lot of people. There is a lot we can do better from a usability perspective, though. We can make it easier to create and recall passwords, and we can make signing in faster and less confusing.

Password recollection is mainly why I rated both security and usability as weak. It’s hard to create a secure password in the first place, and it’s hard to remember and use passwords after we’ve created them. Because of that, people create passwords that are too easy to guess, and then security is compromised. Ironically, the more security we impose, the less secure password authentication becomes.

Our industry needs to embrace a modern password authentication pattern. Mostly, we need to think realistically about security and about what best practices should be today. We can take advantage of technologies that didn’t exist when password patterns were formed, so we should do so in the name of user experience. By throwing away old password security assumptions and building new ideas on real data and modern use cases, there are many obvious improvements we can make to traditional password authentication. Here are just a few.

Limit or Eliminate Password Rules

A capital letter, lowercase letter, a number, and a symbol force people to create service-specific passwords.

[Figure: GoDaddy’s website6]

In the US and UK, 73% of adults use the same password for everything8. If that password doesn’t fit your service’s password rules, the account holder makes a unique password that they’ll promptly forget. Eliminating password rules will instantly increase password recollection and improve usability.

Why do we impose complex password rules in the first place? There are studies that show a long passphrase is more effective than a password with different types of characters, but I’ll get into passphrases later in the article.

Use Password Rule Reminders

If you must use password rules, remind the user of your specific rules when they enter an incorrect password. If you require a capital letter and a symbol, the person signing in should know that as they try to remember their password. This is insanely helpful for users who have to remember a million passwords, and it’s only mildly less secure: an attacker can learn the password rules anyway by creating their own account.

[Figure: BrowserStack’s website9]

This faux security pattern has been killing me for years, because although I keep better track of my passwords than most, I still forget them! Adding these reminders to a sign-in form is an easy way to greatly improve usability and increase sign-in success rates.

Show Password Typing with the Option to Hide It

This is pretty common for mobile devices, but we should do it everywhere (yes, including desktops). If someone is on a screenshare or giving a demonstration, they can hide their typing before entering their password. They’re the minority. Everyone else should be given the respect of seeing what they’re typing as they type it. These tweets about Yahoo’s and Sprint’s successes with this pattern11 should be proof enough that we don’t need to mask passwords anymore.

[Figure: Luke Wroblewski’s password hints12]

Luke Wroblewski gives an excellent overview of the thinking behind showing passwords14 and different ways to implement this pattern. Everything he describes is based around the idea that masking passwords is an outdated practice.

Be Specific with Error Messages

Tell your customer whether their username isn’t found or their password is wrong. (This has privacy risks, but unauthorized parties can usually get this information in other ways, like attempting to sign up.) At the very least, tell them if they entered a username, but you expected an email. People have multiple email addresses, usernames and passwords. Help them narrow it down a little.

If security is such an issue that you can’t let people know they’re trying the wrong email address, consider two-factor authentication instead.

Passphrases

  • Implementation: strong
  • Security: good
  • Usability: good

To take traditional username/password authentication a step further without introducing new use patterns or shaking up the status quo, consider passphrases instead of passwords. Passphrases are more secure than passwords, and they’re easier to remember. This has been written about for more than a decade (Passwords vs. Pass Phrases15 in 2005 through Why Passphrases Are More User-Friendly Than Passwords16 in 2015). The key that makes passphrases better for both security and usability is that people are much more likely to recall a phrase containing normal, human-readable words than a cryptic password. Therefore, we don’t need to write our passwords down, and we don’t need to use the same password for everything in order to remember it.

[Figure: Simple’s website17]

The widely held belief is that capitalization, numbers and special characters make automated password guessing harder, but it turns out it’s actually harder for a computer to guess a series of random (or seemingly random) words strung together to form one long phrase.

Need proof? Zxcvbn19 is a hackweek project from Dropbox that measures password strength. Other sites can use zxcvbn as an open-source password strength meter, but Dropbox’s article on the project has some excellent stats and information about the true strength of different passwords. Read it for yourself, but essentially, “Tr0ub4dour&3” is much less secure than “correcthorsebatterystaple”. Test it out here20.

To use passphrases, we only need to suggest the passphrase idea to the user and eliminate password rules. People who want to use traditional passwords can do so if they please, but most people will try a phrase over a purposely unreadable password. It’s a good idea for usability either way.
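To put numbers on the comparison above, here is an added example (not code from the article, and not Dropbox’s zxcvbn) that computes how many bits of guessing resistance a randomly generated passphrase has next to a randomly generated character-class password, and that suggests a passphrase the sign-up form could offer. The tiny wordlist is constructed for the demo, and the 7,776-word list size is an assumption matching the standard Diceware list. The arithmetic only holds when the words are picked by the generator, not by the user; a human-chosen string like “Tr0ub4dour&3” gets none of this credit, which is exactly the gap zxcvbn exists to measure.

```python
import math
import secrets

# Constructed wordlist for the demo only; a real generator would use a
# published list such as the 7,776-word Diceware list.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "orange", "river",
    "pencil", "window", "cloud", "marble", "velvet", "harbor",
]
DICEWARE_LIST_SIZE = 7776  # assumption: size of the standard Diceware list

# Alphabet sizes behind the usual "one of each" password rules
CHARACTER_CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly at random from `alphabet_size` choices.

    This measures secrets produced by a random generator. A human-chosen
    string is far weaker than its character classes suggest, because
    substitutions such as 0-for-o are the first thing a guesser tries.
    """
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_count: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Bits for `word_count` words picked at random from a list of `list_size` words."""
    return entropy_bits(list_size, word_count)


def password_entropy_bits(length: int, classes=("lower", "upper", "digit", "symbol")) -> float:
    """Bits for `length` characters picked at random from the union of `classes`."""
    alphabet = sum(CHARACTER_CLASSES[c] for c in classes)
    return entropy_bits(alphabet, length)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of random words that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def suggest_passphrase(word_count: int = 4, words=SAMPLE_WORDS, separator: str = " ") -> str:
    """Suggest a passphrase the sign-up form can offer instead of imposing rules.

    secrets.choice draws from the OS CSPRNG; random.choice must not be used here.
    """
    return separator.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    print(f"4 random Diceware words : {passphrase_entropy_bits(4):.1f} bits")
    print(f"8 random mixed chars    : {password_entropy_bits(8):.1f} bits")
    print(f"words needed for 64 bits: {words_needed(64)}")
    print("suggested passphrase    :", suggest_passphrase())
```

Four random words come out within a bit of an eight-character password drawn from all four character classes (roughly 52 bits each), and a fifth word pushes the phrase past 64 bits; the phrase is the one a person can actually remember.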

Simple21, the design- and tech-friendly online banking company, was my first experience with passphrases, and they’re kind of delightful. My passphrase is simple to remember and simple to type – especially on a mobile phone.

Two-Factor Authentication

  • Implementation: weak
  • Security: strong
  • Usability: good

Two-factor authentication (2FA) is another extension of traditional password authentication, but after a username/password combination is verified, a unique code or URL is either emailed or texted to the person trying to sign in. They get authenticated by proving they have the unique code. This verifies access across multiple services, and it also alerts the account holder of malicious attempts to access their account.

[Figure: Google Inbox web app]

Google provides an option for two-factor authentication in all (or almost all) of their services. In the case of Gmail or Inbox by Gmail, a unique code is texted. Other services send the code or link to an email address, which achieves the same goal.

Use two-factor authentication only where it makes sense – as you can imagine, 2FA can really annoy a person whose phone is upstairs or who’s not already signed into their email. If abused, 2FA is enough to make people abandon your service. Google handles authentication well. It uses a “trust this device for 30 days” feature. They also make 2FA an option and heavily encourage it, but they don’t force people to use it.

Another benefit of two-factor authentication is that we don’t need password rules because we’re not relying on the password as the only point of security. So, again, the password part can be more user-friendly than we’re used to.
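Google’s “trust this device for 30 days” option is, in its simplest form, a signed cookie that lets the server skip the second factor for a device it has already seen. The added example below is not Google’s implementation and is not from the article: it signs a small payload (user id, random device id, absolute expiry) with an HMAC under a server-side key, verifies the signature before trusting anything the client sent, and lets the user revoke a device. The key, the cookie layout and the 30-day lifetime are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

TRUST_DAYS = 30   # the "trust this device for 30 days" window


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class DeviceTrust:
    """Stateless 'remember this device' cookie of the form payload.signature (base64url).

    `server_key` must be a long random secret kept only on the server; `clock`
    is injectable so expiry can be tested without waiting 30 days.
    """

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key
        self._clock = clock
        self._revoked: set[str] = set()   # device ids the user has "forgotten"

    def _sign(self, body: str) -> str:
        return _b64e(hmac.new(self._key, body.encode(), hashlib.sha256).digest())

    def issue(self, user_id: str) -> str:
        """Called after a successful second-factor check when the user ticks 'trust this device'."""
        payload = {
            "uid": user_id,
            "dev": secrets.token_hex(8),                      # random device id, used for revocation
            "exp": int(self._clock()) + TRUST_DAYS * 86400,  # absolute expiry; the client cannot extend it
        }
        body = _b64e(json.dumps(payload, separators=(",", ":")).encode())
        return f"{body}.{self._sign(body)}"

    def _payload(self, cookie: str):
        """Return the payload only if the signature verifies; None for anything malformed or forged."""
        try:
            body, sig = cookie.split(".", 1)
            # verify the MAC before parsing anything the client sent
            if not hmac.compare_digest(self._sign(body), sig):
                return None
            return json.loads(_b64d(body))
        except (ValueError, KeyError, TypeError):
            return None

    def is_trusted(self, cookie: str, user_id: str) -> bool:
        """True means the second factor can be skipped for this sign-in."""
        p = self._payload(cookie)
        if p is None:
            return False
        return (p.get("uid") == user_id
                and isinstance(p.get("exp"), int) and p["exp"] > self._clock()
                and p.get("dev") not in self._revoked)

    def revoke(self, cookie: str) -> bool:
        """'Forget this device': takes effect immediately, before the cookie expires."""
        p = self._payload(cookie)
        if p is None or "dev" not in p:
            return False
        self._revoked.add(p["dev"])
        return True
```

The cookie is bound to the user it was issued for, so a trusted-device cookie found on one account cannot be replayed against another, and the expiry lives inside the signed payload rather than in a client-controlled cookie attribute. In a real deployment the cookie would also be set with the Secure and HttpOnly attributes.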

Social Sign-In

  • Implementation: strong
  • Security: good
  • Usability: strong

Social sign-in, or other third-party sign-in, is a popular and convenient way to authenticate. It’s not just for signing in, either. American Express has Amex Express Checkout22, where you sign in to your Amex account to securely pay for things on third-party sites. You’re authenticated, and you don’t have to send your credit card details to the merchant.

[Figure: Medium’s website23]

More commonly, though, social sign-in means signing in to a third-party service or app with Facebook, LinkedIn or Twitter. For a lot of services, this is a great way to authenticate. It’s convenient for the person signing in – if they have an account with the third-party service. For that reason, social sign-in always requires a fallback option.

Social sign-in also asks for permissions from the third party, which can be scary and deter users, and social sign-in doesn’t work behind firewalls that block the original site (like corporate offices).

Famously, MailChimp’s article from 2012 explains why MailChimp was (and apparently still is) against social sign-ins25. Its argument is that social sign-in creates too many options for a user right at the top of the funnel. Even with a single social sign-in option and a traditional fallback, a user needs to remember how they originally signed up to sign in.

I agree with MailChimp to an extent, but today social sign-in is much more understood and accepted, due in large part to how common it is now. It’s often a great way to reduce authentication friction. I’d personally still suggest only a single, relevant option for third-party sign-in, but if companies like Medium are any indication, having several can be fine.

Passwordless Authentication

  • Implementation: weak
  • Security: strong
  • Usability: strong

Passwordless authentication is two-factor authentication without the first step. The person signing in only has to remember their username, email or phone number, and they receive a unique code to complete the sign-in. They never create or enter a password.

We can take passwordless authentication a step further by skipping the manually typed code. Using deep linking or a unique token in the URL, a link in an email or text can directly open and sign in to a service.

For security, codes or links expire soon after they’re sent or after they’re used. This is what makes passwordless authentication better than password authentication. Access is granted exactly when someone needs it and is restricted any other time, but there’s no password to keep track of.
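The expiry and single-use rules described here, and the emailed or texted code of the two-factor section above, come down to one server-side mechanism. As an added example that is neither Slack’s code nor anything from the article, the Python below issues either a short numeric code or a long magic-link token, stores only a hash of it, and redeems it exactly once before a fixed lifetime. The ten-minute lifetime, the five-attempt limit and the query-string parameter names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

CODE_TTL_SECONDS = 600   # assumption: a code or link is valid for ten minutes after it is sent
MAX_ATTEMPTS = 5         # assumption: wrong guesses allowed before the challenge is discarded
DIGITS = "0123456789"


@dataclass
class Challenge:
    user_id: str
    secret_hash: str   # only the hash is stored; a leaked table does not contain live secrets
    expires_at: float
    attempts: int = 0


class OneTimeCodeStore:
    """Issues and redeems one-time secrets for 2FA codes and passwordless magic links.

    `clock` is injectable so expiry can be tested without sleeping.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending: dict[str, Challenge] = {}

    @staticmethod
    def _hash(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def _register(self, user_id: str, secret: str) -> str:
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = Challenge(
            user_id, self._hash(secret), self._clock() + CODE_TTL_SECONDS)
        return challenge_id

    def issue_code(self, user_id: str, digits: int = 6) -> tuple[str, str]:
        """Short code to email or text. A 6-digit code has only 10^6 values, so the
        attempt limit and the expiry, not the hash, are what stop guessing."""
        code = "".join(secrets.choice(DIGITS) for _ in range(digits))
        return self._register(user_id, code), code

    def issue_magic_link(self, user_id: str, base_url: str) -> str:
        """Link that signs the user in with one click. 32 random bytes (256 bits)
        cannot be guessed, so for links the stored hash does protect against a leak."""
        token = secrets.token_urlsafe(32)
        challenge_id = self._register(user_id, token)
        return f"{base_url}?c={challenge_id}&t={token}"

    def redeem(self, challenge_id: str, presented: str):
        """Return the user_id if `presented` is the live secret for this challenge, else None.

        A challenge succeeds at most once and only before expiry; the record is
        deleted on success, on expiry, and after too many wrong attempts."""
        ch = self._pending.get(challenge_id)
        if ch is None:
            return None
        if self._clock() > ch.expires_at or ch.attempts >= MAX_ATTEMPTS:
            del self._pending[challenge_id]
            return None
        ch.attempts += 1
        # constant-time comparison of the two hex digests
        if not hmac.compare_digest(ch.secret_hash, self._hash(presented)):
            return None
        del self._pending[challenge_id]   # single use
        return ch.user_id


def parse_magic_link(url: str) -> tuple[str, str]:
    """Extract (challenge_id, token) from a link produced by issue_magic_link."""
    qs = parse_qs(urlparse(url).query)
    return qs["c"][0], qs["t"][0]
```

The challenge id travels alongside the secret so that the server can look the record up without a scan, while the secret itself is never stored in clear. For a texted code the hash is cosmetic; the lifetime and attempt cap carry the security. For a magic link the token is long enough that the hashed copy is genuinely useless to anyone who reads the table.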

[Figure: Slack’s app26]

Slack28 has a really good example of passwordless authentication. At different phases in the sign-in and password reset processes, it uses what they call a “magic link29” to authenticate users. A unique URL is sent to a person’s email, and that URL opens the Slack app and signs them in. Slack’s presentation of this interaction pattern is notable as well, because it brands the interaction as “magic” and makes it seem simple, secure and future-friendly. (Arguably, whoever coined “two-factor authentication” got the branding part wrong.)

Biometric

  • Implementation: depends
  • Security: excellent
  • Usability: excellent

Biometric authentication – fingerprints, retina scans, facial recognition, voice recognition and more – is where I see authentication ultimately going. The most common example is Apple’s Touch ID30. This is the kind of thing that truly gets me excited. Biology is our true identity, and it’s always on us. We’re familiar with the idea of unlocking our phones or tablets with a fingerprint. However, biometric authentication is being used in other places (and with other biology) as well.

[Figure: Windows Hello32]

Windows Hello34 is a forward-thinking authentication system for Windows 10 that pairs cameras and sensors (on both computers and devices) to recognize faces, irises or fingerprints. The idea is that someone should open their computer and get right to whatever they want to do without sacrificing security. This type of authentication was barely possible until recently, especially on a Windows 10 scale.

Biometric systems require hardware and sensors to work, but luckily our mobile phones contain sensors for all kinds of different things. Hello uses infrared in the camera to detect faces and eyes (in any lighting condition), but they use mobile phones or tablets for fingerprint scanning. If desktops and laptops had prioritized security and sensors a bit more, we may have moved on from passwords years ago. Mobile prioritized security from the beginning, and now other hardware will catch up.

Biometric is early in its development, but there are some APIs and libraries that allow us to use biometric authentication today. These include BioID Web Service35, KeyLemon36, Authentify37 and Windows Biometric Framework API38 (what Hello is built on, I assume).

Connected Device Authentication

  • Implementation: depends
  • Security: strong
  • Usability: strong

Connected device authentication is a pre-established Bluetooth (or similar) connection from one device to another that has already authenticated someone. For instance, there’s an app for Mac OS X called KeyTouch39 that lets you sign in to your computer with your iPhone’s fingerprint scanner. There’s also Knock40, where you knock on your phone to unlock your computer. You can imagine the possibilities as we accumulate more and more connected devices, especially in the IoT space where personal and possibly sensitive devices will be running all the time. Connected device authentication might become very useful.

[Figure: Tether’s iPhone app41]

I use a Mac OS X + iOS app called Tether43 at my home office. After syncing your computer and phone once, the computer locks and unlocks based on the phone’s proximity to the computer. Tether has literally saved me hours of time. Typing my computer password, with capitals and numbers and a symbol, might take just three or four seconds, but doing it so many times each day, week, month, and so on… you get the idea. By the time I sit down in my chair, my computer is unlocked and opened up, thanks to connected device authentication.

Another example? Bluetooth car keys.

What Should We Do Now?

We ran a poll on Twitter44, and it seems that among the options mentioned above, the good ol’ login/pass verification is still the most acceptable (49%), followed by social sign-in (28%). But just like everything else, we need to do what’s right for our users. We can work to eliminate the password problem by reducing the amount of passwords our services and apps require, and we can introduce some of these newer methods of authentication wherever possible. If there’s any way to reduce friction in the sign-in process, it needs to be considered.

If I had my way, we’d be done with passwords altogether. I believe they held us back a little before, but they’re really getting in the way now. A password revolution is coming.

However, we need to remember that people want to feel secure while signing in, and they need to know that their information is secure. If we push authentication too far, our users won’t trust it. Therefore, we won’t eliminate all passwords tomorrow, although we can reduce their scale.

The best authentication, like the best interface, is completely invisible45. Therefore, the uncompromising goal should be to make authentication invisible. With that in mind, traditional password authentication – usability-enhanced or not – is not an option for very much longer. We can do better.

Hopefully we’ll see a day where authentication isn’t a roadblock, yet all of our information is secure. If you think about it, we’re not too far off. I predict the solution will be some form of biometric. Many others agree. Either way, if we keep pushing the envelope and investing in ultra frictionless, secure sign-in, the future state of authentication looks a lot brighter.

(da, vf, og, il)

Footnotes

  1. https://www.smashingmagazine.com/2015/12/passphrases-more-user-friendly-passwords/
  2. https://www.smashingmagazine.com/2012/10/password-masking-hurt-signup-form/
  3. https://www.smashingmagazine.com/2015/05/form-inputs-browser-support-issue/
  4. https://www.smashingmagazine.com/2011/12/sisyphus-js-client-side-drafts-and-more/
  5. https://www.smashingmagazine.com/2016/07/keeping-your-business-and-clients-safe-with-digital-policies/
  6. https://www.smashingmagazine.com/wp-content/uploads/2016/05/01-godaddy-opt.png
  7. https://www.smashingmagazine.com/wp-content/uploads/2016/05/01-godaddy-opt.png
  8. https://www.telesign.com/resources/research-and-reports/telesign-consumer-account-security-report/
  9. https://www.smashingmagazine.com/wp-content/uploads/2016/05/02-browserstack-opt.png
  10. https://www.smashingmagazine.com/wp-content/uploads/2016/05/02-browserstack-opt.png
  11. https://storify.com/lukew/yahoo-display-password-test
  12. https://www.smashingmagazine.com/wp-content/uploads/2016/05/03-lukew-opt.png
  13. https://www.smashingmagazine.com/wp-content/uploads/2016/05/03-lukew-opt.png
  14. http://www.lukew.com/ff/entry.asp?1941
  15. https://blog.codinghorror.com/passwords-vs-pass-phrases/
  16. https://www.smashingmagazine.com/2015/12/passphrases-more-user-friendly-passwords/
  17. https://www.smashingmagazine.com/wp-content/uploads/2016/05/04-simple-opt.png
  18. https://www.smashingmagazine.com/wp-content/uploads/2016/05/04-simple-opt.png
  19. https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/
  20. https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html
  21. https://www.simple.com/
  22. https://www.americanexpress.com/us/content/express-checkout/
  23. https://www.smashingmagazine.com/wp-content/uploads/2016/05/06-medium-opt.png
  24. https://www.smashingmagazine.com/wp-content/uploads/2016/05/06-medium-opt.png
  25. http://blog.mailchimp.com/social-login-buttons-arent-worth-it/
  26. https://www.smashingmagazine.com/wp-content/uploads/2016/05/07-slack-opt.png
  27. https://www.smashingmagazine.com/wp-content/uploads/2016/05/07-slack-opt.png
  28. https://slack.com/
  29. http://blog.matthew-marshall.com/post/92431188090/the-awesome-mobile-login-experience-of-slack
  30. https://support.apple.com/en-us/HT204587
  31. https://www.smashingmagazine.com/wp-content/uploads/2016/05/08-windows-hello-opt.png
  32. https://www.microsoft.com/en-us/windows/features
  33. https://www.smashingmagazine.com/wp-content/uploads/2016/05/08-windows-hello-opt.png
  34. https://blogs.windows.com/windowsexperience/2015/03/17/making-windows-10-more-personal-and-more-secure-with-windows-hello/
  35. https://www.bioid.com/Products/BioID-Web-Service
  36. https://www.keylemon.com/api/home
  37. http://authentify.com/solutions/authentication-concepts/voice-biometric-authentication/
  38. https://msdn.microsoft.com/en-us/library/windows/desktop/dd401509(v%3Dvs.85).aspx
  39. http://www.usekeytouch.com/
  40. http://www.knocktounlock.com/
  41. https://www.smashingmagazine.com/wp-content/uploads/2016/05/09-tether-iphone-app-opt.png
  42. https://www.smashingmagazine.com/wp-content/uploads/2016/05/09-tether-iphone-app-opt.png
  43. http://www.hellotether.com/
  44. https://twitter.com/smashingmag/status/734669554190798848
  45. https://www.smashingmagazine.com/2016/01/nobody-wants-use-your-product/


Drew Thomas is an entrepreneur, a consultant, and an ecommerce expert. He's currently working on an ecommerce platform called Really Simple Store. He previously cofounded and ran Brolik, a digital agency, as CCO and then CTO. He lives in Austin, TX.

  1. Even worse than passwords are the challenge/security questions used here and there. Sometimes you need to input “your first pet’s name” when retrieving a lost password; at least one page I know raises this question along with the username/password-based login… I basically use these fields to introduce just another strong password for the site (because, well, “Buddy” etc. doesn’t seem very secure?). I wish they would disappear.
  2. There’s one significant use case neglected by this otherwise excellent article that I rely upon daily: credentials shared between multiple users.

    Whilst, in theory, we should create a unique user account within a larger organisation account for every single cloud service my agency uses, sheer practicality dictates that this is impossible.

    U/P combinations are shareable and, practically, it’s the only solution. I couldn’t hook the company BrowserStack account (for example) to a single device, biometric identifier, two-factor login (via email or device), etc. because it’s used by multiple people in an unpredictable fashion.

    Huge progress is possible – especially for consumer applications. Like you, I much prefer passphrases to overly complex and arbitrary ‘rules’. There are lots of use cases where credentials need to be shared, however, and it’s important not to lose track of that. Reducing friction, yay! Just be aware of the unintended consequences :D
    • Such an excellent point!

      The only good solution I’ve come up with so far would require service providers to switch up their account model slightly. Something like how Facebook does business pages or how GitHub works with repo owners and collaborators.

      “Shared” accounts would have an owner (or no owners, maybe) and then individual accounts get invited to access the shared account. Everyone only signs in with their personal identity, though.

      I wish I had a better answer, to be honest, but I’m sure solutions will emerge!
    • If we use emails, accounts created using passwordless authentication can also be shared, since anyone can sign in as long as they have access to that email account. One example would be email lists, or a single email address that forwards everything to multiple people.
    • With iOS devices you can add multiple fingers for Touch ID. So you can add multiple users to one of those devices just by adding their fingers.
  3. Drew, that was a very good read. I like how you did your rating on each of the presented methods. Like you, I think the biggest issue holding other forms of authentication back is trust. For the past two decades we have been trained to use a user name and password for everything online. While tech people may be open to new authentication technologies, non-tech people that barely trust user name/password won’t switch easily.
  4. Brian Ghidinelli

    June 6, 2016 5:24 pm

    Another way of dealing with passwords is to use a password manager (e.g. LastPass). Incredibly strong service-specific passwords, one master password to remember, available on all devices. Having had my Google Authenticator account reset during an iPhone upgrade, I’m wary of the “good” usability score above.

    This review also overlooks mandatory compliance such as PCI DSS for merchants, which have authentication requirements that must be met. E.g., a passwordless authentication system would not be acceptable for any e-commerce vendor.
    • I’m on vacation, my laptop was stolen and I need to access my emails from a random device’s browser. What now?
      • Stanislovas

        June 16, 2016 5:50 pm

        LastPass passwords are not stored on your computer, so you would just log in to their website and find the password in your dashboard.
        • Exactly. I use Dashlane, and it’s not stored locally. I can get on any computer (let’s say the hotel computer) and access my passwords. Don’t have your phone? There are backup codes for those cases too.
          • Correct me if I’m wrong, but those password managers need to store all your passwords in retrievable, plain-text form.

            So once their database is compromised or they decide to make some millions on the dark net with your data, you’re screwed big time. Every service you’ve been using is compromised.
          • By “retrievable, plain-text form” I mean passwords that can be hacked (two-way encrypted), not unencrypted passwords.
  5. Great article; however, I don’t share the enthusiasm about biometric methods, especially the fingerprint. The user should be able to change the password if it was compromised. That only works ten times for fingerprints, then I’m out of options. My favorites are the two-factor one and the one with a link via e-mail.
    • I agree.

      Rating the biometric method’s security ‘excellent’ (best of all methods presented here, iirc) is like pretending the iPhone fingerprint wasn’t hacked within 5 min. Usability is best, security (as of now) pretty bad.
  6. Anton Gudkov

    June 6, 2016 9:31 pm

    I wouldn’t say that passphrase is a separate option; it’s sort of an extension of regular login/pass. Biometric authentication is the most secure and convenient form: no need to remember or type anything, and the security level is outstanding. I wish it’d be used everywhere. Haven’t tested Windows 10, but the fingerprint scanner on my SGS5 works like a charm :)
    • Biometric is definitely convenient and easy for users and probably the best form of AUTHENTICATION, but it’s terrible for SECURITY. To be secure, biometric authentication needs another factor that is only known to the user. That’s why two-factor authentication is better for security: the code produced by something you HAVE (phone app, text message, etc.) and the secret that is something only you KNOW.

      There have been plenty of news stories of children unlocking devices with a sleeping parent’s finger and court orders allowing authorities to unlock devices using the fingers of people who have been arrested. And it would be pretty simple for criminal elements to compel someone to authenticate with a purely biometric means.
      • I agree. I think that the “Excellent” security rating for biometric is too generous. Fingerprints give the illusion of being supremely secure (since only I have my fingerprint), but what makes them insecure is that I leave them everywhere, so while they’re unique, they’re not rare, and short YouTube videos show how to lift fingerprints that will get you into an iPhone every time. It’s not an instant process, but it’s perfectly plausible that if someone steals your Touch ID device, they’ll be able to get into it soon with your fingerprint (unless you always wore gloves when using it).
        • Now if fingerprint scanners could take your pulse at the same time, or in some other way make sure the finger was “alive,” then you’d have something pretty secure.
  7. I wouldn’t be promoting removal of the password mask or even having it off by default. So all it would take would be a photograph of your screen to get your password? Seems like a bad idea to me.
    • I had the same thought while reading that – definitely NOT a good default setting. There are many times someone else is standing nearby who shouldn’t see my password, whether a colleague at work or a child wanting a device unlocked or connected to the Internet. The author may not have a problem sharing his password on a screen, but that doesn’t make it the best solution for everyone else out there. Having the OPTION to view it is definitely an improved user experience, however.
  8. (One of the) problems with biometrics: if the Taliban get a copy of the database, you can never not be identified as their enemy:

    http://mobile.tolonews.com/en/afghanistan/25653-taliban-used-biometric-system-during-kunduz-kidnapping
  9. Šime Vidas

    June 7, 2016 6:21 am

    Why does the implementation field say “weak” for passwordless authentication? I thought it’s relatively simple to implement using a server-side package.
  10. James Edwards

    June 7, 2016 7:48 am

    Imagine a site that told you what password to use instead of letting you choose your own; that you could never change it; and that you then had to use the same password for every other site, for the rest of your life.

    You just imagined biometrics – the least secure and least private authentication method of all the ones described :-)
    • Daniel Dayag

      June 7, 2016 9:01 am

      The password you describe is yourself, and there is only one you in the world :) Also, a fingerprint is not something you can write down or type in, so I’m not sure it can be simply compared to passwords.

      As biometric recognition gets better, so does its security (automatically and for all users), while passwords are based on the assumption that the user will create a strong and unique password, which they usually don’t.
      • 25

        Michał Sadowski

        June 7, 2016 1:33 pm

        Biometrics raise another, big set of problems. Sometimes our biometric parameters change (I agree, it’s not often, but it does happen. I’m sure someone who lost an arm in an accident wouldn’t be too happy to be locked out of his apps on top of everything), and the authentication methods can be fairly easily fooled.
        But an even bigger problem is – how do we ensure the security of the stored data? Mistakes happen even to the biggest, as the fappening showed us all. Your password got stolen out of some database? Well, sucks to be you, you’re gonna spend some time changing passwords everywhere and you might’ve lost some money from your account. Your iris pattern or fingerprints got stolen? Now, that’s some bigger problem.

        10
  11. 26

    Biometrics may be the most comfortable but also the least private authentication method. Leaks have happened and leaks will happen. What we see as safe and secure today may be easily exploited in 10 years. Guess what happens when quantum computing gets real: every encryption to date can be cracked in way less time than what is required today.
    My favourites are the passphrases and the passwordless authentication.

    9
  12. 27

    One option you didn’t explore is SSL (certificate) authentication. Although I’m not advocating for it, exploring the technology is important as some sites do use this.

    Here is some basic information on it:
    https://security.stackexchange.com/questions/3605/certificate-based-authentication-vs-username-and-password-authentication

    6
  13. 28

    Biometric rating: security excellent, usability excellent? That’s the theory; in practice you’ll have neither, but rather a compromise which is: security medium, usability medium.

    While fingerprints are unique, a computer can only compare similarities, so that someone else’s finger might be good enough. In weaker implementations you can bypass it by trying to press harder or softer or scanning your fingers sideways (with ten fingers you can create a lot of different patterns). In stricter implementations you’ll get a problem in winter when your fingers are still cold and won’t match the saved fingerprint pattern.

    Camera sensors are even weaker because you can just hold a picture in front of it. Infrared might be an option but nobody has such a camera.

    In conclusion, the more secure it becomes the less usable it becomes. You won’t find an implementation which is “excellent” in both categories.

    3
  14. 29

    This article gives a good overview, but the ratings are just a personal opinion which is not backed up by any data. For example I don’t see why Mailchimp’s statement about social logins shouldn’t be true anymore. “A user needs to remember how they originally signed up to sign in.” That won’t change just because users get more familiar with social logins.

    0
  15. 30

    The article was well written and researched, but lacks a lot of really basic authentication principles – e.g. while the assessment criteria of Implementation, Security and Usability are easy to understand, they are not good criteria for measuring any particular mode of authentication. As several users have humorously pointed out, you can’t easily change yourself if your biometric data has been compromised.

    At the very least, the article should have used a more rigorous analysis of the criteria using the first principles of security: i.e. it will be one or more factors out of: what you know (knowledge), what you have (possession), and what you are (inherence). Each of these will have its own pros and cons, and with a better understanding of that, we will have a more robust analysis rather than one person’s opinion of the options.

    But for starters, you could do worse than Wikipedia: https://en.wikipedia.org/wiki/Multi-factor_authentication

    1
  16. 31

    Biometrics are of course less private, however that is well understood and is, or should be, factored into the design of any biometric system. A strong system must be designed so that anything hacked is useless to the hacker:
    – Liveness detection is required to prevent attacks using photos, videos or other copies
    – Raw data (e.g. photos) should not be stored, only irreversible templates (mathematical representations of the unique features)
    – Biometric data should be stored anonymously, so that an attacker cannot know who it belongs to

    Finally, the template should be revocable: if compromise is suspected, the template is simply deleted and the user enrolls their biometrics again (e.g. with a new anonymous ID).

    0
  18. 33

    It is now possible to authenticate to your Mac using your Apple Watch

    -1
  19. 34

    Probably someone should also explore different levels of authentication. For example with some bank cards you have to have a physical device (the card) and enter only a very basic code (the PIN).

    Translated to the world of Internet-capable devices (computers, smartphones, tablets, …) this would enable users to have something installed on a trusted device after an initial (safe one-step) login. The trusted device could be recognized, and therefore the user would only be confronted with a very simple login that’s easy to remember (like a phone login screen, a simple password etc.) and only required to fully authenticate every now and then (e.g. via 2FA).

    1
    • 35

      Ihab Shoully

      June 17, 2016 4:41 pm

      I like that, especially on mobile, but how to implement it? Sure you don’t wanna store a MAC address or any identifier already built in!

      The bank’s physical card had a strong combination of passwords and sometimes a private network for ATMs.

      0
    • 36

      I’ve been requesting that from my bank for years. Forcing me to type my password every time I want to use their app installed on my phone (already protected with a PIN) almost forces me to use a weak password because of how clumsy the on-screen keyboard is. Let me use a PIN and if I screw up 3 or 4 times, THEN make me use the password again.

      They still haven’t done that, but I can finally use Touch ID on my phone to sign in to the app. It’s a step in the right direction – definitely easier to sign in, but I’d still prefer a PIN that only I know. (Someone else could still use my thumb to sign in to my online banking.)

      1
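The trusted-device scheme sketched in comment 34 (full login once, then a simple PIN on a recognised device, with a periodic full re-authentication) together with the lockout rule from comment 36 (a few wrong PINs and you are back to the password), as an added example that is not part of the original article or any commenter's code. The class, device store, PIN-failure limit and re-authentication interval are all hypothetical assumptions chosen for illustration.

```python
import hashlib, hmac, os, secrets

PBKDF2_ROUNDS = 100_000
MAX_PIN_FAILURES = 3               # assumed: wrong PINs tolerated before trust is revoked
REAUTH_INTERVAL = 30 * 24 * 3600   # assumed: seconds before a trusted device needs a full login again

def _kdf(secret: str, salt: bytes) -> bytes:
    """Slow hash for both the password and the PIN; the PIN is short, so the cost matters."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)

class TrustedDeviceAuth:
    """Hypothetical server-side record for one user with any number of trusted devices."""
    def __init__(self, password: str, pin: str):
        self.pw_salt, self.pin_salt = os.urandom(16), os.urandom(16)
        self.password_hash = _kdf(password, self.pw_salt)
        self.pin_hash = _kdf(pin, self.pin_salt)
        self.devices = {}  # device_id -> {"token_hash", "trusted_at", "failures"}

    def full_login(self, password: str, device_id: str, now: float):
        """Step 1: full credential check (2FA would go here too). On success the device
        receives a fresh random trust token; only its hash is kept server-side."""
        if not hmac.compare_digest(_kdf(password, self.pw_salt), self.password_hash):
            return None
        token = secrets.token_urlsafe(32)
        self.devices[device_id] = {"token_hash": hashlib.sha256(token.encode()).digest(),
                                   "trusted_at": now, "failures": 0}
        return token  # stored on the client; it is not a hardware identifier like a MAC address

    def quick_login(self, device_id: str, token: str, pin: str, now: float) -> str:
        """Step 2: PIN-only login, accepted only from a recognised, unexpired, unlocked device."""
        dev = self.devices.get(device_id)
        if dev is None or not hmac.compare_digest(
                hashlib.sha256(token.encode()).digest(), dev["token_hash"]):
            return "reauth_required"        # unknown device or wrong token: back to step 1
        if now - dev["trusted_at"] > REAUTH_INTERVAL:
            del self.devices[device_id]     # periodic full re-authentication
            return "reauth_required"
        if not hmac.compare_digest(_kdf(pin, self.pin_salt), self.pin_hash):
            dev["failures"] += 1
            if dev["failures"] >= MAX_PIN_FAILURES:
                del self.devices[device_id] # trust revoked; password needed again
                return "locked"
            return "pin_wrong"
        dev["failures"] = 0                 # a correct PIN resets the counter
        return "ok"
```

Revoking the device entry (rather than just counting failures) means a stolen phone offers at most three PIN guesses before the full password is required again.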
  20. 37

    Hemang Rindani

    July 6, 2016 12:33 pm

    There are ways to secure an account other than a password, but my question is: is it possible to implement systems like biometrics everywhere and replace passwords? The answer to this will be an instant ‘No’. There are two reasons why you won’t change a password. One, it is accepted by everyone and has become a habit. Two, including biometrics is costly and there are still very few systems that come with a biometric scanner.
    Ensure that you create a password that is unique to make sure that you stay safe. Also keep a habit of logging out from the account.

    1
