Death of the password?

Earlier this week the Daily Mail reported on KPMG’s cyber security predictions for 2016. The article can be found here and the original KPMG blog post here.

The article picked up on a viewpoint which I wholeheartedly share – the password is no longer fit for purpose as a way of securing our applications. We all have so many passwords to remember these days, for so many applications, whilst at the same time being pushed towards more and more complex passwords which are impossible to remember; the inevitable result is that many people either start to write down their passwords, or start to re-use the same complex password for multiple applications in an effort to remember it. Both of these actions massively undermine the usefulness of the password as a way of securing our data.

Not only that, but the complex passwords which many applications push us to use (we’re all familiar with this now – passwords must have a capital, and a number, and a special character…) actually have the worst possible combination of being impossible to remember and easy for a computer to guess! Check out this brilliant cartoon for an explanation: https://xkcd.com/936/

I completely share the opinion of Dave Ferbrache from KPMG that we need a more sophisticated approach to authentication; passwords may form part of this, but authentication should include other factors as well such as biometrics and contextual information. For example, we might have a situation where a password is required to access an application if logging in from the UK, but if it is detected that you are logging in from overseas, an additional factor of authentication could be required – maybe a fingerprint scan, or a one-time password sent to your phone. Some application vendors are already paving the way for this – if you use Google Apps you may have noticed when logging in that the username and password fields are no longer on the same page; this means that Google can easily interleave additional authentication methods into the login flow in the future.

The good news is that the technology to implement this kind of authentication framework exists, and is ready for enterprise deployment. We’ve worked with many customers to deploy advanced authentication combining contextual information with multi-factor approaches to ensure secure authentication to applications; Ping Identity’s industry leading PingFederate and PingID products provide the core technology required, with tremendous flexibility to integrate almost any authentication method.

However, a quick glance at the comments below the Daily Mail article shows that the industry has a long way to go in terms of educating the wider public; there is a great deal of wariness of biometrics in particular, and many people view such technologies as a creeping ‘big brother’ state. Whilst we in the industry may realize that this is misplaced, if we are to ever move on from passwords as the primary form of authentication, we need to take seriously our responsibility to de-mystify this technology for the every-day user, because as long as there is suspicion, we will never be able to drive adoption of modern authentication techniques, and all of our data will continue to be at risk.