Google’s email service Gmail made a tiny change to its log-in procedure last week. A first screen asks for a username and leads to a separate screen asking for a password.
It’s a sign of big things to come.
Omer Karatas, a co-founder of the digital security startup Saaspass, said participants in last month’s RSA conference in San Francisco – a forum for cryptographers and cybersecurity professionals – were in broad agreement that passwords were an unacceptable risk.
“There was a panel with the heads of security of Dropbox, Amazon Web Services, Rackspace, Google for Work, Microsoft 365,” Karatas said. “When asked about what the biggest issue for the Internet that needed solving, it was like a chorus: ‘Passwords need to go.’
“The only question is how.”
In an announcement about the new Gmail log-in screen, Google mentioned it was “working toward introducing new authentication solutions that complement traditional passwords.” Splitting the log-in page was a step in this direction, but the goal is to eliminate passwords entirely.
Most computer breaches involve password theft. Hackers can steal them by invading corporate systems – they have accumulated millions of stolen username-password combinations – or by picking weak passwords by brute force, which is what apparently happened with the mass theft of nude celebrity pictures from Apple’s iCloud last year.
No matter how much companies invest in security, there can always be a vulnerability.
LinkedIn users have sued the company for weak security that allowed hackers to obtain millions of passwords, but they continue to be vulnerable. And no matter how often people are told to create separate, strong passwords for every application, they keep using birthdays and children’s names, because our memory is finite.
Technology that identifies users without a password already exists. Google recently presented its advances in facial recognition technology based on artificial intelligence. Intel promises to release an app that will replace passwords with facial scans.
The latest version of Google’s Android mobile operating system provides for unlocking a phone when it is connected to a trusted Bluetooth device or a near-field communication tag – or even when the user is in a “trusted location” – the phone’s geolocation feature takes care of that.
There are identification techniques based on scanning barcodes with a mobile phone.
Saaspass, which has 60 people working on eliminating passwords, uses this technology among others. Another solution is to generate one-time access codes that are sent to a user’s phone or produced by a special app. That’s what Google uses for so-called two-factor authentication, a feature it pushes to Gmail users. Many online banks also rely on these one-time codes.
Fingerprint scanners, whose price is expected to drop below $5 this year – making it possible to include them in the cheapest phones – are another possibility.
All of these authentication techniques, however, still require a password. A phone can be stolen, the location feature can be misled, and there have been successful hacks of fingerprint scanners and embarrassing accidents with facial recognition systems.
Besides, it’s always easier to breach one level of defense than two.
Yet hackers have tricked two-factor authentication, too.
Another problem is that many of the inventive identification methods are available only to people with the newest gadgets running up-to-date software. The world is full of late adopters and nonadopters, however, and major Internet companies such as Google and Facebook cannot afford to demand that all their users upgrade their equipment to be safe.
The solution will probably be a combination of two non-password authentication methods – say, facial recognition and a phone running a code-generating app, or a fingerprint scan and a text message. Then no one will need to store or remember passwords, and fingerprint scans from a corporate database will be useless to thieves.
That, however, won’t happen until companies are reasonably sure the technology is reliable and an overwhelming majority of their users have the means to switch.
I’m ready: There’s no way I can remember all those passwords.