We at SALSA have long bemoaned (and celebrated) the password. It is the bane of our existence, but it has (let's be frank) worked over the past 30 years (as it has yet to find a worthy replacement). In today's NYT, Somini Sengupta explores what's next. Please, Somini, help us. Cheers, -DGA
Published: December 23, 2011
Passwords are a pain to remember. What if a quick wiggle of five fingers on a screen could log you in instead? Or speaking a simple phrase?
Fred R. Conrad/The New York Times
Fred R. Conrad/The New York Times
Neither idea is far-fetched. Computer scientists in Brooklyn are training their iPads to recognize their owners by the touch of their fingers as they make a caressing gesture. Banks are already using software that recognizes your voice, supplementing the standard PIN.
And after years of predicting its demise, security researchers are renewing their efforts to supplement and perhaps one day obliterate the old-fashioned password.
“If you ask me what is the biggest nuisance today, I would say it’s the 40 different passwords I have to create and change,” said Nasir Memon, a computer science professor at the Polytechnic Institute of New York University in Brooklyn who is leading the iPad project.
Many people would agree. The password has become a monkey on our digital backs — an essential key to our many devices and accounts, but increasingly a source of exasperation and insecurity.
The research arm of the Defense Department is looking for ways to use cues like a person’s typing quirks to continuously verify identity — in case, say, a soldier’s laptop ends up in enemy hands on the battlefield. In a more ordinary example, Google recently began nudging users to consider a two-step log-in system, combining a password with a code sent to their phones. Google’s latest Androidsoftware can unlock a phone when it recognizes the owner’s face or — not so safe — when it is tricked by someone holding up a photograph of the owner’s face.
Still, despite these recent advances, it may be premature to announce the end of passwords, as Bill Gates famously did in 2004, when he said “the password is dead.”
“The spectacularly incorrect assumption ‘passwords are dead’ has been harmful, discouraging research on how to improve the lot of close to two billion people who use them,” Cormac Herley, a researcher at Microsoft, the company that Mr. Gates founded,wrote in a recent paper. Mr. Herley suggested instead that developers try “to better support the use of passwords” — for example, by helping people protect their wireless connections from eavesdroppers. “Passwords,” Mr. Herley continued, “have proved themselves a worthy opponent: all those who have attempted to replace them have failed.”
The touch-screen approach of Professor Memon in Brooklyn works because, as it happens, each person makes the same gesture uniquely. Their fingers are different, they move at different speeds, they have what he calls a different “flair.” He wants logging in to be easy; besides, he said, some people find biometric measures like an iris scan to be “creepy.”
In his research, the most popular gestures turned out to be the ones that feel most intuitive. One was to turn the image of a combination lock 90 degrees in one direction. Another was to sign one’s name on the screen. In principle, the gesture can be used to unlock a device, or an app on the device that safely holds a variety of passwords.
Despite their resilience, passwords are weak, notably because their users have limited memories and a weakness for blurting out secrets. Most people need dozens of them, and they tend to pick ones that are so complex they need to be written down, or so simple they can be easily guessed. Recently, criminals have become adept at stealing passwords by sneaking malicious software onto computers or tricking users into typing them into an illegitimate site.
Companies like Facebook and Twitter have sought to address the frustration with passwords by allowing their usernames and passwords to open the door to millions of Web sites, a convenience that brings obvious risks. A thief with access to a master username and password can have access to a host of accounts.
Rachna Dhamija, a California computer scientist turned entrepreneur, sought to combat those weaknesses by breaking up the password. The user first logs in to the service that Ms. Dhamija built, UsableLogin, and signs in with her own partial password. Behind the scenes, the service verifies that the user is on an authorized device, and pulls the third piece from the cloud, generating a unique password for any Web site that the user wants to log in to — Facebook, for instance. In other words, one piece of the password rests with the user, another is stored in her device, and a third piece is kept online.
“You take a secret and you spread it across,” said Ms. Dhamija, whose service was recently acquired by Webroot Software, based in Broomfield, Colo. “You’re spreading the risk. The password is not stored in its whole form anywhere.”
But even if a user has been authorized at the start of a session, what if someone else gains access to her computer an hour later? Darpa, the Defense Department’s technology research arm, has invited security researchers to develop ways to verify a user every instant, based on the way the individual uses the machine — “for example, how the user handles the mouse and how the user crafts written language in an e-mail or document,” it explains on its Web site.
Each of these techniques is driven by the notion that a password alone is an insufficient means to verify online identity. Think of them as a fortification: a password-plus.
Many companies use a smart card or a security “dongle” — a small piece of hardware that plugs into the computer and functions as a key — as that second step of verification to allow access to internal networks. Today, biometrics — an individual’s unique physical traits — are emerging as an alternative.
At least a half-dozen banks in the United States ask their customers to verify who they are by reciting a two-second phrase to a computer over the phone, in addition to punching in their PINs. It could be as simple as “at my bank,” and a million customers could recite the very same phrase and still sound unique, according to Nuance Communications, a company based in Burlington, Mass., that makes the technology.
As mobile phones become bodily appendages for people worldwide, they too are emerging as instruments to verify identity. Google introduced its two-step process earlier this year. It sends a six-digit code to an application on a Google user’s cellphone to be entered, along with a password, when signing onto a Google account on a computer or tablet. The code can also be sent as a text message for those who don’t have smartphones, or it can be conveyed through a phone call.
The extra step is not mandatory, and the company will not say how widely it has been adopted. But as vulnerable as passwords are to theft and compromise, Google says, it is increasingly important for a user’s identity to be verified through another channel — a cellphone, in this case.
“I think we’ll start to see people using their mobile devices as their pervasive identifiers,” said Brendon Wilson, a security researcher at Symantec. “The password will no longer be the final arbiter that you are you. You will see layers on top.”