This content is part of the Security School: Game-changing enterprise authentication technologies and standards

Will online authentication ever be free of passwords?

Online authentication has long been ruled by personal passwords, but their risks and limitations are apparent, and a new generation of online authentication methods is upon us. This video examines why authentication is so important, what failings are inherent in the personal password method, and what the next generation of online authentication will look like.


In this presentation, expert Michael Cobb reviews the shortcomings of a password-based authentication system and explores what we know of the future of authentication. Among the authentication tech he explores are security tokens, biometrics, out-of-band authentication and federated authentication. He also reviews in depth what the Fast Identity Online (FIDO) Alliance is up to.


Watch this video and you'll be prepared for the authentication revolution already in progress.


Join the conversation


Some people shout that the password is dead or should be killed dead. The password could be killed, however, only when there is an alternative to the password. Something belonging to the password (PIN, passphrase, etc.) and something dependent on the password (ID federations, 2/multi-factor, etc.) cannot be the alternative to the password. Neither can be something that has to be used together with the password (biometrics, auto-login, etc.).

At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

Regarding passwords, the two major problems are well stated in the presentation: password predictability and insecure storage of passwords by online services. By far, the most important of the two is the latter. Regardless of what the password is, if a breach of an online service reveals it to hackers, then they don't have to guess it. But let us be practical here and state the real root of the problem, TMW: Too Much Work. People don't want to work hard to get what they want online because they have been conditioned by instant gratification. They want to click the button and have what they requested magically appear on their screen or their doorstep.

But let's not just disparage the user because the online services and the web developers share the responsibility. We have had the ability for a long time to force users to choose complex passwords. It's quite simple, really. Just create some code that compares a person's password to "123456" and the 499 other commonly used passwords at the time the account is created and refuse to allow those. Then, salt and hash the password before storing it. Start setting the expectations a bit higher.

Oh, I forgot. TMW.
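
The account-creation check described in the comment above (refuse commonly used passwords, then salt and hash before storing), as an added example that is not part of the original comment or the presentation. The five-entry list is a constructed stand-in for the 500-entry list the comment mentions, PBKDF2-HMAC-SHA256 at 600,000 iterations is an assumed choice of slow salted hash, and the function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a real deployment would load the full list of commonly
# used passwords from a file rather than hard-coding five entries.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "admin", "letmein"}

# Assumption: work factor chosen for illustration; tune it to your hardware.
PBKDF2_ITERATIONS = 600_000


def is_common(password: str) -> bool:
    """True if the password matches a blocklist entry, ignoring case and padding."""
    return password.strip().casefold() in COMMON_PASSWORDS


def hash_password(password: str) -> str:
    """Return 'iterations$salt_hex$hash_hex', derived with a fresh random salt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def register(password: str) -> str:
    """Refuse blocklisted passwords at account creation; else return the record to store."""
    if is_common(password):
        raise ValueError("password is on the common-password list")
    return hash_password(password)
```

Because each record carries its own random salt, two accounts with the same password store different values, so a leaked table cannot be attacked with one precomputed lookup.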

I believe it will be eventually. That said, I don't believe it'll be mainstream for another decade or so. It'll certainly be nice. I'm just not sure how it's going to tie in with the growing concerns around online privacy. I still suspect we'll see the rudimentary username/password combination being used for authentication in various areas for a few decades to come.

God. My answer to a prior question... (pasted below) covers this. I don't think people are smart enough to get past passwords and the simplest of authentication methods. It's a speed and convenience thing. People still don't lock their phones because remembering yet another four-digit code is hard for them to weave into their daily life. While biometrics and other security solutions might seem streamlined and easy - people are not of the ilk to learn how to open these gates on a regular basis.

Here's that other comment...

There's no question that biometrics are going to EVENTUALLY be the norm in security systems if they work, are affordable, are less likely to be breached than current methods, and if people can understand them. There are entire organizations around the world using ADMIN and PASSWORD as their passwords. Do you actually think something more technically sophisticated than a password box on a screen is going to be an easy hurdle for the world to jump over? Me either. But I hope things continue to move forward in this area. Biometrics are fun.