“There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they really don’t meet the challenge for anything you want to secure.”
None other than Bill Gates said this. Back in 2004.
People in the business of keeping data secure will tell you that passwords should have gone the way of dial-up Internet by now. Sure, back in the day, when we only needed them for two or three websites and hackers weren’t nearly so diabolical, we could get away with using the same “123456″ password for everything, without worrying that someone on the other side of the world was a click away from emptying our bank accounts.
Ah, sweet innocence. Now, we have an average of 24 different online accounts, for which we use at least six different passwords. And we need them for tablets and smartphones, too. If we’ve heeded the security gods—although most of us haven’t—we’ve abandoned the memorably quaint for strange, long combos of numbers, letters—capital and lower case—and symbols that dare to be remembered. (Then again, most of us don’t seem to have a knack for this passwords thing, considering that year after year, the world’s most popular password is still the word “password.”)
Not that conjuring up the perfect password guarantees immunity from code crackers. Just last week the giant game company Ubisoft admitted that its database had been breached and advised those with Ubisoft accounts to change their passwords immediately. Last summer’s big cybersecurity caper was a hack of LinkedIn, in which more than 6 million encrypted passwords were exposed.
It’s time, it would seem, for a better idea.
So, who figures to make the first big splash in the post-password world? Right now, a lot of the betting is on Apple, with speculation that the killer feature of the iPhone 5S coming out later this year will be a fingerprint scanner, perhaps embedded under the home button. Some Apple watchers think the iWatch, also expected on the market by the end of 2013, will likewise come with scanner capabilities that would allow the device to verify the user’s identity. Apple tipped its hand last year when it paid $356 million for AuthenTec, a company that develops fingerprint scanners.
Other big names pushing for the password’s demise are Google and PayPal, two of the key players in an industry group known as FIDO, which stands for Fast IDentity Online Alliance. FIDO isn’t boosting any particular approach to identity recognition; mainly it plans to set industry standards. But it is promoting what’s known as two-step verification as a move in the right direction.
This is when you’d be identified by a combination of “something you know”—such as a password—with “something you have”—such as a token that plugs into your device’s USB port—or “something you are”—such as your fingerprint. This combo of a password and a device you carry around with you—Google security experts have suggested a log-in finger ring—would be a lot safer than a simple password, and would let you use an easy-to-remember password, since the account can’t be hacked without your ring or your fingerprint.
And once fingerprint sensors or face and voice recognition software become more common, it will be that much easier for passwords to simply fade away.
That feels inevitable to Michael Barrett, chief information-security officer of PayPal and president of FIDO. “Consumers want something that’s easy to use and secure,” he says. “Passwords are neither.”
A fingerprint scanner on your phone is only the beginning. There are a number of other inventive, and yes, even bizarre ideas for replacing passwords. Among them:
- Coming soon to a stomach near you: Let’s start strange. At a conference in late May, Regina Dugan, head of advanced research at Motorola, suggested that one day you’ll be able to take a pill every day that would verify your identity to all of your devices. The pill would have a tiny chip inside and when you swallow it, the acids in your stomach would power it up. That creates a signal in your body, which, in essence becomes the password. You could touch your phone or your laptop and be “authenticated in.” No, it’s not happening any day now, but the FDA has already approved its precursor—a pill that can send information to your doctor from inside your body. In other words, it’s a lot more plausible than it sounds.
- So, how about a tattoo that spells “password:” But that’s not all Dugan projected for the future. She also showed off an electronic tattoo. Motorola, now owned by Google, is working with a company named MC10, which has developed this “stretchable” tattoo with its own antenna and sensors embedded in it. It’s so thin, it can flex with your skin. And it would serve as your password, communicating with your devices and verifying that you are who you say you are.
- Now, what are all these keys for?: Back to the present. A Canadian company called PasswordBox is now offering a free app that remembers and automatically enters all your passwords across all your platforms. It signs you into websites, logs into apps, and enables you to securely share your digital keys with friends and loved ones—all through an app for your smartphone and a Chrome browser extension for your desktop. Its pitch is one-click login everywhere.
- Would my heart lie?: Another Canadian company called Bionym is building its business around the fact that heartbeats, like fingerprints, are unique. Its approach is to turn your heartbeat into a biometric pass code that’s embedded in a wrist band which, in turn, uses Bluetooth to let your machines know you’re the real deal.
Video bonus: Let’s go back to the future with John Chuang, a researcher at the UC Berkeley School of Information. He’s working on the idea of allowing people to verify their identities through their brain waves. Okay, at least hear him out.
Video bonus bonus: The Internet Password Minder is a stroke of…something. Even Ellen DeGeneres was impressed, in a funny way.
More from Smithsonian.com
How You Type Could Become Your New Password