The Future of Internet Passwords
As more of life happens online, from banking to socializing, the number of usernames and complex passwords we must keep track of has multiplied to staggering proportions. Is there an end in sight for having to create so many different logins?
Looking ahead, experts predict that we will further embrace "universal logins" that let us sign in once to gain access to our Web services. Before long, cell phones may serve as personal keys to our own online kingdom. Secure logins might be based more on physical characteristics, such as iris patterns and voices, which cannot be forgotten or misplaced. And further down the road, we may transcend the need for passwords online as we become truly integrated into the electronic realm.
To be effective, today's usernames and passwords often require a complex mix of capital letters, numerals and special characters, such as a pound symbol, with requirements varying by Web site. Although onerous, these requirements have been widely adopted and successful in discouraging registrants from picking easy passwords, such as the name of their pet or a common dictionary word, explained Matt Bishop, a computer scientist at UC Davis.
From a security point of view at least, that's a good thing. But remembering several complex and hopefully effective passwords can be a bad thing.
For many people, the pain of logging in has been eased via "password managers." These programs, usually part of Web browsers such as Mozilla Firefox, remember usernames and passwords and automatically populate these fields onscreen.
While sparing some keystrokes and aggravation, this setup poses an obvious security threat if a computer is stolen. It can also leave one in the lurch when trying to sign into Web sites from another computer.
In place of juggling dozens of logins or relying on password manager prompts, many "single sign-on" services have emerged, which create a master login that then works across different Web sites.
The idea is akin to a government agency authenticating citizens' identities and providing a driver's license. This document is then broadly accepted as proof of identity, allowing someone to open a bank account, say, or buy an alcoholic drink.
In the online world, this credential translates to accessing multiple services. Some 9 million Web sites now accept the single sign-on called OpenID that is authenticated and issued by big companies including Google and Yahoo!.
"You are only authenticating with a single provider and not scattering your identity across the Internet," said Brian Kissel, CEO of JanRain and chairman of the OpenID Foundation.
The single sign-on trend continues to attract big names. Facebook – which also accepts OpenID – launched its own universal login service called Facebook Connect about a year ago.
Yet critics of single sign-on cite the "all eggs in one basket" risk it carries – if one Web site's security is compromised, then all others accepting a user's single sign-on can be as well.
Plus, electronic credentials, much like driver's licenses, can be forged, especially over the Internet.
In just a few years, Bob Blakley of the research firm Burton Group thinks single sign-on will instead be done right from our cell phones. Though cell phones can be lost, people have developed almost a "psychic affinity" for them, Blakley said, realizing quickly when the device is gone, unlike an electronically hacked username and password. In this way, cell phones could act as the "keys" to let us securely log in to our computers or right into our Web services without entering additional sign-ins once there.
"Cell phones today are already smarter than the computers that took Apollo 11 to the moon," Blakley told TechNewsDaily. "They have plenty of horsepower to do very secure things in terms of authenticating us to remote Web sites," he said.
These things include technologies based on biometrics – the measurement of a unique or highly personal physical characteristic, such as fingerprints or iris patterns, to prove identity.
"You are your own key and that's the advantage with biometrics – you don't have to carry [identification] cards or remember passwords," said Vic Herring, vice president of sales and business development for the Advanced Technology Group for Fujitsu Frontech North America.
Herring's company makes the Palm Secure, a desktop device geared for businesses that uses near-infrared light to read the vein patterns in employees' palms for secure logins. Herring said the device's false acceptance rate is just 0.0008 percent compared to about one percent for the fingerprint scanners commonly found on laptops.
But however low error rates get, all biometrics are inherently unreliable at some statistical level, said Blakley. "Biometrics doesn't identify you, it merely establishes a probability of having identified you and this is never 100 percent," he said.
Furthermore, environmental conditions can mess up biometric-based logins. A noisy airport can interfere with voice recognition, for example, not to mention a voice-altering cold or injury. "With biometrics, you need to take into account illnesses and natural changes," said Bishop.
Recognizing the future
In perhaps a decade, Blakley thinks, logging in will no longer rely on authentication – proving who one is to a computer or an online registry. Instead, recognition will take over.
As bandwidth continues to increase, electronic presences will increase to such an extent that Web services and companies will be able to tell who one is without the online consumer having to present a secret code.
The traditional logging in with a username and password might go the way of the floppy disk.
Still, despite their flaws, passwords have a long historical precedent that may be hard to break from in the future online world. "I don't think passwords are ever going to be going away," Bishop said. "I think we will always be using them for something."