Why the password still isn't dead

Everyone hates the old authentication methods. But change comes with its drawbacks.

There are some sci-fi promises the future is supposed to keep: jetpacks, flying cars, and a Mars colony. But there are also some seemingly achievable goals that somehow always feel just on the horizon. And one of them is the end of passwords. The good news is that the infrastructure - across all major operating systems and browsers - largely supports passwordless login. The less good news? You will still be entering passwords on multiple sites and services every day, and you will for a while.

There is no doubt that passwords are an absolute security nightmare. Creating and managing them is annoying, so people often reuse them or choose predictable ones - or both. Hackers could not be happier. In contrast, passwordless logins authenticate with attributes that are inherent and difficult to steal, such as biometrics. Nobody is going to guess your fingerprint.

When you unlock your phone, for example, by scanning your face or finger instead of entering a password, you are using some version of this. These mechanisms work locally on your phone, and companies don't need to store a large number of user passwords - or sensitive biometric details - on a server for login verification. You can now also use standalone physical tokens for wireless and password-free access in certain cases. The idea is that you'll eventually be able to do this for just about anything. Why does Mark Risher, Google's senior product manager for identity and security operating systems, still password says:

In late June, Microsoft's Windows 11 announcement included deeper integration of passwordless logins, especially for logging in to devices using biometrics or personal identification numbers. Apple announced a few weeks ago that its new iOS 15 and macOS Monterey will include a new option called Passkeys in iCloud Keychain, a step toward using biometrics or device PINs to sign in to more services. And in May, Google discussed its efforts to improve secure password management while trying to move customers away from passwords.

Despite these and other industry efforts to bring developers on board with a password-free world, providers and users face two major challenges. One is that while passwords are disliked everywhere, they are all too familiar and widespread. It is not easy.

“This is a learned behavior. Set — the first thing you do is set up a password,” says Andrew Shikiar, CEO of the FIDO Alliance, a longstanding industry association. “So the problem is that we depend on a really weak foundation. What we need to do is break that dependence.”

This has been a painful detox. A dedicated FIDO team has been studying user experience for the past year to advise not only on the passwordless technology itself, but also on how to present it to the general public so that people better understand the security benefits. FIDO says organizations that implement password-free standards find it difficult to get users to adopt the feature, so the consortium has published user experience guidelines it believes will help with framing and presentation. “If you succeed, they will come,” Shikiar wrote last month.

The second hurdle is more complex. However, owning one is still beyond the reach of the average person. In practice, this is a relatively narrow case. Many people around the world share devices and cannot upgrade them regularly or use special phones if they are available.

As password-free implementations become increasingly standardized, so have account recovery options. When security questions or PINs are provided as a backup option, you are still only using passwords in a different format. So passwordless schemes are moving toward systems where a previously authenticated device can designate a new device as trusted. "Let's say you left your phone in a cab, but your laptop is still at home," says Google's Risher. "You get a new phone and use your laptop to bless the phone, and you can backup yourself somehow. And then when someone finds your lost phone, it stays protected by the local device lock." You don't want to simply shift the password problem onto account recovery.

Sure, this is easier than keeping track of backup codes in a tab, but again, it raises the issue of creating options for people who don't or can't maintain multiple personal devices.

As passwordless login becomes more prevalent, these practical questions about the transition remain. 1Password, which naturally has a stake in the continued dominance of passwords, says it is happy to accept password-free authentication everywhere it makes sense. For example, on Apple's iOS and macOS, you can unlock the 1Password beta using Touch ID or Face ID instead of typing your master password.

There are subtle differences between the master password that locks a password manager and the passwords stored within it. The passwords in the vault are used to authenticate to servers that also store a copy of the password. The master password that locks your vault is yours alone. "You never know," says Akshay Bhargava, Chief Product Officer at 1Password.

Passwordless login is, at least for now, a better fit for some scenarios. He also noted that some long-term concerns about password alternatives remain. For example, biometrics are ideal in many ways for authentication, as they virtually convey your unique physical presence. But the widespread use of biometrics this year raises the question of what happens if information about, say, your fingerprint or face is stolen and can be falsified by attackers. And while you can change your password at will - arguably its best quality as an authenticator - your face, finger, voice, or heart rate are immutable. Creating a password-free ecosystem that can replace all the functionality of passwords will take more time and experimentation, especially one that does not leave behind the billions of people without a smartphone or multiple devices. Sharing accounts with trusted people is more difficult in a passwordless world, and tying everything to a single device like your phone gives hackers more incentive to compromise that device.

Until passwords are completely gone, you still have to deal with them. WIRED's recommendation for years has been to use strong and unique passwords, a password manager (there are many good options), and two-factor authentication wherever you can. But when you see the option to go passwordless on some of your most sensitive accounts, like when you set up Windows 11, you might feel a weight lift that you didn't even know existed.

This story first appeared on
