Out of business?

Photographer: Sean Gallup/Getty Images

It's OK. Forget Your Passwords.

Leonid Bershidsky is a Bloomberg View columnist. He was the founding editor of the Russian business daily Vedomosti and founded the opinion website Slon.ru.
Read More.
a | A

This week, Google's e-mail service Gmail made a tiny change to its log-in procedure. A first screen asks for a username and leads to a separate screen asking for a password. It's a sign of big things to come.

Omer Karatas, a co-founder of the digital security start-up Saaspass, recently told me that participants in last month's RSA conference in San Francisco -- a forum for cryptographers and cybersecurity professionals -- were in broad agreement that passwords were an unacceptable risk. "There was a panel with the heads of security of Dropbox, Amazon Web Services, Rackspace, Google for Work, Microsoft 365," Karatas said, "and when asked about what the biggest issue for the Internet that needed solving, it was like a chorus: 'Passwords need to go.' The only question is how.'"

QuickTake Cybersecurity

In an announcement about the new Gmail log-in screen, Google mentioned it was "working towards introducing new authentication solutions that complement traditional passwords." Splitting the log-in page was a step in this direction, but the goal is to eliminate passwords entirely.

Most computer breaches involve password theft. Hackers can steal them by invading corporate systems -- they have accumulated millions of stolen username-password combinations -- or by picking weak passwords by brute force, which is what apparently happened with the mass theft of nude celebrity pictures from Apple's iCloud last year. No matter how much companies invest in security, there can always be a vulnerability. LinkedIn users have sued the company for weak security that allowed hackers to obtain millions of passwords, but they continue to be vulnerable. And no matter how often people are told to create separate, strong passwords for every application, they will keep using their birthdays and children's names, because our memory is finite.

Technology that identifies users without a password already exists. Google recently presented its advances in facial recognition technology based on artificial intelligence. Intel promises to release an app  that will replace passwords with facial scans.

The latest version of the Google's Android mobile operating system provides for unlocking a phone when it is connected to a trusted Bluetooth device or a near-field communication tag, or even when the user is in a "trusted location" -- the phone's geolocation feature takes care of that.

There are identification techniques based on scanning barcodes with a mobile phone: Saaspass, which has 60 people working on eliminating passwords, uses this technology among others. Another solution is to generate one-time access codes that are sent to a user's phone or produced by a special app. That's what Google uses for so-called two-factor authentication, a feature it pushes to Gmail users. Many online banks also rely on these one-time codes.

Fingerprint scanners, whose price is expected to drop below $5 this year, making it possible to include them in the cheapest phones, are another possibility.

All of these authentication techniques, however, still require the use of a password. A phone can be stolen, the location feature can be misled, and there have been successful hacks of fingerprint scanners, as well as embarrassing accidents with facial recognition systems. Besides, it's always harder to breach two levels of defense than one.

Yet hackers have tricked two-factor authentication, too. 

Another problem is that many of the inventive identification methods are only available to people with the newest gadgets running the most up-to-date software. The world is full of late adopters and non-adopters, however, and major Internet companies such as Google and Facebook cannot afford to demand that all their users upgrade their equipment to be safe.

The solution will probably be a combination of two non-password authentication methods -- say, facial recognition and a phone running a code-generating app, or a fingerprint scan and a text message. Then no one will need to store or remember passwords, and fingerprint scans from a corporate database will be useless to thieves. That, however, won't happen until companies are reasonably sure the technology is reliable and an overwhelming majority of their users have the means to switch. I'm ready: There's no way I can remember all those passwords. 

This column does not necessarily reflect the opinion of Bloomberg View's editorial board or Bloomberg LP, its owners and investors.

To contact the author on this story:
Leonid Bershidsky at lbershidsky@bloomberg.net

To contact the editor on this story:
Max Berley at mberley@bloomberg.net