This story is over 5 years old.

These Guys Want to Obliterate Passwords

When passwords fail, it's time to start thinking about what we have to offer our security devices: fingerprints, eyeballs and voices are a start.

After 50 years of hiding our valuables behind passwords, a world without the ubiquitous security measure may sound scary to some, utopian to others. In any case, a post-password world is an inevitability we need to prepare for sooner rather than later.

In the process of investing more of ourselves into computers, and of nestling deeper into the cloud, we've passively entrusted key components of our personal lives to an edifice most of us don't fully understand, and guarded against attack with simple seven- or eight-character shields. As a safety barrier, the password has already failed us many times over—just ask Mat Honan, the tech writer who last August nearly lost all the photos of his one-year-old daughter, along with personal documents, in the hack heard round the world.

"Password-based security mechanisms—which can be cracked, reset, and socially engineered—no longer suffice in the era of cloud computing," Honan wrote at the time. Especially in an era in which "password" is the most popular password on the web. That was the case in 2012 and 2011, according to computer firm SplashData's list of most commonly used passwords. Runners-up included "123456," "jesus" and "trustno1."

And so it is this year, two thousand and thirteen, that representatives from our proudest technology companies have chosen to upend the traditional password system and save the fair users of Internetland from our own glaring password ineptitude. This fall, the group Fast Identity Online (FIDO) will roll out a new method of data protection, one leaning more heavily on a seldom-used third dimension of security authentication.

"Our intention is to really obliterate, within a certain number of years, both passwords and PINs and see the whole Internet—including internally in enterprises—obliterate user IDs and passwords and PINs from the face of the planet," said Michael Barrett, PayPal's chief information security officer, at an IT conference in Las Vegas last week. "Left to their devices users will pick horrible passwords and then they'll reuse them all over the place."

Barrett leads FIDO, a newly formed group focused on revamping personal security standards. The group is advocating that people carry around small devices, linked to FIDO, that are capable of identifying and authenticating users on the spot. FIDO would act as an intermediary in the security process.

A popular security standard these days is what's called two-factor authentication, which relies on two ingredients: something a person knows, plus something a person has. For example, to access your bank account you need your physical ATM card and a PIN. For Gmail, you need your phone to receive a one-time key to pair with your regular old password.

FIDO wants to introduce a third puzzle piece to the process: something a person is. As in, something that can't be (easily) stolen, replicated or falsified. Your fingerprint, for example, or your eyeball or your voice. FIDO aims to support all three of those via eye scanners and fingerprint and voice readers; facial recognition is also on the table.

In his presentation at the conference, Barrett noted that Apple last year acquired a company developing fingerprint reading technology; he speculates that the next iPhone will come equipped with it. Imagine screen locks opened with a swipe of your digit, rather than by 4-digit PINs.

Google, PayPal, Lenovo, Nok Nok Labs, NXP and other tech companies are members at FIDO's round table.

In the meantime, we'll keep piling up the passwords, re-using the same (probably inept) password, or daisy-chaining our personal accounts together. All of the roads currently paved lead to ends both unsafe and inconvenient, Barrett says. If it's not soon fixed, he says, "the average user will be looking for a rope and a tree, either to hang themselves or hang us, I'm not sure which."

Case in point: Honan. "I’m also upset that this ecosystem that I’ve placed so much of my trust in has let me down so thoroughly… someone can make thousands of dollars of purchases in an instant, or do damage at a cost that you can’t put a price on," he wrote. It's time we all lost our trust in that system, as it's not worthy of it right now. But developments on the horizon will hopefully change that.