I’ve been experimenting with some alternative password management schemes lately, which got me to thinking: what will replace passwords? They’ve been around a very long time, and yet remain largely unchanged as a mechanism, despite their ubiquity. They’re a little like toilet paper: they’re antiquated, they’re a pain in the ass if you use them too often, and they usually aren’t strong enough. Think of all of the things that have advanced so much in society over the last one thousand years, and passwords are still just some junk you remember. So what can be done about the fact that the only thing protecting our secrets is only as good as toilet paper?
Well…our options aren’t great. There’s biometrics, like fingerprints and retina scans; multi-factor authentication, like having a third party text you a six digit code to prove you’re you; USB “keys” which store your digital passcodes for you; and a host of other methods. But for the most part, these all suck. Why? Because the fundamental flaw with them is that people have to use them and, ultimately, we undermine the security of every system we interact with just by being forgetful, loud mouthed, lazy jerks. We can’t remember secrets, and even when we do, we tend to blabber about them, or make them easier to get at than we should. We are so bad with secrets that it can actually impact our health negatively to keep them.
So there’s the rub: we need information systems because our own brains are inadequate to store all of the data we want to keep, and we need security systems to protect that data because our brains injure themselves in the process of keeping secrets. The cherry-on-top is that our brains are inadequate to properly use the systems we build to secure that data. What a nightmarish confluence of circumstances this can turn out to be for security professionals.
Perhaps the problem is that we secure only what we want to keep secret, and everything else is readily available. Perhaps if our approach was to secure everything, forever, we would stop focusing on ways to keep only specific things a secret. After all, it really complicates things to set up a bunch of rules and methods for securing all sorts of different things. Why not just secure it all? Done. But we still haven’t replaced passwords by deciding that everything needs to be secured. Google has some ideas, some of which I mentioned above, but none of them are much more than a way to kick the password can down the road somehow. None of them are truly revolutionary.
It seems as though the real solution here is to be able to have a machine identify a human being as a true, living, breathing individual, with completely unique attributes. Earlier this year, CNBC reported on an effort underway by Intel to do just that: give a machine the senses it needs to “feel” who you are when you’re using it. No more typing credentials, no more stealing fingerprints, no more tricks. The computer would use dozens of parameters about the individual sitting in front of it to determine if their attempts to access something are legitimate, and it would do so with even more detail than an actual interaction between two human beings. Which is good, because that often doesn’t go well when it comes to security.
Our technology is getting better and better at solving problems by mimicking organic behaviors and processes. The irony (I think?) is that many of our biggest problems, replacing passwords included, could be solved if we worked harder at mimicking our technology.