Lost passwords, lost identity?

Yahoo's plans to do away with passwords highlights the pitfalls of weak authentication and the tech's surprising resilience

Password and username box

Inside the Enterprise: The search for a viable alternative to the humble password has kept IT experts busy for at least a decade.

Both in enterprises, and for companies providing services to the public over the internet, reliance on passwords is a source of concern. They are too easily guessed, hacked, and forgotten.

Yahoo is just the latest company to call time on the password. In the US, the firm is moving towards a system of one-time codes sent via SMS or text messages to users. Already used as an additional authentication step by banks, one-time codes fulfil one of the key tests of multi-factor authentication: something you have, something you know, and something you are.

Passwords are, of course, something we know. The problem is that they are all too easily forgotten. This prompts users to pick either simple passwords "Password" is a favourite - to write them down, or to use one password for multiple online services. Even worse, from an enterprise point of view, are users who reuse a corporate password on a home device, or vice versa.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

A one-time code, of the type being developed by Yahoo, replaces something you know by something you have. In fact, it works by requiring two things: the user needs to have both a device, in this case a phone, and the unique code.

Codes are usually only valid for a short period of time, and as the name suggests, can only be used once. But such systems are not flawless. A four-digit code, as Yahoo is suggesting, is not especially hard to crack.

Then there is the physical challenge of sending authentication codes to a mobile device. Phones can be lost, run out of power, or be in an area where there is no signal.

If a user cannot access their device, then the options are either to lock them out of the service, until they can receive an SMS, or fall back on a weaker system of authentication. Typically, that's a password and some basic information, such as the user's mother's maiden name.

None the less, companies are continuing to look at alternatives to passwords, if only to reduce the time and money spend on resetting lost, stolen, or forgotten IDs.

But some identity and privacy experts argue that it would be better if the industry came together and developed a common system, which consumers and businesses cold use for authentication across a range of services, rather than just one.

Advertisement - Article continues below

"It is not just Yahoo doing it, but passwords for them are a nightmare," said Paul Simmonds, CEO of the Global Identity Foundation. "The problem is they are putting in bespoke solutions. So we are moving to yet another bespoke solution. We need to a common solution everyone agrees on, rather than bespoke."

Those alternatives, though, have to appeal to users as well as to service operators.

"Alternatives have to be usable and desirable Robert Lapes, head of identity advisory services at CapGemini. "People must want to use it and be able to use it effectively. We have to work harder at making things easier."

And that will mean no more passwords on a sticky label under the keyboard, please.

Stephen Pritchard is a contributing editor at IT Pro.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/security/29068/is-your-company-taking-enough-accountability-on-cybersecurity
Security

Are you taking enough accountability on cyber security?

18 Dec 2019
Visit/security/29204/how-can-you-protect-your-business-from-crypto-ransomware
Security

How can you protect your business from crypto-ransomware?

4 Nov 2019
Visit/back-up/29084/how-to-enhance-your-backup-strategy
backup

How to enhance your backup strategy

10 Oct 2019
Visit/data-loss-prevention/28864/data-recovery-why-is-it-so-important
data recovery

Data recovery: Why is it so important?

9 Oct 2019

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/policy-legislation/general-data-protection-regulation-gdpr/354577/data-protection-fines-hit-ps100m
General Data Protection Regulation (GDPR)

Data protection fines hit £100m during first 18 months of GDPR

20 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020