IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Lost passwords, lost identity?

Yahoo's plans to do away with passwords highlights the pitfalls of weak authentication and the tech's surprising resilience

Password and username box

Inside the Enterprise: The search for a viable alternative to the humble password has kept IT experts busy for at least a decade.

Both in enterprises, and for companies providing services to the public over the internet, reliance on passwords is a source of concern. They are too easily guessed, hacked, and forgotten.

Yahoo is just the latest company to call time on the password. In the US, the firm is moving towards a system of one-time codes sent via SMS or text messages to users. Already used as an additional authentication step by banks, one-time codes fulfil one of the key tests of multi-factor authentication: something you have, something you know, and something you are.

Passwords are, of course, something we know. The problem is that they are all too easily forgotten. This prompts users to pick either simple passwords "Password" is a favourite - to write them down, or to use one password for multiple online services. Even worse, from an enterprise point of view, are users who reuse a corporate password on a home device, or vice versa.

A one-time code, of the type being developed by Yahoo, replaces something you know by something you have. In fact, it works by requiring two things: the user needs to have both a device, in this case a phone, and the unique code.

Codes are usually only valid for a short period of time, and as the name suggests, can only be used once. But such systems are not flawless. A four-digit code, as Yahoo is suggesting, is not especially hard to crack.

Then there is the physical challenge of sending authentication codes to a mobile device. Phones can be lost, run out of power, or be in an area where there is no signal.

If a user cannot access their device, then the options are either to lock them out of the service, until they can receive an SMS, or fall back on a weaker system of authentication. Typically, that's a password and some basic information, such as the user's mother's maiden name.

None the less, companies are continuing to look at alternatives to passwords, if only to reduce the time and money spend on resetting lost, stolen, or forgotten IDs.

But some identity and privacy experts argue that it would be better if the industry came together and developed a common system, which consumers and businesses cold use for authentication across a range of services, rather than just one.

"It is not just Yahoo doing it, but passwords for them are a nightmare," said Paul Simmonds, CEO of the Global Identity Foundation. "The problem is they are putting in bespoke solutions. So we are moving to yet another bespoke solution. We need to a common solution everyone agrees on, rather than bespoke."

Those alternatives, though, have to appeal to users as well as to service operators.

"Alternatives have to be usable and desirable Robert Lapes, head of identity advisory services at CapGemini. "People must want to use it and be able to use it effectively. We have to work harder at making things easier."

And that will mean no more passwords on a sticky label under the keyboard, please.

Stephen Pritchard is a contributing editor at IT Pro.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Apple, Google, Microsoft expand their support for password-less sign-ins
cyber security

Apple, Google, Microsoft expand their support for password-less sign-ins

6 May 2022
NordPass teams up with insurance provider Cowbell Cyber to improve security awareness
cyber security

NordPass teams up with insurance provider Cowbell Cyber to improve security awareness

18 Feb 2022
NCA donates 225 million passwords to Have I Been Pwned
cyber security

NCA donates 225 million passwords to Have I Been Pwned

21 Dec 2021
Top 200 most common passwords of 2021 revealed
cyber security

Top 200 most common passwords of 2021 revealed

10 Dec 2021

Most Popular

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks
Security

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022
Open source giant Red Hat joins HPE GreenLake ecosystem
automation

Open source giant Red Hat joins HPE GreenLake ecosystem

28 Jun 2022
Carnival hit with $5 million fine over cyber security violations
cyber security

Carnival hit with $5 million fine over cyber security violations

27 Jun 2022