Lost passwords, lost identity?

Yahoo's plans to do away with passwords highlights the pitfalls of weak authentication and the tech's surprising resilience

Password and username box

Inside the Enterprise: The search for a viable alternative to the humble password has kept IT experts busy for at least a decade.

Both in enterprises, and for companies providing services to the public over the internet, reliance on passwords is a source of concern. They are too easily guessed, hacked, and forgotten.

Advertisement - Article continues below

Yahoo is just the latest company to call time on the password. In the US, the firm is moving towards a system of one-time codes sent via SMS or text messages to users. Already used as an additional authentication step by banks, one-time codes fulfil one of the key tests of multi-factor authentication: something you have, something you know, and something you are.

Passwords are, of course, something we know. The problem is that they are all too easily forgotten. This prompts users to pick either simple passwords "Password" is a favourite - to write them down, or to use one password for multiple online services. Even worse, from an enterprise point of view, are users who reuse a corporate password on a home device, or vice versa.

A one-time code, of the type being developed by Yahoo, replaces something you know by something you have. In fact, it works by requiring two things: the user needs to have both a device, in this case a phone, and the unique code.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Codes are usually only valid for a short period of time, and as the name suggests, can only be used once. But such systems are not flawless. A four-digit code, as Yahoo is suggesting, is not especially hard to crack.

Then there is the physical challenge of sending authentication codes to a mobile device. Phones can be lost, run out of power, or be in an area where there is no signal.

If a user cannot access their device, then the options are either to lock them out of the service, until they can receive an SMS, or fall back on a weaker system of authentication. Typically, that's a password and some basic information, such as the user's mother's maiden name.

None the less, companies are continuing to look at alternatives to passwords, if only to reduce the time and money spend on resetting lost, stolen, or forgotten IDs.

But some identity and privacy experts argue that it would be better if the industry came together and developed a common system, which consumers and businesses cold use for authentication across a range of services, rather than just one.

Advertisement - Article continues below

"It is not just Yahoo doing it, but passwords for them are a nightmare," said Paul Simmonds, CEO of the Global Identity Foundation. "The problem is they are putting in bespoke solutions. So we are moving to yet another bespoke solution. We need to a common solution everyone agrees on, rather than bespoke."

Those alternatives, though, have to appeal to users as well as to service operators.

"Alternatives have to be usable and desirable Robert Lapes, head of identity advisory services at CapGemini. "People must want to use it and be able to use it effectively. We have to work harder at making things easier."

And that will mean no more passwords on a sticky label under the keyboard, please.

Stephen Pritchard is a contributing editor at IT Pro.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now
Advertisement
Advertisement

Recommended

Visit/security/cyber-security/356147/businesses-could-ditch-passwords-for-new-cryptographic-key-system
cyber security

Businesses could ditch passwords for new cryptographic key system

19 Jun 2020
Visit/back-up/29084/how-to-enhance-your-backup-strategy
backup

How to enhance your backup strategy

27 Feb 2020
Visit/security/29068/is-your-company-taking-enough-accountability-on-cybersecurity
Security

Are you taking enough accountability on cyber security?

18 Dec 2019
Visit/security/29204/how-can-you-protect-your-business-from-crypto-ransomware
Security

How can you protect your business from crypto-ransomware?

4 Nov 2019

Most Popular

Visit/laptops/29190/how-to-find-ram-speed-size-and-type
Laptops

How to find RAM speed, size and type

24 Jun 2020
Visit/cloud/356260/the-road-to-recovery
Sponsored

The road to recovery

30 Jun 2020
Visit/business-strategy/it-infrastructure/356258/the-growing-case-for-it-flexibility
Sponsored

The growing case for IT flexibility

30 Jun 2020