Lost passwords, lost identity?

Yahoo's plans to do away with passwords highlights the pitfalls of weak authentication and the tech's surprising resilience

Password and username box

Inside the Enterprise: The search for a viable alternative to the humble password has kept IT experts busy for at least a decade.

Both in enterprises, and for companies providing services to the public over the internet, reliance on passwords is a source of concern. They are too easily guessed, hacked, and forgotten.

Yahoo is just the latest company to call time on the password. In the US, the firm is moving towards a system of one-time codes sent via SMS or text messages to users. Already used as an additional authentication step by banks, one-time codes fulfil one of the key tests of multi-factor authentication: something you have, something you know, and something you are.

Passwords are, of course, something we know. The problem is that they are all too easily forgotten. This prompts users to pick either simple passwords "Password" is a favourite - to write them down, or to use one password for multiple online services. Even worse, from an enterprise point of view, are users who reuse a corporate password on a home device, or vice versa.

A one-time code, of the type being developed by Yahoo, replaces something you know by something you have. In fact, it works by requiring two things: the user needs to have both a device, in this case a phone, and the unique code.

Codes are usually only valid for a short period of time, and as the name suggests, can only be used once. But such systems are not flawless. A four-digit code, as Yahoo is suggesting, is not especially hard to crack.

Then there is the physical challenge of sending authentication codes to a mobile device. Phones can be lost, run out of power, or be in an area where there is no signal.

If a user cannot access their device, then the options are either to lock them out of the service, until they can receive an SMS, or fall back on a weaker system of authentication. Typically, that's a password and some basic information, such as the user's mother's maiden name.

None the less, companies are continuing to look at alternatives to passwords, if only to reduce the time and money spend on resetting lost, stolen, or forgotten IDs.

But some identity and privacy experts argue that it would be better if the industry came together and developed a common system, which consumers and businesses cold use for authentication across a range of services, rather than just one.

"It is not just Yahoo doing it, but passwords for them are a nightmare," said Paul Simmonds, CEO of the Global Identity Foundation. "The problem is they are putting in bespoke solutions. So we are moving to yet another bespoke solution. We need to a common solution everyone agrees on, rather than bespoke."

Those alternatives, though, have to appeal to users as well as to service operators.

"Alternatives have to be usable and desirable Robert Lapes, head of identity advisory services at CapGemini. "People must want to use it and be able to use it effectively. We have to work harder at making things easier."

And that will mean no more passwords on a sticky label under the keyboard, please.

Stephen Pritchard is a contributing editor at IT Pro.

Featured Resources

Preparing for AI-enabled cyber attacks

MIT technology review insights

Download now

Cloud storage performance analysis

Storage performance and value of the IONOS cloud Compute Engine

Download now

The Forrester Wave: Top security analytics platforms

The 11 providers that matter most and how they stack up

Download now

Harness data to reinvent your organisation

Build a data strategy for the next wave of cloud innovation

Download now

Recommended

1Password Business review: First choice for business travel and guest accounts
Security

1Password Business review: First choice for business travel and guest accounts

16 Jul 2021
Keeper Security review: Keeps corporate password management simple
Software

Keeper Security review: Keeps corporate password management simple

9 Jul 2021
Dashlane review: A very web-focused password manager
Security

Dashlane review: A very web-focused password manager

2 Jul 2021
LastPass review: Great to administrate, a little clunky to use
Software

LastPass review: Great to administrate, a little clunky to use

25 Jun 2021

Most Popular

Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021
Zyxel USG Flex 200 review: A timely and effective solution
Security

Zyxel USG Flex 200 review: A timely and effective solution

28 Jul 2021