Modern field guide to security and privacy

Opinion: How we can finally kill the password

Innovative biometric technology that relies on human traits as security measures is the answer to beating back threats from malicious hackers.


Michaela Rehle/Reuters

We're reaching the end of the password era – and it can't come soon enough.

If you need more evidence that the credentials we use to log into accounts are among the greatest cybersecurity weaknesses, the 2016 Verizon Data Breach Investigations Report noted that 63 percent of confirmed data breaches involved “leveraging weak/default/stolen passwords.” 

Even after years of education and awareness, people still use “123456” as their passwords (often across multiple devices and websites), share passwords with friends, or leave devices unprotected altogether.

While it’s easy to blame users for being lazy or blasé when it comes to securing passwords, the reality is that the deck is stacked against us. The problem is not that consumers do not know that they should use strong and unique passwords; it’s that it’s really hard to remember long strings of numbers and letters. It’s particularly difficult when asked to remember multiple passwords across all of our various accounts.

In many ways, our reliance on passwords turns human nature into a security vulnerability. But there's a way of using human nature to our advantage, too.

The theory of passwords is that users create a secret string of letters, numbers, and symbols that validates their identity. Ultimately, it's used to establish trust between a user and a network. When approached from this perspective, it opens the door to other ways to authenticate users. 

Fortunately, the tech industry is rapidly innovating on that front. It's looking for ways of using human behavior and characteristics – how we speak, our location, the way we type, our walking patterns, or facial features – to authorize users and ultimately create a safer and more secure internet.   

These changes won't replace the static password overnight. But some of this is already in use. Credit card companies and banks, for instance, are monitoring users' patterns to seek out potential fraud. That's why a transaction in Florida by a customer from Kansas raises suspicions and could trigger an account freeze. 

Similarly, social media companies often ask users to verify their location when they detect someone is logging in from an unknown location or on a different device. 

But the tech industry needs to do more to ensure biometric technology can effectively make us more secure. One solution is to take advantage of the technologies on our smartphones to improve authentication.

For example, the financial giant USAA recently announced an authentication scheme that uses facial recognition via the camera in a smartphone with an added twist. The app looks to see if you actually blink to make sure you're human before it grants access.

While passwords can be stolen, mimicking facial expressions – or so-called liveness detection – is a much tougher challenge. And the task for malicious hackers gets even tougher when you combine live facial recognition with other traits such as typing patterns or speech patterns.

Google is currently working on security technology that aims to combine that kind of multifactor authentication when granting users access to apps. Hopefully, other tech companies will follow their lead. It already seems like there's an appetite for it. Nearly half of millennial respondents polled already use biometric authentication in some fashion.

My guess is that few people would mourn the passing of the password. Another recent poll found up to 52 percent of people would prefer something other than passwords to access an account. In addition to being an imperfect and flawed system, remembering passwords has become a burden of the Digital Age.

So, let's work together to make passwords obsolete by embracing innovative techniques that increase our security. The future of cybersecurity doesn't need to be some deep dark secret code; it could simply be you.

Michael Kaiser is the executive director of the National Cyber Security Alliance. Follow him on Twitter @MKaiserNCSA.


You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to