The primary means of authentication on the Internet is the password—a half-century old, shared secret mechanism that is difficult to use (especially on mobile devices) and has acknowledged security flaws including attacks at scale. Even so, passwords remain the most prevalent form of authentication with efforts to enhance security typically relying on “bolt on” solutions that increase user friction.

Traditional wisdom holds that increased levels of security are proportional to increased complexity/difficulty. For example, a door with a lock is generally regarded as a more secure “barrier to entry” than one without. Two-factor authentication is regarded by some as superior to passwords alone. Both are more difficult to use yet may not provide enhanced security in practice.

In the physical world, if the door is most commonly used by individuals whose hands are full, a locked door becomes an unacceptable impediment and the door may be left unlocked. In the virtual world, two-factor options may be so expensive and/or difficult to use that the vast majority of users refuse to employ them. There are also compelling arguments and evidence that two-factor mechanisms offer little in the way of improved security over passwords alone.

Theory

The “holy grail” of authentication on the Internet is a mechanism that is both easy-to-use and secure. Passwords are neither and our “quest” requires that we abandon traditional thinking. Attempts to “improve passwords” are destined to fail. They are difficult to use, complex, and like any shared secret, a significant vulnerability. The costs associated with them as we move to the next billion users forces us to seek alternatives.

With improvements of late, biometric technology has the potential to offer us an alternative to passwords. Where passwords are complex and difficult to use, biometrics can be simple and easy. When properly deployed, biometric technology can also be secure, privacy respecting, and widely adopted. Improperly deployed, it can be no better than passwords, offer no protection against attacks at scale, present unacceptable risks to privacy, and consequently fail to be adopted.

Security practitioners are fortunate that Apple, with the introduction of TouchID, has assured consumer acceptance of a biometric device as an easy-to-use means of authentication. Competitors have followed suit adding biometric sensors enabling authentication via fingerprint and iris scan. More will follow and we can expect most end-user devices to come with a biometric sensor with new product introductions. They will also be easy-to-use, if they are to compete.

Security, privacy, and mitigation of attacks at scale must also be addressed if biometrics are to catalyze the paradigm shift away from passwords. Fortunately, it is possible to address each of these issues using well-known techniques. Asymmetric keys negate the vulnerabilities inherent in any shared secret scheme and can eliminate a significant source of attacks at scale. Local authentication, and retention of any biometric artifacts, ensures that no biometric information is ever “placed on the wire” or in the cloud. If the solution is to be used for more than one site, consideration must be given to mitigate or eliminate cross correlation.

Practice

The Fido Alliance, is dedicated to the replacement of passwords as the means of authentication for online services. Its members represent some of the most recognizable brand names on the Internet, and even more that are not. Together, they have developed principles, specifications, and guidelines for protocols that when coupled with biometric-enabled devices allow online service providers to replace passwords with easy-to-use, secure, and privacy respecting mechanisms for authenticating users. The specifications also require local authentication, no biometric data on the wire, no protocol artifacts that can be used for cross correlation, and asymmetric encryption.

Alliance members are fabricating sensors and components that comply with the specifications. Device manufacturers are offering handsets with these components.. Platform vendors are providing native support. An easy-to-use asymmetric key system has been developed. Relying parties are deploying.

AliPay, Bank of America, Dropbox, Google, Microsoft, NTT Docomo, and PayPal have deployed early versions. Samsung, LG, and Sharp are shipping handsets. Qualcomm is embedding support into chip sets. Intel has joined the effort. These individual efforts will ultimately result in a consistent, easy-to-use consumer experience.

Early adopters, will incur costs beyond those that follow. Increased engineering, development, and operational costs can be expected until a fully developed, mature, standardized, widely adopted experience is available. This transition from prototype to mature implementation will occur over the next several years as the protocol(s) mature and are sedimented into platforms. As that occurs, first-to-market advantage will belong to those with deployment experience and the ability to rapidly switch from password to password-less.

Upside

Passwords are a frequent target of phishing attacks. Password databases are similarly a loved target of the malevolent. Eliminating these targets enhances security and likely leads to reduced fraud. However, the real upside to eliminating passwords is capturing the next billion users. They will be less technologically savvy and more likely to adopt easy-to-use (even if not more secure) online services. Being positioned with an easy-to-use, secure, and privacy respecting authentication mechanism that satisfies the demands of existing customers and encourages new customer adoption without the inherent risks associated with passwords makes good business sense.

A standards-based approach for replacing passwords makes technological sense. Site- or platform-specific implementations are costly to develop, difficult to debug, expensive to deploy, and likely fail to provide a common user experience that is essential for ease-of-use. Business and technology leaders should recognize the opportunity before us. It’s a once-in-a-lifetime thing.

Replace passwords. Now.