When Passwords Are a Touchy Subject

By Samuel Greengard
For years, we've been mired in password hell. It's simply impossible to create distinct passwords for every account—as security experts recommend—and remember all of them. As a result, many consumers and employees create weak passwords that are easily guessed or cracked, or reuse a single password that potentially delivers the keys to the entire kingdom.
It's a nightmare for consumers as well as CIOs, CSOs and CISOs.
Along the way, there's been almost endless discussion about biometrics and more advanced solutions. Yet, despite all the hype and the acknowledged potential of biometric technologies, they have been relegated mostly to niche uses. Unfortunately, there is no way to use a single biometric authentication method across websites, apps or services.
However, the landscape may be changing—and from a most unexpected source. When Apple introduced Touch ID in 2013, it was viewed as a way to unlock an iPhone and use Apple Pay. But it's now becoming clear that the built-in security—and the ability to generate disposable virtualized tokens—has far deeper ramifications.
For example, Bank of America recently announced that it is introducing Touch ID and Apple Pay to authenticate users at ATMs. Instead of punching in a PIN at a terminal, customers can use their iPhone, Apple Pay and fingerprint to withdraw money and handle other tasks. Wells Fargo and Chase are reportedly following suit.
Meanwhile, Apple recently announced that it will allow Touch ID and Apple Pay to work with Mac computers to authenticate and automate purchases via an adjacent iPhone or Apple Watch. This eliminates the need to manually enter credit card details. A purchase is reduced to a single-step process controlled by a fingerprint.
Yet, smartphones and biometrics represent something else: a highly secure way to authenticate and log into a site or system without the use of a password. This approach could potentially be used across the Web as well as for consumers and enterprise employees connecting to Macs or PCs. It could ultimately reduce, if not eliminate, the need for passwords as well as more complex two-factor authentication methods.
Of course, any change to the status quo will come slowly and incrementally. Yet, whether it's Apple, Google, Microsoft, various security vendors or others—or some combination of the above—let's hope that someone puts 2+2 together to come up with a better system. Mobile device authentication may be just the ticket.