There is probably no single thing in Information Security that has been declared dead as frequently as the password. Unfortunately, it isn't dead yet, and it is far from dying. Far from it! The password will survive all of us.
That thesis seems to stand in stark contrast to the rise of strong online identities. But weak online identities, such as device IDs or the identifiers of things, will not make the password obsolete as an alternative to username and password either.
We all know that passwords aren't really safe. Weak passwords such as the one used by Mark Zuckerberg (it is said to have been "Dadada") are commonly used. Passwords are either complex and hard to remember, or long and annoying to type, or short, easy to type, and weak.
However, what are the alternatives? We can use biometrics. But even with upcoming standards such as the FIDO Alliance standards, there are still many scenarios where biometrics do not work well, aside from the fact that most of them aren't perfectly safe either. Then there are the approaches where you have to pick known faces from a number of photos. That takes longer than typing a password, so it adds inconvenience.
Yes, we are becoming more flexible in choosing the authenticator that works best for us. In both Enterprise IAM and Consumer IAM, adaptive authentication and support for a broad variety of authenticators are on the rise. But even there, the password remains a simple and convenient option. Other options such as OTP (One Time Password) hardware tokens are not that convenient: they are expensive, their logistics are complex, and if we lose a device or a token or whatever else, we are still likely to fall back to the password (or to some password-like construct such as security questions).
Using many weak authenticators is also an option. But again: what is our fallback when there aren't enough authenticators available for a certain interaction or transaction, that is, not enough proof for the associated risk?
There is no doubt that we can construct scenarios where we do not need passwords at all. There is also no doubt that we will see more such scenarios in the future. But we will not get rid of passwords entirely. Start with access to legacy systems that support nothing but passwords (and even if you put something in front of them, there will still be the username and password of the functional account); add the passwords used to identify us when we call our mobile phone providers; the passphrases and security questions; and all the websites and services that still support nothing but passwords. There are too many scenarios in which passwords will live on. For many, many years.
We will observe an uptake of alternative, strong authenticators as well as the use of combinations of weak authenticators, e.g. for continuous authentication. But we will not get rid of passwords. Not in one year, not in five years, not in ten years.
Hopefully, we will be able to use better approaches than username and password for all the websites we access and the services we use. Today, we are far from that. But even then, username and password will remain a supported approach in most scenarios, sometimes combined with, e.g., an out-of-band OTP or whatever else. Why? Simply because vendors will rarely lock out customers. When you raise the bar for strong authentication too high, it costs you business. Username and password are not a good, secure approach. But we are all used to them, so they are not an inhibitor.