
Whither Passwords

Bill Smith

The primary means of authentication on the Internet is the password, a half-century-old shared-secret mechanism that is difficult to use (especially on mobile devices) and has acknowledged security flaws, including attacks at scale. Even so, passwords remain the most prevalent form of authentication, with efforts to enhance security typically relying on "bolt on" solutions that increase user friction.

Traditional wisdom holds that increased levels of security are proportional to increased complexity/difficulty. For example, a door with a lock is generally regarded as a more secure "barrier to entry" than one without. Two-factor authentication is regarded by some as superior to passwords alone. Both are more difficult to use yet may not provide enhanced security in practice.

In the physical world, if the door is most commonly used by individuals whose hands are full, a locked door becomes an unacceptable impediment and the door may be left unlocked. In the virtual world, two-factor options may be so expensive and/or difficult to use that the vast majority of users refuse to employ them. There are also compelling arguments and evidence that two-factor mechanisms offer little in the way of improved security over passwords alone.


The "holy grail" of authentication on the Internet is a mechanism that is both easy-to-use and secure. Passwords are neither, and our "quest" requires that we abandon traditional thinking. Attempts to "improve passwords" are destined to fail. Passwords are difficult to use, complex, and, like any shared secret, a significant vulnerability. The costs associated with them as we move to the next billion users force us to seek alternatives.

With improvements of late, biometric technology has the potential to offer us an alternative to passwords. Where passwords are complex and difficult to use, biometrics can be simple and easy. When properly deployed, biometric technology can also be secure, privacy respecting, and widely adopted. Improperly deployed, it can be no better than passwords, offer no protection against attacks at scale, present unacceptable risks to privacy, and consequently fail to be adopted.

Security practitioners are fortunate that Apple, with the introduction of TouchID, has assured consumer acceptance of a biometric device as an easy-to-use means of authentication. Competitors have followed suit, adding biometric sensors that enable authentication via fingerprint and iris scan. More will follow, and we can expect most new end-user devices to ship with a biometric sensor. They will also have to be easy to use if they are to compete.

Security, privacy, and mitigation of attacks at scale must also be addressed if biometrics are to catalyze the paradigm shift away from passwords. Fortunately, it is possible to address each of these issues using well-known techniques. Asymmetric keys negate the vulnerabilities inherent in any shared secret scheme and can eliminate a significant source of attacks at scale. Local authentication, with any biometric artifacts retained on the device, ensures that no biometric information is ever "placed on the wire" or in the cloud. If the solution is to be used for more than one site, consideration must be given to mitigating or eliminating cross correlation.


The FIDO Alliance is dedicated to the replacement of passwords as the means of authentication for online services. Its members represent some of the most recognizable brand names on the Internet, and even more that are not. Together, they have developed principles, specifications, and guidelines for protocols that, when coupled with biometric-enabled devices, allow online service providers to replace passwords with easy-to-use, secure, and privacy-respecting mechanisms for authenticating users. The specifications also require local authentication, no biometric data on the wire, no protocol artifacts that can be used for cross correlation, and asymmetric cryptography.
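The properties listed in the two passages above (asymmetric keys instead of a shared secret, local user verification, and a separate key per site so that sites cannot cross-correlate a user) can be seen in a small challenge-response sketch. This is an added example, not the FIDO wire protocol or code from the author or the Alliance; the `Authenticator` type, the site names, and the signed-message layout are assumptions, and the biometric match is reduced to a boolean.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Authenticator models the user's device (hypothetical type): one private key per site.
type Authenticator map[string]ed25519.PrivateKey

// Nonce returns 32 fresh random bytes, used for server challenges and key seeds.
func Nonce() []byte {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Register creates a new key pair for one site and releases only the public half.
func (a Authenticator) Register(site string) ed25519.PublicKey {
	priv := ed25519.NewKeyFromSeed(Nonce())
	a[site] = priv
	return priv.Public().(ed25519.PublicKey)
}

// message binds the site name to the challenge (assumed layout, not a FIDO format).
func message(site string, ch []byte) []byte { return append([]byte(site+"\x00"), ch...) }

// Sign answers a challenge only after the local user check (e.g. fingerprint) passed.
func (a Authenticator) Sign(site string, ch []byte, userVerified bool) []byte {
	if priv, ok := a[site]; ok && userVerified {
		return ed25519.Sign(priv, message(site, ch))
	}
	return nil
}

// Verify is the server side: it stores a public key and its own challenge, no secret.
func Verify(pub ed25519.PublicKey, site string, ch, sig []byte) bool {
	return ed25519.Verify(pub, message(site, ch), sig)
}

func main() {
	dev, ch := Authenticator{}, Nonce()
	pub := dev.Register("shop.example")
	sig := dev.Sign("shop.example", ch, true)
	fmt.Println("login:", Verify(pub, "shop.example", ch, sig), "replay:", Verify(pub, "shop.example", Nonce(), sig))
}
```

A breach of the server's credential store yields only public keys, and a captured signature is tied to one site and one challenge.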

Alliance members are fabricating sensors and components that comply with the specifications. Device manufacturers are offering handsets with these components. Platform vendors are providing native support. An easy-to-use asymmetric key system has been developed. Relying parties are deploying.

AliPay, Bank of America, Dropbox, Google, Microsoft, NTT Docomo, and PayPal have deployed early versions. Samsung, LG, and Sharp are shipping handsets. Qualcomm is embedding support into chip sets. Intel has joined the effort. These individual efforts will ultimately result in a consistent, easy-to-use consumer experience.

Early adopters will incur costs beyond those borne by later adopters. Increased engineering, development, and operational costs can be expected until a fully developed, mature, standardized, widely adopted experience is available. This transition from prototype to mature implementation will occur over the next several years as the protocol(s) mature and are sedimented into platforms. As that occurs, first-to-market advantage will belong to those with deployment experience and the ability to rapidly switch from password to password-less.


Passwords are a frequent target of phishing attacks. Password databases are similarly a loved target of the malevolent. Eliminating these targets enhances security and likely leads to reduced fraud. However, the real upside to eliminating passwords is capturing the next billion users. They will be less technologically savvy and more likely to adopt easy-to-use (even if not more secure) online services. Being positioned with an easy-to-use, secure, and privacy respecting authentication mechanism that satisfies the demands of existing customers and encourages new customer adoption without the inherent risks associated with passwords makes good business sense.

A standards-based approach for replacing passwords makes technological sense. Site- or platform-specific implementations are costly to develop, difficult to debug, expensive to deploy, and likely fail to provide a common user experience that is essential for ease-of-use. Business and technology leaders should recognize the opportunity before us. It's a once-in-a-lifetime thing.

Replace passwords. Now.

By Bill Smith, Sr. Policy Advisor, Technology Evangelist at PayPal. (Disclaimer: While I am a PayPal employee, the opinions expressed here are my own.)

Related topics: Cybercrime, Cybersecurity, Policy & Regulation

