How Google, Yahoo, Microsoft Are Killing The Password

Passwords suck. Will biometrics, mobile apps, or user-pattern sensors take over?

Remember when one simple password covered all online transactions, be it email, messenger or other websites that required one-time registration? Life was simpler then. And then came this rigmarole of cyber security, encryption and other similar jargon that reminds us of Star Wars.

We’ve come a long (and painful) way from simple passwords that were usually variants of our names, to the security-obsessed present, when we use every character appearing across the computer keyboard. So can we hope for any respite from this mind-numbing password recollection exercise?

There are other ways, some of them used very effectively for ‘second-factor authentication’, which is an additional ‘prove your identity’ step beyond the password—and is now mandated by India’s banking laws for online transactions.

Do an online payment, and your bank usually sends an OTP, or one-time password, in an SMS. You enter that OTP. This proves your identity, because the mobile registered against your bank account has to be physically with you.

Mat Honan, the author at Wired who famously lost all his data in a 2012 hacking incident, is quick to remind us that passwords are as old as civilization, and people have been breaking them ever since. He narrates an incident from the Peloponnesian War of 413 BC where soldiers of the Syracusae army picked up the watchword of Demosthenes’ army and turned the tables on the invaders.

Honan believes that the only way to enhance security is to open us up to the service providers. “The only way forward is real identity verification: to allow our movements and metrics to be tracked in all sorts of ways and to have those movements and metrics tied to our actual identity,” he says.

Microsoft founder Bill Gates believed a decade ago that his company had the answer. They worked with RSA (among the first practical public-key cryptosystems, still widely used for secure data transmission) to develop a SecurID system that generated a constantly changing sequence of numbers that had to be used alongside the traditional password or PIN.

However, the March 2011 admission by RSA that their two-pronged SecurID was susceptible to attacks took the sheen off this system. Security experts raised concerns over the security of data within RSA and claimed that this information could be used to reduce the effectiveness of the existing system.

Microsoft now has facial and fingerprint recognition support within Windows 10. Known as Windows Hello, the system can work on Surface Pro 4, Surface Book and most PCs with fingerprint readers, and those that recognize your face and iris.

So, where does all this leave us today? Do we continue to trust the instinct that creates our passwords, or rely on some algorithm to generate a 256-character password? The latter would definitely make breaking into the security shield impossible for hackers. The problem is that the chances of the owners accessing their data would also become remote.

Toward end-2015, Yahoo announced that it intended to remove passwords entirely and allow users to access their accounts via a mobile app. Cyber security experts are divided on the efficacy of the system, which allows access to mail by tapping a notification sent to the smartphone they want to log in with. Opponents say this is another way of getting personal information.

And perhaps most significantly (thanks to its sheer influence), Google announced, in early 2015, its plans to kill the password and turn the microSD card of the smartphone into a veritable Fort Knox.


What is Google trying to do? It attempts to use a combination of sensors that allows users to interact with the device and thus lead to authentication. It could be anything from your keyboard usage patterns, speech patterns or even the way you swipe on the touchpad or touch screen. So, there’s nothing extra that you have to remember to unlock your devices.

The idea is currently a work in progress in the Google Advanced Technologies and Projects Group, which hopes to deliver something that is 10 times more robust than all existing authentication methods. Of course, Google-haters crib that this is yet another way that the company is collecting user data.

Moreover, security experts have traditionally been wary of any form of biometrics, which they feel can be misused if stored in a giant database that could be open to hacking. However, the Biometrics Research Group at the Michigan University estimated the presence of over 650 million mobile devices that used fingerprint technology--pioneered by Apple in its iPhone 5S in 2013.

Into this already confusing picture has come another idea of using a combination of your favorite images, icons and other identifiable objects. The researchers at the University of Plymouth believe that instead of remembering a random collection of letters and numbers, users will find it easy to draw a pre-defined pattern, pick a favorite icon and use the combo to lock a smart phone.

The new system, called ‘GOTPass’, would be cheaper and more efficient to integrate into any ecosystem, says project leader Hussain Alsaiari, who admits there is still a lot of work to be done. “We managed to hack into our own system on 23 occasions in a total of 690 attempts,” he says, adding that if icons don’t work, he’s open to trying alternatives such as selfies, handshakes or text messages.

That’s quite a few teams across the world, working on ways to kill the password. So will the ubiquitous password become history within this decade? Here’s hoping.

Veteran journo Raj Narayan (@OnlineObelix) is Chief Content Officer at Trivone, publishers of TechTree.
