inWebo Blog: Exploring Authentication, Identity, Privacy, and Security

Of Passwords, 2-Factor, and Biometry


The end of passwords – coming up soon!

Passwords are prehistory. Passwords are dead. We’re going to end passwords. Sound familiar? Google probably has millions of results for each of these searches. Yet, for as long as I can remember – since the emergence of the World Wide Web at least – passwords have been singled out as the flaw in this otherwise amazingly well-engineered system. We’ve also been presented with solutions to the problem. We love good stories and the tech world is full of them. So, when we hear about a shiny and ingenious new thing being invented to end passwords, or that the big guys in the Valley or elsewhere have teamed up on a password-killing mission, well, we believe it’s only a matter of weeks or months before this crusade is over and we go back to more serious business.

350 passwords – and counting

However, passwords still stick around. I have 350 of them in the password manager I signed up for 2 years ago. And counting. The crusade isn’t over. In fact, the enemy has barely been scratched by all the maneuvers launched against him in the last 10+ years. On the contrary, his influence is still growing. Amazing scientific and engineering feats have been achieved in all areas over those same 10 years, yet we haven’t succeeded in replacing passwords as the main and almost exclusive form of authentication in use. What did we (as an industry) do wrong?

Conflicting views on password replacement candidates

Passwords are not a stand-alone part that can be replaced; they are a system, and a 2-sided one at that: the users signing in on one side, the websites and applications authenticating users on the other. The two sides have conflicting views about authentication goals. Users suffer from password intoxication (too many of them) and hate complex login processes. Sites want a self-centric and ‘secure’ authentication. Password replacement candidates favored by websites only make things worse for users, since they add a usually inconvenient authentication method to the existing ones. Password replacement candidates favored by users – if there’s such a thing! – are rightfully dismissed for risk and security reasons by IT professionals.

Passwords were there first, so it’s only getting harder to displace them. It seems that we’re stuck with them for good.