Is it time the password had a makeover? - RSA


    Jonathan Craymer FRSA
  • Digital
  • Fellowship
  • Technology

Hands up everyone who still thinks vulnerable items like passwords and PINs, combined with other personal data, are fit for purpose for proving who we are in the digital age?

Are we fearful that, in this time of seemingly non-stop data breaches, passwords, PINs and the like turn us all into sitting ducks?

While we’re about it – do we need something better to prove who we are as we go about our daily business? Imagine you’re travelling and everything on you is stolen including phone, documentation etc, and you must prove who you are to a call centre to get help. Are you happy to be quizzed on clunky things like last transactions, big data (which fridge you bought five years ago) or pre-set questions which may have faded into memory’s dark recesses?

Or is it time the ways in which we’re expected to identify ourselves were given a makeover – levelling the playing field and giving us back control?

Malware or hardware keyloggers can record everything we type, rendering passwords ineffective as a security tool. By the same token, longer and more complex passwords, or even ‘pass-phrases’, no longer pass muster. It’s as though our needs for privacy and control have been totally ignored for the past several years. But we have no other option: we’re forced to go on using passwords.

Did the tech giants simply forget to come up with a way out of the identity proofing mess we’ve found ourselves in?

I believe the world could be a much safer place if we could prove we’re the ‘right’ users of hardware or software without resorting to the use of vulnerable personal data.

I’m convinced there’s a way round all this and feel sure that, with a bit of fresh thinking, we can come up with something not unlike the old Swiss banking system, where – using a series of one-time numbers delivered to users without additional devices – individuals can prove they’re the authorised owners of accounts, without exposing personal data.

OK, I realise at this point some may be thinking – what about ‘two-factor’ or biometrics? Aren’t those supposed to be better than passwords?

Apart from the lack of convenience (you can’t log in if your key-fob isn’t with you, or your phone has gone AWOL, has no juice left or has no signal), two-factor is flawed in several more ways. Possession-based authentication was never a great idea. It’s too easy for someone to steal your fob or phone. And in the case of phones, a criminal can, without too much difficulty, take over your number (which is why certain US security agencies no longer support SMS-based two-factor; sorry Google, FIDO etc.).

Biometrics also have major flaws. For those unfamiliar with the term, biometrics are body characteristics used to authenticate us. The problem is they can’t be changed. The paradox here is that this is both a strength and a fatal weakness. What happens if your biometric data gets stolen or copied? (This happened in the US in 2015 when some five million Federal employees’ data went missing, with biometric information attached in many instances.) Can hackers use such data to impersonate us? We don’t really know. But once they’ve stolen it, they certainly won’t delete it; they’ll hang onto the data until it can be used against the individuals concerned.

Another way of looking at biometrics is that you have just one face, one voice, one DNA, two irises and 10 fingers. If you count your fingers as a single item, that amounts to just six steal-able factors, which isn’t many considering none of them can be replaced or re-set. There’s also the problem of needing to have a reader ‘on hand’ (literally!) every time, and then the thorny issue of civil liberties and consent.

I hate to be the bearer of bad news, but for those convinced their iPhone and thumb will serve as an authentication tool for life, how will they feel once their thumbprint has ‘gone’ (say in a data breach at work) and they are then told by their bank, HMRC, etc. that this particular appendage can never be used again? Will such individuals become second-class citizens, condemned to join the longer ‘non-biometric’ queues at airports or stations?

Apologies to anyone who’s invested time and money developing amazing biometric solutions (ear canal echoes being just one example) but due to the problems listed above, I give the whole sector no more than 10 years to live.

So, is there a better answer? Will something new give us the solution to what is arguably, in the digital age, one of the world’s greatest problem areas – extending as it does into crime and even international cyber warfare?

I have an idea which I and a colleague have been working on for some time. We’re keen to discuss it with other Fellows. You may already have looked us up and have an inkling of what I’m talking about, but that’s OK.

We’re looking for people to have a play with our system, or even start using it for real. We have a version ready to install (via an API) with an industry-standard identity and access management (IAM) package, which can act as a ‘wrapper’ round any currently password-protected legacy system.

And visionaries amongst you might even begin dreaming of the implications for technologies like blockchain or IoT.

Join the discussion


  • I am currently running over 10 passwords for different applications, not to mention a number of PIN numbers. So I am game for something new or more secure and easy to manage.
