Hate Passwords, Love Password-less

At San Digital we try to help our clients chose the most appropriate technology. Ideally, using ready-made commodity components. Authentication is an excellent case in point.

Passwords are a pain

Dealing with passwords is at best an inconvenience at worst it can be a substantial security issue. A single password that is used frequently is less of a problem, as we are at least likely to remember it. However, large numbers of infrequently used passwords cause the largest problem, especially with the temptation to reuse passwords. It’s not what Fernando Corbató, the accidental originator of the password, ever intended.

Password1234

In one analysis on 275m passwords in a database, only 44% were unique. While the top 200 featured evergreen examples like 123456 and 123456789, and various combinations of password, qwerty, abc123, and iloveyou.

Bill Gates said, “Passwords just don’t meet the challenge for anything you really want to secure”. That was in 2004. The US National Institute of Standards and Technology has tried to address this in 2003, advising random characters, substituting numbers for characters, and advising system admins to regularly force change people’s passwords. It was disastrous advice.

It made passwords harder for people to use, who naturally therefore used workarounds to help them remember the ever changing passwords, making passwords ultimately less secure. Plus increasing the number of forgotten password requests (which is another source of password vulnerability).

Closing the stable door?

It’s become a total mess. Password managers can help with stronger passwords stored securely. But most people don’t use them. Pass-phrases instead of passwords would be better, but they’ve never really taken off.

Password-less is the answer

We don’t have to do any of this password mess anymore: Password-less authentication is here and is much easier and much more secure.

We’ve made a video to demonstrate so simple password-less solutions you could implement very quickly (and also vent our frustrations with passwords).

Technically clever, human simple

Password-less authentication sends a short-lived token either via an email or SMS, the user types in the token to be authenticated. No password required.

In a situation where a customer is accessing a service infrequently, password-less solutions are much simpler. Especially as the user’s identity is frequently linked to a trusted communication channel.

Mobile app clients

Password-less can also work nicely for mobile applications, the token sent to the user allows that app to request an access token and a refresh token, meaning that the user can remain authenticated for a longer period.

Conclusion

It is simpler, easier, more secure and all round better to use password-less solutions, like the straightforward but highly secure ones we have developed that can be implemented quickly for you.