In a tell-tale sign that passwords have had their day in the sun, PayPal CISO Michael Barrett took the stage at Interop today to spell doom for existing verification methods, predicting that more robust authentication protocols based on an open standard will replace passwords. While two-step verification can bolster account security – Apple recently enabled it for Apple ID accounts – PayPal hints that secure authentication technologies said to be making their way into Apple’s next iPhone may herald the impending end of passwords…
“Passwords are starting to fail us,” he said, according to MacWorld UK.
Indeed they are.
Passwords are running out of steam as an authentication solution. They’re starting to impede the development of the Internet itself. It’s pretty clear that we can’t fix it with a proprietary approach.
Coincidentally, Wired recently ran an in-depth piece that explains vividly why a string of characters can’t protect us anymore.
Just a simple string of characters – maybe six of them if you’re careless, 16 if you’re cautious – that can reveal everything about you.
Your email. Your bank account. Your address and credit card number. Photos of your kids or, worse, of yourself, naked. The precise location where you’re sitting right now as you read these words.
Barrett shares a similar sentiment.
Users will pick poor passwords and then they’ll reuse them everywhere. That has the effect of reducing the security of their most secure account to the security of the least secure place they visit on the Internet.
A little background: Barrett is the president of the Fast Identity Online Alliance (FIDO), an organization that wants to replace the password with a more convenient standards-based open protocol.
The FIDO Alliance protocol allows users a choice of authentication method while shifting control to providers who can make authentication user-transparent and limit the risk of fraud. Essentially, FIDO combines hardware, software and Internet services.
A FIDO user will use a FIDO Authenticator or token that they’ve chosen or that’s incorporated in their device; it could be a built-in fingerprint scanner, a USB memory drive with a password, a voice reader or something else.
“Starting this year you will see FIDO-enabled devices appearing in the market,” he proclaimed.
But what’s that got to do with Apple, you ask…
Barrett hinted that Apple’s next iPhone may be the first consumer device to adopt FIDO’s proposed solution, based on the rumored inclusion of a fingerprint sensor on the iPhone 5S.
It’s widely rumored that a large technology provider in Cupertino, Calif., will come out with a phone later this year that has a fingerprint reader on it. There is going to be a fingerprint enabled phone on the market later this year. Not just one, multiple.
Apple fanboy and CrunchFund investor MG Siegler (who just joined Google Ventures as a general partner) heard “multiple times” whispers of “some sort of biometric scanner on the new iPhone.”
Analysts have long insisted that the next iPhone will include a fingerprint sensor. Morgan Stanley calls it a killer feature and other watchers believe it could be a world-changing moment because it takes a company of Apple’s size to mainstream the tech.
Unfortunately, it seems that Apple’s rumored effort to integrate a fingerprint sensor underneath the Home button – as opposed to embedding it on the device as a separate button – has now created “technical challenges,” leading one analyst to speculate that the next iPhone could be pushed back until Fall.
Reuters agrees, quoting a supply chain source as saying last month that Apple was trying to find a “coating material that did not interfere with the fingerprint sensor,” adding this may be causing a delay.
If used in conjunction with NFC – and tapping the nearly half a billion iTunes accounts with credit cards enabled for one-click purchasing – the next iPhone wouldn’t just replace password-based authentication with your fingerprint ID, it could act as a digital wallet, too – provided Apple cuts deals with banks, credit card companies and merchants, of course.
If all this sounds too futuristic, remember that Apple shelled out $356 million to buy AuthenTec. That company is the leader in NFC technology and so-called smart sensors and Apple notably unloaded its other business units, leaving only sensors.
Moreover, Apple’s been on something of a hiring spree, looking for software engineers to join its existing AuthenTec fingerprint sensor team.
So, instead of typing passwords into apps and web sites, the next iPhone could authenticate you just by scanning your thumb resting on the Home button.
How disruptive would that be?
You connect the dots.