The Slow Death of Passwords

My first online account consisted of nothing more than a username and a password. The username being some strange alias I made up, fearful of using my real name online. The password was just my first name, an all lowercase six letter word.

The pattern of just username & password has quickly been strengthened with additional methods. We are going to take a look at a few of them and examine the strengths and weaknesses of each one.

Knowledge Based Authentication (KBA)

This method is incredibly common in the credit & banking industry. You would be presented with a small multiple choice questionnaire. The questions would be something like, "Select the county you previously lived in". The more questions you add, the arguably more secure it becomes.

  • Pros
    • Additional layer of security
    • Prevents malicious actors from impersonating others
  • Cons
    • Knowledge is not private. It can be found.

All in all, this method relies on the individual history of people remaining secure in the system they live. With more and more services going online and another data breach weekly, this method of authentication will probably cease to exist in a few years.

Security Questions

This method has grown to a variety of industries. It basically works by giving you (the user) a set of questions. You pick one of them and answer it however you wish. During a login session, those selected questions will be presented and must be answered. For example, one of my questions was "What was the name of your childhood friend?". This question sucks though for a variety of reasons. I've had so many childhood friends, I even forgot what I put!

  • Pros
    • Additional layer of security
    • Questions can be answered truthfully or not. It doesn't matter.
  • Cons
    • Truthfully answered questions are just another form of knowledge based authentication.

2 Factor Authentication (2FA)

A common method used on millions of sites these days. Commonly text (SMS) based 2FA has been used, which sends a random code to the phone number registered. This code must be entered within a few moments during the sign in procedure.

2FA additionally has non-phone based methods, software applications can act as time based tokens which refresh every 30 or so seconds.

  • Pros
    • Additional layer of security
    • Can be cloud based
  • Cons
    • Losing non-cloud based 2FA device can be painful
    • SMS can be social engineered
    • Cloud based 2FA could be stolen

Hardware Enigma

Hardware based sign in techniques have existed since I joined the Internet and that was way back in the 1990s. While the hardware of the past was more a time based token with digital display the new generation dabbles in cryptography with a USB connection.

I have two hardware authentication devices, they are sometimes clunky, but the idea is basic. They must be plugged in, otherwise I cannot sign into my account.

  • Pros
    • Not at software level.
    • Easy to use, when it works.
  • Cons
    • Wireless vs Wired acts differently
    • Steal the hardware and done?

Theres just a few of additional authentication measures set out to aid or even replace passwords. There are plenty we didn't even talk about from biometrics, face recognition and simple mobile phone prompts. I wonder what new types of authentication will appear in the next few years.

Featured photo by Matthew Brodeur / Unsplash

Top