I have been closely following authentication methods over the last 10 years or so, and here’s a short list of my thoughts:
- people have been talking about the end of passwords for decades. While they have drawbacks (some are weak, they don’t change for a long time, some people can’t use them because of dyslexia), they are the simplest to use, simplest to implement and most cross-platform authentication mechanism. They will never disappear.
- Your email password has become the single MOST IMPORTANT password you have as almost all other passwords can be reset via email!
- It’s not that difficult to implement server-side password systems to prevent large scale incidents. However, the cost of implementing them properly is still higher than risk × cost of attacks. If someone like PayPal looked at the cost of incidents (unauthorized transfers due to stolen passwords) and compared that with the cost to the business (making authentication harder + cost of development), the result would be: passwords are good.
- If password-based attacks become a problem, they are relatively easy to augment with additional restrictions (permanent or temporary).
- For a while there was a really fragmented market of alternatives (visual passwords, join-the-dots, select a set of images, hardware dongles, biometric-based methods) and it wasn’t clear who would be the winner. I think this stage is over and the winner is an approach that uses our personal devices to help us (from laptops to smart phones).
- Passwords are disappearing in the sense that you may not see them that much: Windows, OSX, browsers and smartphones automatically log you in, iOS now offers auto-fill when it sees a password box and you just need to press your thumb on the start button. The user-side password handling is now implemented in platforms, and custom applications (e.g., 1password) are becoming unnecessary.
- Big companies are not that much interested in attacks on particular users. Their concern is easy-to-scale attacks that could hit millions of users in a short time. Linking your “person” to your device that can provide strong authentication fits this bill.
- The approach that replaces authentication of yourself with authentication of your personal device prevents scalable attacks. However, if someone steals your smartphone, you’re doomed.
- If you want to protect yourself, you need to do something for it. Think about what you can lose, how easy it would be for someone to steal / infect / take over your smartphone / laptop and use it to access your data and access privileges.
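The points above about server-side controls and temporary restrictions are easy to make concrete. The following is an added example, not code from the original post: a small login throttle that combines a per-account temporary lockout with exponential backoff (a defence against guessing a single account's password) and a per-source counter that blocks a source which fails against many distinct accounts within a short window (the easy-to-scale, many-users-at-once pattern the post says big companies care about). The class, method and parameter names, the time values and the user/source identifiers are all assumptions constructed for the example; the source addresses use documentation ranges and are not real hosts.

```python
"""Server-side login throttling: per-account temporary lockout with
exponential backoff plus a per-source block for large-scale attempts.
Added example for illustration; not from the original post."""
import time
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked_until: float = 0.0


class LoginThrottle:
    def __init__(self, threshold=3, base_lock=30.0, max_lock=3600.0,
                 source_window=60.0, source_distinct_limit=10):
        self.threshold = threshold                  # failures before the first lock
        self.base_lock = base_lock                  # seconds; doubles per extra failure
        self.max_lock = max_lock                    # cap so a lock never exceeds this
        self.source_window = source_window          # sliding window for source counting
        self.source_distinct_limit = source_distinct_limit  # distinct accounts per source
        self.accounts = defaultdict(AccountState)
        self.source_failures = defaultdict(deque)   # source -> deque of (timestamp, user)
        self.source_blocked_until = defaultdict(float)

    def _prune(self, source, now):
        """Drop failures that fell out of the sliding window."""
        dq = self.source_failures[source]
        while dq and dq[0][0] <= now - self.source_window:
            dq.popleft()

    def attempt(self, user, source, password_ok, now=None):
        """Return an internal verdict string. A real service would map every
        'denied:*' verdict to the same generic message for the client so the
        verdict itself does not leak which restriction fired."""
        now = time.time() if now is None else now
        acct = self.accounts[user]
        # Temporary restrictions are evaluated before the credential is checked,
        # so a locked account or blocked source cannot be probed further.
        if now < self.source_blocked_until[source]:
            return "denied:source_blocked"
        if now < acct.locked_until:
            return "denied:account_locked"
        if password_ok:
            acct.consecutive_failures = 0
            return "ok"
        acct.consecutive_failures += 1
        if acct.consecutive_failures >= self.threshold:
            extra = acct.consecutive_failures - self.threshold
            lock = min(self.base_lock * (2 ** extra), self.max_lock)
            acct.locked_until = now + lock
        self._prune(source, now)
        self.source_failures[source].append((now, user))
        distinct_users = len({u for _, u in self.source_failures[source]})
        if distinct_users >= self.source_distinct_limit:
            self.source_blocked_until[source] = now + self.source_window
            return "denied:source_blocked"
        return "denied:bad_password"


def simulate_single_account():
    """Constructed scenario: one user mistypes their password repeatedly."""
    t = LoginThrottle(threshold=3, base_lock=30.0)
    results = []
    for i in range(4):
        results.append(t.attempt("alice", "10.0.0.5", False, now=100.0 + i))
    results.append(t.attempt("alice", "10.0.0.5", True, now=105.0))  # still locked
    results.append(t.attempt("alice", "10.0.0.5", True, now=200.0))  # lock expired
    return results


def simulate_many_accounts():
    """Constructed scenario: one source fails against many different accounts."""
    t = LoginThrottle(threshold=3, base_lock=30.0, source_window=60.0,
                      source_distinct_limit=5)
    results = []
    for i in range(6):
        results.append(t.attempt(f"user{i}", "203.0.113.9", False, now=500.0 + i))
    # Correct password from the blocked source is still refused while the block lasts...
    results.append(t.attempt("user0", "203.0.113.9", True, now=510.0))
    # ...but the same account from another source works: the accounts are not locked.
    results.append(t.attempt("user0", "10.0.0.7", True, now=511.0))
    return results


if __name__ == "__main__":
    print(simulate_single_account())
    print(simulate_many_accounts())
```

The two scenarios show the asymmetry the post describes: the per-account lock is a permanent-style restriction scoped to one user, while the per-source block is a temporary restriction that protects millions of accounts from one misbehaving source without locking any of them.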