As noted in a recent article in the Wall Street Journal, although his impact on our daily lives arguably rivals that of Bill Gates, Mark Zuckerberg, and other giants in the computer industry, the name Fernando Corbató remains obscure. He is, however, the father of the modern computer password. While toiling away at the Massachusetts Institute of Technology in the early 1960s, Mr. Corbató and his colleagues developed the password in order to control access to files on a large, shared computer. Little did they know that over 50 years later, billions of people across the globe would be forced to remember countless passwords and type them into devices ranging from their personal computers to ATMs, smartphones, tablets, and even home appliances. One cannot “Like a friend” on Facebook, check a bank balance, review a child’s school grades, or bid in an online auction for that completely unnecessary item that is destined to sit in the back of a closet, without first entering at least one password.
While designed to help manage and secure files, the ubiquitous nature of the password has made it one of the most significant security risks to computers. In the wake of Heartbleed, an OpenSSL flaw that let attackers read passwords and other secrets out of a vulnerable server's memory, and of recent breaches at eBay, Yahoo, and Target, it is not surprising that the voices calling for the death of the password are growing louder. Just listen to John Proctor, Microsoft's Vice President of Global Cybersecurity, who wrote a blog post on this subject last week, stating, "Allowing users to log in simply with a username and password is a grave error… Frankly, the password is dead." Using equally blunt terms, Jeremy Grant, the head of the National Strategy for Trusted Identities in Cyberspace, stated, "Passwords are awful and need to be shot." How did Mr. Corbató respond to these attacks on his invention? The 87-year-old retired researcher expressed the view shared by many: "It's become a kind of a nightmare."
Despite the nearly universal disdain for the password, finding a replacement that the computer industry would accept is not easy, because the password is cheap to use and is built into the architecture of most websites. Making things even more difficult are inertia and human behavior. Using a password has become a daily, routine part of life, to the point where entering a personal identification number ("PIN") is second nature. And even in the face of a known breach such as Heartbleed, people refuse to change their passwords, because the ones they have are easy to remember and are reused across many accounts; that reuse also means a single breach can expose every account that shares the password.
The dissatisfaction with the password raises the question: what will the replacement look like? There are currently many contenders waiting to supplant the password. These include hardware options such as fingerprint readers (e.g., the Touch ID sensor on Apple's iPhone 5s), iris scanners, and USB keys. There are also software options from companies such as BioCatch Inc., which is located in Boston, that verify a person's identity by measuring how they hold a smartphone or drag a mouse across a screen. Recently, U.S. Bank announced it was joining other large financial institutions in testing voice biometrics as a potential replacement for the traditional password. This group, which includes Wells Fargo & Co. and Barclays Plc, is adopting voice biometrics software that requires users to log in to an application or website by speaking a word or phrase. The phrase is compared to a recording the customer made earlier to verify that it is the same person.
One option that is gaining traction for its combination of security and simplicity is multifactor authentication ("MFA"). The goal of MFA is to create a layered defense and make it more difficult for an unauthorized person to access a computer system or network. This is achieved by combining two or three independent factors: something the user knows (a password or PIN), something the user has (a security token, smart card, or phone), and something the user is (a biometric such as a fingerprint). Single-factor authentication, in contrast, relies on only one of these, almost always something the user knows; the weakest versions rely on values that are not really secret at all, such as a phone number or Social Security number. For instance, Google accounts can be protected with two-step verification that uses a smartphone app to generate a six-digit code that changes every 30 seconds, and that code is required to log in. The code is not random: it is computed from a secret shared with Google when the app is enrolled and from the current time (the time-based one-time password, or TOTP, algorithm), which is why the server can compute the same number and check it. A stolen password alone is then not enough to get into the account, although an attacker who tricks the user into typing the current code into a fake login page can still use it for the next 30 seconds or so.
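To make concrete what the 30-second code in the Google example actually is, here is an added example, written for this page and not taken from Google or any authenticator app: a Python implementation of the HOTP and TOTP algorithms (RFC 4226 and RFC 6238) that authenticator apps use, together with the server-side check a site would run. The secret "12345678901234567890" is the reference value from those RFCs, used only so the output can be compared with the published test vectors; the account name, issuer, and timestamps in the demo at the bottom are made up.

```python
"""TOTP / HOTP as used by authenticator apps (RFC 4226 / RFC 6238)."""
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple
from urllib.parse import quote

# Reference secret from RFC 4226 / RFC 6238 (the ASCII string "12345678901234567890").
# Used here only so the output can be checked against the published test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC the 8-byte big-endian counter, dynamically truncate,
    and reduce modulo 10**digits. Leading zeros are kept."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, t0: int = 0) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current time step,
    so the code "resets" every `step` seconds."""
    return hotp(secret, (unix_time - t0) // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_counter: Optional[int] = None, step: int = 30,
                digits: int = 6, window: int = 1) -> Tuple[bool, Optional[int]]:
    """Server-side check. Accepts the code for the current step and `window` steps either
    side (clock skew), compares in constant time, and refuses any counter at or below the
    last one already accepted so a captured code cannot be replayed within its window.
    Returns (accepted, counter_to_store_for_this_user)."""
    if len(submitted) != digits or not (submitted.isascii() and submitted.isdigit()):
        return False, last_counter               # malformed input never reaches the HMAC path
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if last_counter is not None and candidate <= last_counter:
            continue                             # already used (or older): replay, reject
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return True, candidate
    return False, last_counter


def new_secret(length: int = 20) -> bytes:
    """Per-user enrollment secret; 160 bits is the length RFC 4226 recommends for SHA-1."""
    return secrets.token_bytes(length)


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI, i.e. the content of the QR code an authenticator app scans at
    enrollment. The secret is base32 without padding, which is what the apps expect."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    # Reproduce an RFC 6238 test vector: Unix time 59 -> 8-digit code 94287082.
    print(totp(RFC_TEST_SECRET, 59, digits=8))
    # Walk one login with a made-up user and timestamp: the client computes a code,
    # the server verifies it and records the counter, and a replay is refused.
    secret = new_secret()
    print(provisioning_uri(secret, "alice@example.com", "ExampleBank"))
    now = 1_700_000_000
    code = totp(secret, now)
    ok, used = verify_totp(secret, code, now)
    replay, _ = verify_totp(secret, code, now + 5, last_counter=used)
    print(code, ok, replay)
```

The server side is where the security decisions live: it stores the last accepted counter per user so a code captured by a phishing page or keylogger cannot be submitted a second time, and it compares codes in constant time. The one-step window on either side of the current time tolerates small clock drift on the phone, but it also stretches the period during which a phished code remains usable to roughly 90 seconds, so a tighter window is a tradeoff between usability and exposure.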
Whatever security feature may lie ahead, it is safe to suggest that it will not be the much-maligned password. While Mr. Corbató's invention has served us well for the past fifty years, the frequency of major breaches and the sophistication of cyber criminals have overwhelmed the password's ability to serve as an effective gatekeeper to our data. When the inventor, users, and the companies maintaining sensitive data all agree that change is needed, it is only a matter of time before the password is laid to rest.