Feature - Allow User Authentication without Passwords

As "reset password" requests eat up IT service desk dollars, and most passwords remain insecure, it is time for authentication protocols that do not depend on passwords for user login.
Many such methods are available today; these include Apple Touch ID, multi-factor authentication and authentication using TOTP.

The Microsoft security blog has a post describing their goals and the different techniques they use to ensure users can use devices and software without worrying about passwords. However, all these techniques fall into one of two categories:
  1. They need your biometrics (fingerprint, face, eye, etc.), or
  2. They validate a token or security key generated by an app on a mobile device

Imagine a typical use case:

A user likes to browse the web, shop at different e-commerce sites, check her account balance, join forums and personalize her browsing experience.
For her, the vast majority of login screens will still ask for a password.

Some secure websites send a TOTP (time-based one-time password) instead of asking you to enter a password; however, this approach is not widely adopted.
Social login (e.g. logging in with Facebook) has major privacy issues, so that is a solution of limited use.
And if you use a solution like LastPass, then all you are doing is moving your passwords from your mind to another app on your mobile.

The only solution appears to lie with the website owner, or the enterprise providing the service. If they start offering secure authentication without passwords, and allow other secure websites to confirm the user's identity, then the login process will become both easier and more secure.

For this, a key factor is to eliminate passwords from registration forms. With this approach, combined with techniques such as adaptive risk-based authentication, the user experience at registration and login can be vastly improved without compromising security.
