The End of Passwords

A Google announcement means we will all soon employ "passkeys" instead of passwords, greatly increasing security -- and ease of use.

Image
Typing on laptop

When brilliant young physicist Richard Feynman ran a group of scientists at the Los Alamos Laboratory that developed the atomic bomb during World War II, he embarrassed security personnel by using a screwdriver to routinely pick the locks on the filing cabinets that contained the facility's most sensitive secrets. He might taunt security by leaving the filing cabinet open or might close the cabinet and just leave a note inside for his colleague saying something like, "Thanks for letting me borrow XYZ document." Security finally got the message and installed locks that each had a million combinations -- and Feynman picked those, too.

For years now, hackers have likewise been exposing the vulnerabilities in the world's attempts at cybersecurity. But an announcement by Google last week means that we are headed toward closing one of the biggest security gaps that hackers exploit: passwords. 

The change won't happen overnight, but it will happen -- accelerated by Google's move into what are called passkeys. The technology requires that we merely have physical possession of our phone or computer and can authenticate ourselves to it through face recognition or other biometric measure. The passkey then handles all sign-ins to our apps and websites, using heavy-duty encryption. 

We users will no longer be required to remember all the different passwords that we're pinged to recreate every six weeks or so, based on the host of different standards that different apps and websites require -- which, in practice, of course means that we're constantly resetting passwords.

Companies will see security increase greatly because employees will no longer use passwords that are trivial for hackers to guess -- the four most common passwords currently are 123456, 123456789, qwerty and password -- and will no longer be vulnerable to phishing attacks that trick them into giving up their passwords.

Insurers will likewise be able to breathe a bit easier -- and adjust premiums accordingly -- as the threat via password theft diminishes. And the industry as a whole will do a better job of protecting all the sensitive information it has about customers, information that hackers try so hard to collect. 

The FIDO Alliance has been rolling out passkeys for a year, and an article in Wired says many companies, including PayPal, Shopify, CVS Health, Kayak and Hyatt, already offer customers the ability to access their accounts via passkeys.

But the article quotes Andrew Shikiar, executive director of the FIDO Alliance, as saying the Google move to passkeys is an inflection point. "A company like Google," he says, "enabling this with so many people actually seeing passkey sign-ins, they’ll be more likely to use them elsewhere. And it will also accelerate other companies’ deployment plans and help them deploy better, because we will learn from this as a body."

The transition from passwords to passkeys will now surely enter the chicken-and-egg phase that just about every new technology faces. Even though the benefits of passkeys are so clear, not a lot of companies will feel the need to offer the option soon, because customers aren't demanding that they do so, and customers won't lean into passkeys right away because not enough companies are offering the option.

Glitches will also slow adoption. For instance, when I try to sign up for a passkey via Google, it prompts me to sign into my gmail account, but I don't use my gmail account. I'm not going to start using gmail as my default just to get access to a passkey, so I'll sit this one out for now.

Once the transition to passkeys builds, insurers will -- or at least should -- encourage it by offering discounts to companies that improve their security by mandating a switch. And when we hit the tipping point in perhaps a couple of years, the transition to passkeys should be so rapid that, as FIDO's Shikiar put it, the World Password Day that was celebrated last week is "going to be like World Horse and Buggy Day."

Cheers,

Paul

P.S. Much of Feynman's picking of the supposedly hyper-secure locks just took advantage of combinations that were the equivalent of a password like 123456. Even at what was supposed to be the world's most secure facility, among some of the world's smartest scientists, one in five never changed the simple, default combination that the factory set and that Feynman knew.

As for the rest of the safes, he found that he only needed to be within two of the correct number in a combination for it to work, so the 100 digits on the dial really only meant he had to try 20 possibilities. With a three-number combination, that still meant trying 8,000 combinations on each safe -- except that he learned that he could see the final two numbers in a combination if he could fiddle with the lock while the cabinet was open. And he was eccentric enough that nobody paid much attention as he played with their lock while in conversation. He'd write down the final two numbers for each safe, then just have to try 20 combinations to open it. 

As much as he frustrated security, he came in handy when a document was needed from a filing cabinet whose owner was off the premises. Whoever needed it would just ask Feynman to pick the lock. Feynman would promise to do so, but only if no one watched. He'd pick the lock within a minute, take out a book and read it for half an hour or so, then open the office door and accept thanks for how hard he'd worked to pick the lock and retrieve the document.