Death to the sticky note

The first rule of password security is “don't write it down”. Yet, we all do it. We record them on sticky notes and attached them to our monitors, write them down in a notebook, or record them in a spreadsheet. The number and complexity of password requirements makes it difficult to operate otherwise.

Recent guidance from NIST suggests the complexity of these requirements are not making passwords harder to break. Instead, it suggests we create passwords that are longer, less cryptic, and more memorable.

You'd think that was good news until you consider that best-practice encourages us to create unique passwords for each of the two dozen or so sites you log into. Bottom line, we fall back to the sticky note solution -- or perhaps the real solution is to do away with the need for a password at all.

Imagine a world in which we no longer need to maintain a user name and password, but skip that step to access a website or an application. Today, you may do this by using a fingerprint to access your smart phone or log into your banking app. Besides fingerprints, the latest smart phones use other types of physical biometrics such as facial recognition and iris scanning. By just looking at the phone screen, the phone can unlock or you can access a protected application.

To introduce another mechanism for security, think about how behavioral biometrics can also be used to uniquely identify you. The way you act provides data points collected by the systems you interact with to verify your identity. Examples may be the angle at which you swipe your smart phone screen, the rhythm or force of strokes you make on the keyboard, or your gait. If you’ve called into your bank and asked if you wanted to use your voice to verify yourself, that is another example of behavior biometrics.

With the help of machine learning, all these factors can be plugged into an algorithm that is constantly changing and getting to know you better. As a result, we have more effective means of constantly monitoring your activity and more reliably identifying you as an “approved” user versus a “bad actor”.

Now, do you still think passwords are important to ensure a secure online experience? The reality is that there are more effective approaches that will both enable greater security and provide the user a more seamless experience. If Amazon is ending the check-out process at the grocery store, then systems can do the same with passwords to access their services.

Passwords will soon be a thing of the past. Just as we do with answering machines today, references to passwords will be something we’ll need to explain to the next generation. So, feel free to repurpose your sticky notes for their intended use - a reminder to make a call or pick up milk at the store.

Quick References

OMB 16-11, Improving Administrative Functions Through Shared Services

Circular No. A-123 Appendix D, Compliance with the Federal Financial Management Improvement Act of l996

OMB M 13-08, Improving Financial Systems Through Shared Services

OMB M 10-26, Immediate Review of Financial Systems IT Projects

Open Gov   My Money.gov   USA.gov
Linked In   Twitter   Facebook   You Tube   RSS Feed