Boston University

11/19/2024 | News release | Distributed by Public on 11/20/2024 01:36

Tired of Remembering All Those Passwords? Help May Be in Sight

We may be able to do away with most passwords for online sites, thanks to "passkeys" used by many major companies. Photo via iStock/Urupong

Passkeys enable us to live with far fewer, BU cryptography expert says

November 19, 2024
Passwords have protected, and perplexed, people since they were invented during the Kennedy administration for a multiuser computer at MIT. The leader of that long-ago project more recently called passwords "kind of a nightmare."

It doesn't take a PhD in computer science to know why. Hackers can heist passwords, compromising your accounts, or in some cases, those of millions of people. We're told to create many different passwords to limit that threat, but remembering them all is daunting. That's why the world's most common password (easy to remember, and to hack) is "123456."

Mayank Varia. Photo by Jackie Ricciardi

A story recently published in Vox asserts that "a world without passwords is in sight" thanks to passkeys: encrypted codes, stored on a device or password manager, that allow a user to log into websites and apps by using their fingerprint, a PIN, or facial recognition. They are impervious, passkey developers say, to phishers and cannot be stolen.

The list of major websites that support passkeys ranges from Amazon to Best Buy to Google to Walmart, though many keep a password as a backup if users lose track of their passkey.

BU Today asked Mayank Varia, an associate professor in BU's Faculty of Computing & Data Sciences, whether passwords are bound for the way of the brontosaurus. "Security, just like life, is all about trade-offs," he says. "The question is, what is the convenience-versus-security trade-off? And there's a whole spectrum of options there, and I think [a passkey] is a reasonable choice within those options."

Varia researches cryptography and serves on the United Nations Privacy-Preserving Techniques Task Team, which promotes laws and policies regarding cryptography and protected data analysis.

This interview has been edited for brevity and clarity.

Q&A

With Mayank Varia

BU Today: Do you think passwords will become obsolete in our lifetime?

Varia: I suppose it's possible, but I'll note the goal of passkeys, like the goal of many innovations [for] authenticating yourself: they don't necessarily get rid of passwords. They try to lower the number of passwords that you have to remember, because humans have limited capacity to remember strange, alphanumeric strings.

For example, a common instantiation of passkeys is on your phone. That phone might still itself have a password to log into it. That's one password, as opposed to 250 different websites that you visit [requiring] a different password. So I wouldn't call it eliminating passwords, but concentrating more on the things that you use most frequently.

A lot of websites are thinking through the many ways to allow you access. Many, especially shopping websites, will offer a choice: you can either type in your username and password, or they'll send a link to your email account, and if you click on this link, it'll auto-log you in. Either you have to remember the website to [their] company, or you have to remember your password to your own email account.

BU Today: Do you expect passkeys to become the dominant alternative?

Varia: It's hard to project. But they do seem to be a particularly convenient approach, and they have a lot of backers, like a [tech] industry coalition group, the FIDO [Fast IDentity Online] Alliance. Maybe [they're on the way to] becoming a widespread thing that's used in addition to [passwords].

[Some people] have been using password managers: you install a piece of software on your computer and then you have to remember one strong password, the one to log in to the password manager. Then, it will generate strong passwords for you and auto-populate them, perhaps, into the websites you visit.

BU Today: Apparently that's not convenient enough, since we're having this conversation about passkeys.

Varia: That's right. It's a well-designed solution, but it introduces friction: you have to install this stuff. And an almost universal truth in computer security is, any friction takes your adoption rate from 80, 90 percent to 5, 10 percent.

BU Today: Are there any downsides to passkeys?

Varia: The main downsides are twofold, and they're both pretty minor. I might have some reason that I temporarily give you access to my phone. Maybe people give access to other members of their family. Now they can log in to websites as you, which was not a part of sharing your phone that you were thinking about.

The second issue is, a world where there are no passwords can potentially increase the risk of being compelled to do things against your will. One thing (and this is a niche concern, but it's one that I've written about) is questions involving law enforcement and whether they can compel you to put your thumb on the phone and unlock it for them. In many jurisdictions, the answer is yes. Things that are in your mind are typically the things we assign the highest protections. If someone [asks], Did you commit the crime, you can't be compelled to [answer]. Putting your thumb on a device has a much lower barrier legally. Theoretically, if you have a passkey, it's easier for law enforcement to get at your information.

In Massachusetts, our Supreme Judicial Court has ruled that the police can even compel you to type in the password to devices. But that's not true nationwide, and nationwide, it's a giant question mark still to be determined.

  • Rich Barlow

    Senior Writer

    Rich Barlow is a senior writer at BU Today and Bostonia magazine. Perhaps the only native of Trenton, N.J., who will volunteer his birthplace without police interrogation, he graduated from Dartmouth College, spent 20 years as a small-town newspaper reporter, and is a former Boston Globe religion columnist, book reviewer, and occasional op-ed contributor.
