Is it time for big companies – at the very least – to abandon weak password security? If so, what password alternatives are there?
Worrying news for IT professionals – not to mention anyone who trusts a big company with their data – as a survey found that one in seven employees would be prepared to sell their company password.
Many were prepared to sell their password for as little as $150, and the survey went on to note that more than 20% of employees routinely share passwords with each other. 56% also re-use their passwords across personal and corporate accounts. Such practices on the part of employees could play a significant role in data breaches and hacks – like Sony Pictures’ attack in 2014.
So, is it time for big companies – at the very least – to abandon weak password security? If so, what password alternatives are out there?
Two Factor Authentication
Not an alternative to passwords, so much as an advancement, Two Factor Authentication – or 2FA – requires users to enter a unique code sent to a second email address of mobile number in order to log in alongside the password. Many high profile sites offer 2FA including Gmail, Twitter, Dropbox and the Steam gaming platform. You can read more about 2FA here, or watch the short video below which explains how Twitter integrated it into their site.
A personal USB key
Google – which has already been a leading voice in establishing two-factor identification – has been working on personalized USB keys as a password alternative. Simply plug your key into the PC you need to use, and it loads your profile. According to Google, a Chrome extension is already primed to work with such keys, meaning all your online logins could be stored within the master key – no more typing in passwords on any website, in theory. Communication between the browser and the key is said to generate no information that could be used to impersonate the user if intercepted.
Your heart on your wrist
The Nymi wristband looks like a lot of other wearable tech – but instead of counting your steps, it’s measuring your pulse. The precise, unique rhythm of your heart can be used as an alternative to a password, identifying you wirelessly not just to your computer, but potentially to your car, your house, and in stores for making payments. It might sound far-fetched but it’s not such a jump to combine a heart-rate monitor with NFC communication.
Forget iris or fingerprint ID as password alternatives – the latest thinking in biometric identification covers a fantastic range of possibilities. Descartes Biometrics makes an app called Ergo, for Android, which it claims can use the shape of your ear to identify you – simply by pressing it against the screen as you might during a phone call.
Other concepts in biometrics include measuring your gait – perhaps not as practical for those who just need to log into their workstation, but again, a wearable bracelet equipped with accelerometers and gyroscopes could be used to monitor your gait (its speed, balance, weight) and login to your computer by matching the data against a pre-recorded sample.
Still other biometric ideas include full facial recognition – which Facebook claims to have perfected to a near-human level of accuracy – and recognizing your typing speed. It could one day be not what your password is, but simply how you type it.
Use a virtual ‘token’
In similar vein to Google’s USB concept, this password alternative employees to carry a piece of pre-recorded information with them. These, however, can be incorporated into your smartphone. Clef, a new app already used by tens of thousands of sites, logs users in by displaying a temporarily-generated, unique image on the phone screen. Simply hold the image up to your webcam to authenticate it. The image can’t be stolen, as each one is randomly generated and lasts for less than thirty seconds.