Devon Thome

June 1, 2021

Let's get rid of passwords already

Data breaches happen constantly.

It's become one of those things that nobody is surprised about. It's so common that even some of the top password manager apps have built-in functions to notify you about compromised logins.

In a world of encryption, built-in device trust systems, and more ways to authenticate who you are than ever before... why are we still relying on passwords?

To be clear, I don't necessarily support "Login with..." providers, either. Having your account data, and your ability to access various apps, depend on a decision by the likes of Google, Facebook, or even Twitter doesn't sit right with me. However, they're more of an industry standard now than ever... because nobody wants to remember 500 different passwords.

So let's use the built-in systems that almost every computer, phone, and tablet has now. Let's move the trust of user verification to the device.

Currently, when you're signing up for a site, you probably give out your email address and set a password. From then on, to sign in, you just provide the email address and password, and you're in. Your "login keys" are known to you, and you're relying purely on the obscurity of your details being hard to guess. If we lived in a perfect world where every website were unhackable, then, yeah, this would be our solution.

However, we don't. Users have proven that they can't be trusted to remember complicated details. Sites have been shown to not keep details confidential... so let's remove the obligation. Let's remove the obscurity part of the equation.

Your iPhone, laptop, and even your PC have been able to act as a "security key" for some time now. I'm simplifying, but this works by having your device create a very long secret "key" that is shared with each site you sign up with. Every place you use would get a different key. Only that individual site has the means to verify that it's you. Because of this setup, nobody else would be able to impersonate you - even if they have the key.

What would this mean? When you go to sign in to a website, you'd just tap your Touch ID sensor. You'd hit that side button on your smartwatch. You'd type your PIN into Windows Hello. The end result is that you're in, and you didn't need to remember anything.
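To make the mechanism concrete, here is an added example (not code from the post, and not any vendor's implementation) of the device-as-security-key flow sketched above, modelled the way FIDO2/WebAuthn does it: the device keeps one secret key per site, the site stores only the matching public key, and a login is a fresh random challenge signed by the device. It assumes Ed25519 from Go's standard library; the site names, user name and the `Device`/`Site` types are constructed for the demo. The public key is what the site holds, which is why a stolen site database (the "key" the author mentions) is not enough to impersonate you.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device holds one secret key per site (origin). The secret never leaves
// the device; only the public half is handed to the site at sign-up.
type Device struct {
	keys map[string]ed25519.PrivateKey
}

func NewDevice() *Device { return &Device{keys: map[string]ed25519.PrivateKey{}} }

// Enroll creates a fresh key pair for this site and returns the public key
// the site should store. Each site gets its own key, so a breach at one
// site reveals nothing usable at another.
func (d *Device) Enroll(origin string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	d.keys[origin] = priv
	return pub, nil
}

// Sign answers a site's challenge. The origin is bound into the signed
// message so a signature produced for one site cannot be replayed at another.
func (d *Device) Sign(origin string, challenge []byte) ([]byte, error) {
	priv, ok := d.keys[origin]
	if !ok {
		return nil, errors.New("device has no key for this site")
	}
	return ed25519.Sign(priv, signedMessage(origin, challenge)), nil
}

// signedMessage is the byte string both sides agree to sign/verify.
func signedMessage(origin string, challenge []byte) []byte {
	return append([]byte(origin+"|"), challenge...)
}

// Site stores only public keys, keyed by user name. A public key cannot
// be used to log in, so a leaked user table is not a credential leak.
type Site struct {
	origin string
	users  map[string]ed25519.PublicKey
}

func NewSite(origin string) *Site {
	return &Site{origin: origin, users: map[string]ed25519.PublicKey{}}
}

func (s *Site) Register(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// Challenge issues fresh random bytes for one login attempt.
func (s *Site) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks that the signature over (origin, challenge) was produced
// by the key registered for this user.
func (s *Site) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.users[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, signedMessage(s.origin, challenge), sig)
}

// LoginFlow runs one complete sign-in: the site challenges, the device
// signs, the site verifies. Returns true when the user is let in.
func LoginFlow(site *Site, dev *Device, user string) (bool, error) {
	ch, err := site.Challenge()
	if err != nil {
		return false, err
	}
	sig, err := dev.Sign(site.origin, ch)
	if err != nil {
		return false, err
	}
	return site.Verify(user, ch, sig), nil
}

// ImpersonationAttempt models an attacker who copied the site's user table
// (the public key) and answers the challenge with a key of their own.
func ImpersonationAttempt(site *Site, user string) (bool, error) {
	thief := NewDevice()
	if _, err := thief.Enroll(site.origin); err != nil {
		return false, err
	}
	return LoginFlow(site, thief, user)
}

func main() {
	dev := NewDevice()
	site := NewSite("shop.example") // constructed site name
	pub, _ := dev.Enroll(site.origin)
	site.Register("devon", pub)
	ok, _ := LoginFlow(site, dev, "devon")
	fmt.Println("real device signs in:", ok)
	ok, _ = ImpersonationAttempt(site, "devon")
	fmt.Println("attacker holding only the public key:", ok)
}
```

Two design points carry the argument in the post: every site gets a different key pair, so nothing learned from one breach transfers, and the site's name is folded into what gets signed, so a response captured for one site is worthless at another.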

The only caveat is "enrolling" new devices. Every device you use to access a site or app would need to be "authorized," but in theory, this could become easier, too. Maybe when you try to sign in from your Mac, your iPhone could "share" the keys with your permission, and then the Mac shares its own to authorize itself for future access.

Cut the vector of stealing someone's info. Cut the hassle of remembering 500 different logins. Stop letting social providers gatekeep the internet. Put some trust in the device you already use to do everything.

Let's get rid of passwords already.

- Devon

About Devon Thome

Gaming & Tech + everything in between