Are Computer Users Ready to Part With Passwords?
Replacing logins with phones is smart cybersecurity – but are users ready to abandon passwords?
Passwords used to be simple. Frequently personal, they were often revealing and sometimes embarrassing – the name of a cat, the month of an anniversary or a reminder of an inside joke.
Then things got complicated. A rise in online thefts spurred companies to require that passwords arbitrarily include numbers, capital letters or punctuation marks. Soon, they would have to be changed every few weeks or months with increasingly more complicated sequences, making necessary multiple passwords for computers and websites and email accounts.
But that may all be about to end.
Yahoo announced this week that it plans to abandon the password entirely, letting people access their mail with a mobile app that cybersecurity experts agree is more secure than memorizing custom logins.
The new Account Key option allows people to access Yahoo Mail by tapping a notification sent to their phones when they want to log in – and prevents hackers from accessing it illegally without such messages. This option “will be rolling out to other Yahoo apps this year” as part of the company’s plan for a “password-free future,” said a blog post by Dylan Casey, Yahoo’s senior vice president of product management.
Jonathan Klein, president of mobile software company MicroStrategy, says it’s a good idea and that the general public is coming around to the notion that “passwords are out of date.”
“About 99 percent of passwords that are used are common passwords, like a kid’s name or school or sports team,” he says. “These are some of the only things saving us from people draining our bank accounts. How long do you think it would take me to find out where you went to school or what your mother’s maiden name is?”
It probably works like that more often in Hollywood – like that episode of “Seinfeld” in which George Costanza reluctantly revealed his password was “Bosco” or in the 1980s film “War Games,” when two teenagers hacked the Pentagon’s nuclear missile launch system by correctly guessing that its designer had picked as its password the name of his dead son, Joshua.
But in reality, approximately 95 percent of Web app attacks last year were related to stealing credentials from users, according to a recent report on data breaches by Verizon. So shoring up the old system of passwords could be in everyone’s interest.
Facebook and Google are encouraging users to share their mobile phone numbers as a so-called “two-factor authentication” to ensure hackers cannot access an account illegally without passwords and numbers.
But while the notion of passwords is “very dated” because of the security risks and complicated process of remembering the logins, companies may have trouble getting people to trust them with their phone numbers, says Julie Ask, a principal analyst at Forrester Research. Indeed, Facebook users criticized the social network last year when the company made its mobile application a requirement for people who wanted to use the site through their phones, out of concern that it gave the company too much access to info stored on their devices.
“Every time you ask consumers for more information some folks are going to drop out of the process,” Ask says. “You have to imagine that in Yahoo’s mind this is about selling more advertising. Companies want more ways to stay connected with your digital activity.”
Compared with some other telecoms and Internet companies, however, Yahoo has built a solid reputation for privacy, earning a perfect score for digital rights in a recent study conducted by the Electronic Frontier Foundation.
“We’re committed to protecting our users’ privacy and security, and outline clearly in our terms of service that we will not sell or share a user’s personal information, including their phone number, with anyone else, including for advertising purposes,” Fred Han, a spokesman for Yahoo, tells U.S. News.
Yahoo’s new Account Key mirrors other efforts to replace passwords with phone authentication and seems like “a fine idea,” says Bruce Schneier, a fellow at Harvard University’s Berkman Center for Internet and Society who is both an expert on cybersecurity and a fierce advocate for privacy rights. He is uncertain whether killing the password will become a trend, however, adding “the question is always user acceptance.”