Moving Past The Password, But At What Cost?
People hate passwords almost as much as they hate being hacked. The problem with the traditional password is twofold: To be useful, they have to be complex and difficult to guess. And passwords become less secure the more often you use them.
Services like LastPass and 1Password will remember your passwords or generate long lines of alphanumeric nonsense you can use to authenticate yourself online. But some users may not feel safe entrusting their passwords to a single third party. Instead, most people stick to what they know and keep their passwords ridiculously simple.
Last week in San Francisco, during Twitter's first developer conference in over four years, Twitter's vice president of product for revenue, Kevin Weil, took to the stage to introduce Fabric, a newsuite of developer tools. Digits, a part of Fabric, is the new tool that Twitter wants to use to bring an end to online password logins.
The concept is simple: Rather than having a unique username and password combination, any application working with Digits would simply ask for your phone number. Plug in your number, wait for a text message with a confirmation code, enter the code, and voila — instant login. Confirmation codes expire and can be used just once, making repeated access to your phone necessary for multiple logins.
Using your phone number to identify yourself online might seem like a step backward, but in a lot of ways it offers a level of security that email-linked accounts don't. Whenever the next seemingly inevitable corporate data breach happens, tech blogs will bemoan the situation and rush to encourage consumers to use stronger passwords. It's a cycle that keeps repeating itself because security flaws are a fact of digital life and multifactor authentication isn't ubiquitous yet. With Digits, Twitter — like Google and Apple before it — is trying to change that.
Authentication factors are specific pieces of information that can grant a person access to protected data. These factors fall into one of three categories: factors you know (passwords), factors you have (cellphones), or factors you are (biometrics). In the past, Google's security solutions have relied on a mix of cellphone access and ephemeral passwords to ensure that you are who you say you are. More often than not, however, most users opt for the same kind of single-factor authentication that led to Mat Honan's infamous digital destruction.
Last week Google announced its plans to release Security Key, a physical key that can be used to log in to your Google account. Unlike email, Digits, or other SMS-based authentication methods, Google's key isn't dependent on a cellular data connection.
By plugging the key into a standard USB port and entering a password, users can protect themselves from Web-based man-in-the-middle, keylogging and phishing attacks by forcing websites to authenticate their identities. The Security Key isn't without its drawbacks, though. It can't encrypt your data, or prevent data leaks. It also requires that you use Google's Chrome browser, and given that it's an actual key, it'd be possible to simply lose it.
Apple's most recent crop of iPhones and its new smart watch take things a step further and ask you to use your body to prove your identity. After you enter a PIN once while wearing it, the Apple Watch uses skin-to-skin contact to remember who you are. Apple announced that you'll be able to unlock hotel doors and pay for pay for things using the watch, and it stands to reason that the watch could someday be used to unlock iPhones or MacBooks.
Apple has designed its new payment system, Apple Pay, and its Touch ID sensor to keep the bulk of your personal information encrypted and stored within your phone. That's one of the reasons that many retailers are shunning Apple Pay — there's little incentive for them to use it because there are precious few data to glean from your transaction. Apple's mobile devices are expensive, but in exchange for that premium, users gain a certain degree of privacy.
Twitter is giving Digits and the rest of Fabric away to developers, free, and users won't have to pay hefty SMS charges to use its features. That isn't to say, however, that these steps toward a password-free Internet won't come at a cost.
Digits potentially gives Twitter a direct line — literally — to some of the most valuable information about you: The company can determine who you are, where you are, and what apps you're logging in to. Though Twitter isn't saying how it will use that information, it is invaluable for the kind of hypertargeted advertising that Twitter's business model is built upon.
With Digits it's offering the public a chance do away with passwords one app at a time, but it's also asking us to make a choice. What's more valuable? A simpler, more secure mobile Web, or privacy from laser-focused advertisers?
Charles Pulliam-Moore is an intern at NPR's Code Switch who has a not-so-secret passion for mobile gadgetry. He tweets about tech, culture and the occasional pocket monster @CharlesPulliam.
Copyright 2021 NPR. To see more, visit https://www.npr.org.