Moving Past The Password, But At What Cost?

October 30, 2014

Everyone hates passwords almost as much as they hate being hacked. The problem with the traditional password is twofold. To be useful, it has to be complex and difficult to guess. And a password gets weaker the more it is used: every site you type it into is one more place it can be phished or keylogged, and every site you reuse it on is one more breach that can expose it.

Services like LastPass and 1Password will remember your passwords or generate long strings of random characters you can use to authenticate yourself online. But some users don't feel safe entrusting all of their passwords to a single third party, and most people simply stick to what they know and keep their passwords ridiculously simple.

Last week in San Francisco, during Twitter’s first developer conference in over four years, Twitter vice president of product for revenue Kevin Weil took to the stage to introduce Fabric, a new suite of developer tools. Digits, a part of Fabric, is the new tool that Twitter wants to use to bring an end to online password logins.

The concept is simple: rather than a unique username and password combination, an application built on Digits simply asks for your phone number. Enter the number, wait for a text message with a confirmation code, type in the code, and voila, you're logged in. Confirmation codes expire and can be used only once, so every fresh login requires having the phone in your hand.
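The server side of that flow, as an added example that is not part of this article and not Digits' own code (the phone number, the five-minute lifetime and the five-guess limit are assumptions): the code is random, stored only as a hash, expires, is accepted exactly once, and can be guessed only a handful of times. That last check matters more than it looks, because a six-digit code has only a million possibilities and would fall to a script in minutes if the server let it guess freely.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Illustrative model of a phone-number login: the number is the identifier,
// and possession of the phone is proved by echoing back a short code that was
// texted to it. The limits below are assumptions, not Digits' settings.
const (
	codeDigits  = 6
	codeTTL     = 5 * time.Minute // a code is useless after this
	maxAttempts = 5               // guesses allowed before the code is burned
)

var (
	ErrNoPending = errors.New("no code outstanding for this number")
	ErrExpired   = errors.New("code expired; request a new one")
	ErrTooMany   = errors.New("too many wrong guesses; request a new one")
	ErrWrongCode = errors.New("wrong code")
)

type pending struct {
	hash     [32]byte // sha256(number || code); the clear code is never stored
	expires  time.Time
	attempts int
}

// CodeStore keeps at most one outstanding code per phone number.
type CodeStore struct {
	now     func() time.Time // injectable clock so expiry can be tested
	pending map[string]*pending
}

func NewCodeStore(now func() time.Time) *CodeStore {
	return &CodeStore{now: now, pending: make(map[string]*pending)}
}

func hashCode(number, code string) [32]byte {
	return sha256.Sum256([]byte(number + "\x00" + code))
}

// Issue generates a fresh random code for number and returns it so the caller
// can hand it to an SMS gateway. Any earlier code for the number is replaced.
func (s *CodeStore) Issue(number string) (string, error) {
	limit := new(big.Int).Exp(big.NewInt(10), big.NewInt(codeDigits), nil)
	n, err := rand.Int(rand.Reader, limit) // uniform in [0, 10^codeDigits)
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%0*d", codeDigits, n.Int64())
	s.pending[number] = &pending{
		hash:    hashCode(number, code),
		expires: s.now().Add(codeTTL),
	}
	return code, nil
}

// Verify checks a code typed by the user. A code is accepted at most once and
// only before it expires; each wrong guess counts against maxAttempts.
func (s *CodeStore) Verify(number, code string) error {
	p, ok := s.pending[number]
	if !ok {
		return ErrNoPending
	}
	if s.now().After(p.expires) {
		delete(s.pending, number)
		return ErrExpired
	}
	if p.attempts >= maxAttempts {
		delete(s.pending, number)
		return ErrTooMany
	}
	p.attempts++
	want := hashCode(number, code)
	if subtle.ConstantTimeCompare(want[:], p.hash[:]) != 1 {
		return ErrWrongCode
	}
	delete(s.pending, number) // single use: the same code cannot log in twice
	return nil
}

func main() {
	store := NewCodeStore(time.Now)
	number := "+15555550100" // constructed sample number
	code, _ := store.Issue(number)
	fmt.Println("SMS to", number, "would carry:", code)
	fmt.Println("first use: ", store.Verify(number, code))
	fmt.Println("second use:", store.Verify(number, code))
}
```

Requesting a new code deliberately invalidates the previous one, so a code an attacker intercepted earlier is dead the moment the real user asks for another; the attempt counter is per code, which is why a burned code has to be reissued rather than simply retried.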

Using your phone number to identify yourself online might seem like a step backwards, but in one important way it offers a level of security that e-mail-linked accounts don't: a code texted to your phone proves you are holding the phone, while a password proves only that you know a secret that may already have leaked somewhere else. Whenever the next seemingly inevitable corporate data breach happens, tech blogs bemoan the situation and rush to tell consumers to use stronger passwords. It's a cycle that keeps repeating because security flaws are a fact of digital life and multi-factor authentication isn't ubiquitous yet. With Digits, Twitter, like Google and Apple before it, is trying to change that.

Authentication factors are the kinds of evidence a system will accept as proof that you are who you say you are. They fall into one of three categories: something you know (a password), something you have (a cell phone or a hardware key), or something you are (a fingerprint or other biometric). Google's two-step verification has relied on a mix of the first two: your password plus a short-lived one-time code generated on, or texted to, your phone. More often than not, however, users opt for the same kind of single-factor authentication that led to Mat Honan's infamous digital destruction.

Last week Google announced Security Key, a physical USB key that can be used to log into your Google account. Unlike e-mailed codes, Digits, or other SMS-based methods, Google's key doesn't depend on a phone network delivering a code to you.

By plugging the key into a standard USB port and entering a password, users can protect themselves from Web-based man-in-the-middle, keylogging and phishing attacks. The key doesn't hand over a code that a keylogger could capture; it signs a challenge that is bound to the address of the site asking for it, so a look-alike site can't obtain a response the real site will accept. The Security Key isn't without its drawbacks, though. It can't encrypt your data or prevent data leaks. It also requires Google's Chrome browser, and given that it's a physical key, it's entirely possible to simply lose it, which is why a backup login method matters.
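How the key defeats a look-alike site, as a simplified added example that is neither Google's nor the FIDO Alliance's code (the message layout, the names and the origins are assumptions): the browser tells the key the origin of the page making the request, the key folds that origin into what it signs, and the real site checks the signature against its own origin rather than anything the client claims. An assertion obtained on a phishing domain therefore fails, and a captured assertion can't be replayed because each challenge is answered only once.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Key models the USB token; the private key never leaves it.
type Key struct{ priv *ecdsa.PrivateKey }

// Assertion is what the browser forwards to the site after the user touches
// the key. It carries no origin field on purpose: the site hashes in its own.
type Assertion struct {
	Challenge []byte
	Sig       []byte // ASN.1 ECDSA signature over signedDigest(origin, challenge)
}

func NewKey() (*Key, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Key{priv: priv}, nil
}

func (k *Key) Public() *ecdsa.PublicKey { return &k.priv.PublicKey }

// signedDigest binds the origin to the challenge. U2F calls the hashed origin
// the "application parameter"; the exact layout here is simplified.
func signedDigest(origin string, challenge []byte) []byte {
	app := sha256.Sum256([]byte(origin))
	h := sha256.New()
	h.Write(app[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign runs inside the key. The origin is supplied by the browser, which knows
// which page is asking; page content cannot lie to the key about it.
func (k *Key) Sign(origin string, challenge []byte) (Assertion, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, signedDigest(origin, challenge))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Challenge: challenge, Sig: sig}, nil
}

// Site is the relying party that registered the key's public key.
type Site struct {
	Origin      string
	pub         *ecdsa.PublicKey
	outstanding map[string]bool // challenges issued but not yet answered
}

func NewSite(origin string, pub *ecdsa.PublicKey) *Site {
	return &Site{Origin: origin, pub: pub, outstanding: make(map[string]bool)}
}

// Challenge issues a fresh random nonce; each one may be answered only once.
func (s *Site) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.outstanding[string(c)] = true
	return c, nil
}

// Verify checks the signature against the origin the site knows it is served
// from, never one the client claims, so a signature made on a look-alike
// domain cannot pass, and a captured assertion cannot be replayed.
func (s *Site) Verify(a Assertion) error {
	if !s.outstanding[string(a.Challenge)] {
		return errors.New("unknown or already-used challenge")
	}
	delete(s.outstanding, string(a.Challenge))
	if !ecdsa.VerifyASN1(s.pub, signedDigest(s.Origin, a.Challenge), a.Sig) {
		return errors.New("signature was not made for this origin")
	}
	return nil
}

func main() {
	key, _ := NewKey()
	site := NewSite("https://accounts.example.com", key.Public()) // constructed origins
	c, _ := site.Challenge()
	good, _ := key.Sign(site.Origin, c)
	fmt.Println("real origin:    ", site.Verify(good))
	c, _ = site.Challenge()
	phished, _ := key.Sign("https://accounts.example.com.evil.test", c)
	fmt.Println("phishing origin:", site.Verify(phished))
}
```

The crucial design choice is that Verify never reads an origin from the request: the phisher can relay the real site's challenge to the victim and relay the answer back, but the victim's browser told the key the phishing origin, so the signature covers the wrong digest and the real site rejects it. The actual U2F protocol also includes a signature counter for detecting cloned keys, which this model leaves out.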

Apple’s most recent crop of iPhones and its new smartwatch take things a step further and ask you to use your body to prove your identity. After you enter a passcode once while wearing it, the Apple Watch stays unlocked for as long as its sensors detect that it is still on your wrist, and locks again when it is taken off. Apple announced that you’ll be able to unlock hotel doors and pay for things using the watch, and it stands to reason that the watch could someday be used to unlock iPhones or MacBooks.

Apple has designed its new payment system, Apple Pay, and its Touch ID sensor to keep the bulk of your personal information encrypted and stored on the phone itself rather than on a server, and a merchant taking an Apple Pay transaction receives a one-time payment token instead of your card number. That’s one of the reasons that many retailers are shunning Apple Pay: there’s little incentive for them to use it because there’s precious little data to glean from your transaction. Apple’s mobile devices are expensive, but in exchange for that premium, users gain a certain degree of privacy.

Twitter is giving Digits and the rest of Fabric away to developers for “free,” and users won’t have to pay SMS charges for the confirmation texts. That isn’t to say, however, that these steps towards a password-free Internet won’t come at a cost.

Digits potentially gives Twitter a direct line — literally — to some of the most valuable information about you: The company can determine who you are, where you are, and what apps you’re logging into. Though Twitter isn’t saying how it will use that information, it is invaluable for the kind of hyper-targeted advertising that Twitter’s business model is built upon.

With Digits it’s offering the public a chance to do away with passwords one app at a time, but it’s also asking us to make a choice. What’s more valuable: a simpler, more secure mobile Web, or privacy from laser-focused advertisers?

Charles Pulliam-Moore is an intern at NPR’s Code Switch who has a not-so-secret passion for mobile gadgetry. He tweets about tech, culture and the occasional pocket monster @CharlesPulliam.

Copyright 2014 NPR. To see more, visit http://www.npr.org/.