By Robert McMillan
Rohit Paul has seen the future of digital security, and it is
free of pesky passwords. Recently, he needed to use a laptop to
edit a vacation photo stored in Google Photos. He grabbed his
wife's computer. But the 27-year-old engineer didn't type in Google
credentials. Instead, he tapped a button on the screen of his Nexus
6P smartphone.
"It makes life easier," Mr. Paul said. "No need to worry about
typing a complicated password."
Technologists aiming to strike a balance between security and
ease of use are converging on the smartphone. The latest
developments from Google parent Alphabet Inc. and from Apple Inc.
go beyond using special programs designed to manage all of your
passwords, or entering a code sent via text message. Instead, they
treat a handset as a replacement for passwords and other
identification.
Mr. Paul is part of Alphabet's quiet beta test program for "Sign
in with your phone," Google's latest effort to let Android users
log into its services--on any device--without a password. And in
the future, Google engineers aim to give Android phones the ability
to recognize individual users by analyzing patterns of speech,
typing and other behavior.
Apple, for its part, has outfitted its latest iPhones with
special high-security chips that let programmers develop apps to
let users log in by touching their finger to the phone instead of
entering strings of characters. The iPhone's built-in Touch ID
fingerprint reader has become a popular way to unlock the phone,
but app developers are starting to use it with other onboard
security features to eliminate passwords entirely.
Mobile phones also serve as personal identification in
credit-card alternatives such as the Apple Pay and Android Pay
services. And banks are beginning to experiment with using phones
to replace ATM cards. Citigroup Inc. and Wells Fargo & Co. are
experimenting with systems that let people withdraw cash by using a
special code displayed on a phone's screen.
Passwords are a notorious bane of digital life. Users forget
them, make them easy to guess, or rely on the same one to gain
access to multiple online services, all of which become vulnerable if
the password is exposed. Network administrators hate them because
they don't keep hackers at bay and resetting them is costly.
Managers hate them because they waste a tremendous amount of time.
The technology research firm Gartner Inc. estimates that password
resets take up between 20% and 30% of all help-desk support calls
in corporations.
Microsoft Corp. researcher Cormac Herley estimated in 2014 that
if the Internet's two billion users spent five seconds a day typing
passwords, the effort would amount to 1,389 man years daily. From
"a cost-benefit standpoint users are rational to reject much
security advice: the burden imposed is simply too great for the
benefit received," he wrote in a research paper. For instance, one
problem is that users are told not to reuse passwords, and to come
up with complex, random sets of characters that are difficult to
memorize.
"We know that the most popular passwords are all pretty much
garbage," said Matthew Green, an assistant professor of computer
science at Johns Hopkins University. "People tend to pick the less
secure passwords in the largest numbers, so passwords are a bad
idea from a security point of view."
However, Mr. Green said he doesn't think that the password will
be completely replaced by mobile-phone gizmos any time soon. "I
think these things are neat ideas, but they're too flaky right now
for us to really rely on them. There are too many false negatives
and false positives [regarding authentication]."
The password has been an endangered species for some time. Most
mobile apps ask for one the first time they run on a new phone and
leave users alone thereafter. But the pain persists. Buy a new
phone or switch computers, and you need to remember
passwords--often a lot of them.
Smartphones make a handy substitute. Like passwords, individual
mobile devices are ubiquitous, unique and intensely personal.
Unlike passwords, they're difficult to duplicate--and hackers can't
sell copies of them to all comers in underground forums.
Google's "sign in with your phone" feature is the latest in a
series of Google experiments to shed passwords. Regina Dugan, chief
of the company's Advanced Technologies and Projects group, in May
demonstrated a system that allowed a phone to know its rightful
user by analyzing data from the phone's sensors.
"This next frontier of authentication moves the burdens of PINs
[Personal Identification Numbers] and passwords from the user to
the device itself," Ms. Dugan said during a speech at Google's
annual software developer conference last May.
Peiter "Mudge" Zatko, a network security expert who contributed
to other Google efforts to supersede the password before leaving
last year to found a security consultancy, believes that Apple, and
not his former employer, is best positioned to pull this off.
Apple's emphasis on hardware design and focus on the high-end
market opened the door to two key pieces of technology that could
help the company liberate users from the password, he said.
The company in 2012 purchased AuthenTec Inc., a maker of
fingerprint readers, for $355 million. That technology forms the
basis of the iPhone's Touch ID technology, which lets users log
into their phones with a fingerprint rather than a password.
One immediate result was greater security. Two years ago, about
50% of iPhone users didn't lock their handsets. Today, 90% of
iPhone users lock their devices with either a passcode or
fingerprint scan. Of the top 2,000 free iPhone apps in the U.S.,
7.5% use Touch ID, according to research done for The Wall Street
Journal by SourceDNA, Inc., an app analytics service. They include
apps from Evernote Inc. and the Bank of America Inc.
New York security consultancy Trail of Bits Inc. this week will
unveil a program, Tidas, that allows developers to access the
iPhone in an even more secure fashion. Trail of Bits built its
software after Apple discussed its special security chip, known as
the Secure Enclave, at a June 2015 conference but didn't provide
technical details on how to use it directly.
Trail of Bits CEO Dan Guido believes that the enhanced security
provided by Apple's technology will further endanger the password.
"People will absolutely use fewer passwords if this kind of
technology achieves widespread usage," he said.
Nonetheless, Apple vice president of iPhone and iOS product
marketing Greg Joswiak doesn't think that passwords will ever fully
be eliminated. "I think there is still a purpose to having them,
including using them to encrypt everything on your device," he
said. "What we want to do is create an easy and secure experience
with Touch ID and make the use of passwords as infrequent as
possible."
Mr. Paul, who uses Google for email, search, photo storage, and
driving directions, is still holding on to his password just in
case. "When all else fails, go with the password as a fallback," he
said.
Write to Robert McMillan at Robert.Mcmillan@wsj.com
(END) Dow Jones Newswires
February 08, 2016 19:42 ET (00:42 GMT)
Copyright (c) 2016 Dow Jones & Company, Inc.