What will the password of the future look like? Smartphones will become your only key

August 11, 2013 Nowadays, smartphones have become very popular and many people use them in work and life. As such, they are likely to replace passwords used in identity authentication on various platforms.

Most experts agree that we need a more secure method than passwords to protect website security. People always like to use passwords that are easy to guess, which greatly reduces the effectiveness of passwords. In addition, advanced decryption technology can even make encrypted passwords easily cracked by hackers.

Since almost everyone has a smartphone, it is seen as an ideal place to store credentials. If a few sensors are added to the smartphone to identify the user, it would be much safer to use the device for security authentication.

"I think it's a great idea," said Trent Henry, an analyst at Gartner, referring to the smartphone authentication method. "We think it will be the authentication model of the future."

The emergence of alternatives

Many security solution providers who share Henry’s view are working to push the industry in this direction, including Authy, Clef, and Duo Security.

Even big security companies are preparing to enter the market. Last month, RSA, the information security division of EMC, acquired PassBan, a company whose technology allows smartphones to be used for voice and facial recognition in multi-factor authentication schemes.

Today, most security service providers already use mobile phones for two-factor authentication. If a website supports these providers' services, when a user logs into the website, it will send a unique personal identification number (PIN) to the user's mobile phone, and the user will enter the PIN to complete the login process.

Unfortunately, most users are unwilling to take these extra steps, so they are always looking for a more convenient and seamless method.

Authy took a step in that direction last week when it launched an app that connects an iPhone or Android phone to an Apple computer via Bluetooth. From that point on, when users visit Facebook, Dropbox, Google Gmail or other sites that support the app, the credentials stored on their phone can be used to automatically log in to the site.

Daniel Palacio, founder and CEO of Authy, believes the app is just the beginning, and that in due course this authentication method will be used on Google Glass, smart watches or other wearable computers.

The work of Authy and its competitors shows that the industry is seeking a complete solution, which does not yet exist.

Biometrics may be on the rise

"The various security experiments that have emerged in the market show that we have not yet found the ideal solution. We may never find a solution that works for all scenarios," said Eve Maler, an analyst at market research firm Forrester Research. "Until such a solution appears one day, passwords will never be completely replaced."

For a smartphone to replace passwords, it must know for sure that it is the user logging into a website, not a fraudster who found or stole the phone. Biometrics is one possible solution, provided reliable, secure fingerprint scanners, as well as voice and facial recognition technology, are developed.

Another possibility is a phone sensor that can detect how a user walks. This technology, called gait recognition, is currently being researched at Georgia Tech and MIT.

Once biometrics can reliably identify phone users, “we’ll have a very, very secure authentication system that takes a lot of the hassle out of it,” Palacio said. “People will just have to buy it and make it work.”

While such a system may be much more secure than the passwords currently used, it doesn't mean hackers will stop there. "Attackers will target these new technologies, so we have to be very careful about these security systems," Henry said. "In other words, you still need to estimate what kind of attacks will occur."