Thursday, December 22, 2011

IBM 5 in 5 Predicts the Demise of Passwords

Every year IBM releases IBM 5 in 5, a forecast of the five innovations that will change the tech landscape in the next five years. The success of IBM’s predictions seems to have been mixed, but besides PR, IBM derives value by forcing the entire company to think along these predictions.
One of the 2012 predictions is on the future of passwords.
The name "multifactor biometrics" sounds as intriguing as the thrillers that use it as a plot device. In real life, the use of your retinal scan or your voice as a passport to verification will replace multiple passwords for access to information and secret hideouts, should you decide to accept the option. Your unique biological identity becomes your only password as multifactor biometrics aggregate these characteristics in real time to prevent identity theft.
There seems to be a fair possibility of this prediction coming true in the 3-5 year timeframe. Building biometrics into smartphones and tablets may spur adoption. I believe companies and government may be early adopters. Biometrics as a substitute for passwords still have a few challenges to overcome, such as cost, reliability and unknown unknowns that may result in biometric compromise in the future.
The full value of biometrics will, however, be derived if normal Internet users can use them for commerce transactions on the Internet, which I believe will be largely driven by marketplace economics. Adoption by large credit card firms such as VISA and Mastercard may tilt the balance.
So in a nutshell, it’s wait and watch! No relief in sight just yet.
My expectations are that in the short term the number of passwords will reduce via:
  1. Cloud-based identity brokers who will help individuals authenticate to a single source and then authenticate them to Internet sites
  2. Use of OpenID by major social networking sites
  3. Enhanced strength of passwords through a second-factor authentication means using a photo or a code
  4. Increased use of virtual keyboards to key in passwords to defeat key loggers


  1. Biometrics is a bad idea for remote authentication because of the possibility of replay attacks. Additionally, biometrics cannot be revoked. If somebody has your biometric, then the person can use the same and you cannot change it. As a result, biometric is best for identification of a user rather than authentication.

  2. The biggest hurdle that has to be addressed before biometrics can replace passwords is the reject rate. This is one of the main reasons we did not go down this route when I was at Visa. It’s okay for passports as you can have other checks if required, not so great if you reject your customer at the till of their local supermarket on Christmas Eve. Cost is another factor; you need to get the merchants to invest in the infrastructure or make changes to their systems, and that is not easy if the business case is not in their favor. I agree passwords are a very weak authenticator; the issue is there is currently not really a cost-effective or customer-friendly solution to replace them right now.