If not passwords, then what?

While all the hacks described therein are quite legitimate, and some amusing (e.g., hacking Nuance voice verification by recording someone speaking each digit and replaying on demand), this does raise the question: if not passwords (and two-factor, and voice bio, and SMS/PIN and …) – then what?

That’s the million-dollar question – the password-centric ecosystem, along with security questions and password reset mechanisms, is quite fragile, but it’s inexpensive to deploy and operate, accessible from any device and any location, and well understood. Alternatives require changes to user behaviour and expensive infrastructure, and often just create new weaknesses.

It’s easy to say “move on – passwords are not secure enough” but it’s hard to offer a convincing argument for any particular alternative.
