Why We Might Be Stuck With Passwords for a While

4 minute read

Why do we still have passwords? Everyone hates them. They’re hard to keep track of and hard to type in, especially on your mobile device. And they just don’t work, judging by the all-too-frequent news of bad guys busting into this site or that app.

Two reasons they haven’t gone away: First, it’s easy for programmers to deploy a standard username/password setup. They more or less just push a button in their app-building toolkit. Second, the alternatives…well, they’re not quite ready for prime time. Let’s look at a few.

Biometric sign-in This is the term for signing in with your fingerprints or iris scan or another piece of yourself. For example, the iPhone 5s puts it to good use with a fingerprint reader. But there’s a big problem: If your password or your credit card is compromised by the bad guys, you can revoke it and get a new one. Your fingerprint? Not so much.

Federated sign-in These are those “Sign in with Facebook” (or with Google or Twitter) buttons we’re starting to see all over the place. This is actually a pretty good idea; big Internet operators are very good at security stuff, and every app that does it is one less password to remember.

On the other hand, Facebook and Google are already very powerful, and you have to be a little nervous about putting still more of the ‘net in their hands. Work is under way on the problem: Other companies like Amazon and Paypal want a piece of the action, and maybe your alma mater or bank or the AARP could be your “identity provider,” reducing the Google/Facebook over-centralization worries. There’s real promise in Federation.

Two-factor sign-in A 4-digit PIN and a piece of plastic are enough to get you cash from almost any bank in the world. Security experts call this “Something you know and something you have” and they like it a lot.

Similarly, most people who work for big companies carry around a physical doohickey that they have to use along with a password or PIN to access their corporate mail. Some of these display a number that you type in, others come as a USB, and so on. Another two-factor variation is sites that, when you log in, SMS you a numeric verification code.

The problem, and it’s a big one, is that you can’t really carry a different doohickey around for each of your passwords. The solution to that is obvious: just have one that works for lots of different apps. That will require some cooperation and infrastructure. There are smart people working on this idea, but we’re not there yet.

The whole notion of hardware assist is interesting. In Kenya, you can buy a lot of things with your mobile without being “online.” And in Japan, people use their phones to pay for small-ticket items like subway fares and items at vending machines. Why shouldn’t you be able to use your phone to prove who you are?

Email sign-in Since you give most apps your address anyhow, why not just give up passwords and have the app email you a sign-in URL or magic code when you need to prove who you are? This can work pretty well, but then there’s the fact that not all email addresses are created equal. An app might be happy to rely on a Gmail address, but not one from your high school.

This whole do-away-with-passwords thing is a gold rush and there are a bunch of startups working away at it. A few of them out there are claiming to have simple solutions you can start using today and kiss passwords goodbye forever. Well, maybe. But I still sure see a lot of passwords.

If we can’t do away with passwords, at least we can make them less painful. Password managers like 1Password or KeePass or LastPass are gaining popularity (I recommend them), but mostly among engineers and other geeks.

Another good practice is just to ask for passwords less often. If you’re signing in every day from the same computer in your basement, you’ll notice that Google hardly ever asks you to prove who you are.

Yes, passwords are awful and don’t work. Yes, the experts know this. Yes, we’re working on the problem and making progress. No, we’re not there yet. Stay tuned.

Tim Bray has founded two software companies, helped write Internet standards, worked for big operators, including most recently Google, and written over a million words on his blog.

More Must-Reads From TIME

Contact us at letters@time.com