High-profile password heists are now depressingly common. And as we continue to entrust more of our personal information to password-protected online services, the payoff from a successful attack is only increasing. Attacks on Adobe, Zappos, and Sony’s PlayStation Network each netted tens of millions of user passwords.
These were not the first attacks to attempt harvesting of users' passwords on a massive scale, and they certainly won't be the last. And though it might seem strange that some nameless attacker would want the credentials to several million PSN gamer accounts, these attacks are actually exceedingly valuable because most of us are lazy.
We share passwords between accounts. We use the same passwords to access our online bank accounts and our online dating accounts. We use the same passwords to log into Amazon and Google, Netflix and Dropbox. As an attacker, once you've got ahold of 150 million Adobe usernames and passwords, you go try them all at Bank of America. And even if only a small fraction work, it's worth it.
Sharing passwords between accounts is understandable since most people rely on their brains to hold their passwords, and the human brain has a limited capacity. Those of us who are concerned about security augment our brain capacity with tools like 1Password and LastPass. But the average user is not terribly concerned with password security and will likely never use such products.
So if password reuse is valuable to attackers, but getting people to stop is difficult and adoption of password tools is slow, perhaps there is an alternative solution staring us straight in the face.
Do away with passwords.
Maybe we don't need them. Instead of letting users choose passwords, we could authenticate users by giving them short-lived one-time-use tokens delivered over a secure channel that they control. No need to salt and hash anything since the tokens would be useless to an attacker. No need for silly password strength requirements which annoy users while not actually making them any safer.
In fact if you think about it most online services have already implemented passwordless authentication. It's called password reset. You forget your password, click a link on a login form which takes you to a page where you enter your email address, and then an obscure link with an embedded token is emailed to you. Clicking that link takes you to a form where you are already authenticated and can choose a new password. Of course this assumes that email is secure, but that's a topic for another post.
So passwordless authentication is actually just a simplification of the standard password reset flow in which you don't choose a password at the end. Denying users the opportunity to choose a bad password is no different from assuming that every user forgets their password every time they try to log in.
The obvious tradeoff is the extra friction on users when leaving the authentication flow to locate the temporary authentication token. But for accounts containing sensitive-enough data, the security benefits are worth it.
Besides the obvious benefit of preventing password reuse, this scheme also makes phishing more difficult. For example, as an attacker attempting to gain access to online bank accounts it is very easy to justify the cost of setting up realistic copies of login pages in an attempt to get users to accidentally send their passwords to you, because the signals of authenticity are relatively easy to fake. Without a password to steal, an attacker would have to convince a victim to find a presumably obscured and lengthy one-time-use token and hand it over before it expired, which is very difficult to pass-off as authentic behavior.
There are of course issues and best-practices to hash out. What qualifies as a secure delivery channel is the largest, although it appears that the assumption of secure email is already pervasive. But it’s time to start protecting users from their own tendency to choose bad passwords. It's time to start building passwordless products.