What is the future of passwords on the Internet?

Taus Noor
49 replies
Where do you see passwords in the future? Do you think passwords will always be around? Or are we headed to a fully passwordless Internet/world? Bonus question: what kind of biometric auth do you feel most comfortable with? Full disclosure: I'm working on a product related to passwordless auth.

Replies

David Oh
As soon as we have a legal and regulatory framework that's not demanding for startups to follow and transparency with this process, I'm okay with any biometric authentication, as long as everyone follows the same rules. Such rules can be such as, 1) only hashes of the biometric data can be captured at any time so that we cannot ever have 'stolen' biometric data, 2) the hashing method itself much be random 3) to prove this, after a company reaches a specific size (10 million rev or 10,000 users), they must submit to random sampling inspections of their database and the codebase that pertains to the bio-authentication scheme. 4) the authentication systems themselves, whether fingerprint, palm, or retina, facial, cannot at a hardware-level capture the full features but only partials. This would be similar to PCI complliance.
Taus Noor
@davidoh This is awesome. FIDO might be trying to do something along these lines, not quite sure. You should definitely check them out!
girish wadhwani
@davidoh Most biometrics only capture partial features and store a "biometric hash". Even access to the hash is often protected by using a secure chip. Databases of biometrics are a no-no. They are a single point of attack and a very valuable target. Instead, biometrics are better stored on the client device (like a smartphone). This is a (much harder) distributed target. This is how FIDO works.
David Oh
@girish_w I know what the ideal is. That’s why I use my iPhone regularly with no doubts. I was talking about the api based system mentioned here. If biometrics are going to be used by everyone, it stands to reason many engineers will make the same mistakes again. Like at Facebook, when they stored passwords in plain text. And what seems to actually be the case with the majority of successful services we use, according to 1Password and password checkup on chrome. What was your point?
Aaron O'Leary
Good question! I think in the immediate future it might be Fast or something like it. But in the long term I could see face ID being widely adopted, every laptop and phone has a front facing camera so it makes sense and wouldn't be surprised if thats the route Apple push with Face ID. A face ID SDK would be awesome.
Aaron O'Leary
Furthermore to this I think Fast started the conversation on this but I believe passwords in the long run will take a dramatic pivot from where Fast is right now.
Taus Noor
@aaronoleary Apple/other large companies actually rarely use front camera for face ID -- in fact that's something my team and I working on. Liveness detection using a regular front camera is still a difficult problem (esp if you want a good UX). Apple did patent Face ID for laptops though -- so we can expect to see the same Face ID sensors from an iPhone on the MacBook at some point.
Junior Owolabi
No password, Everything about us is being tracked already, so realtime profiles of us will determine who is accessing the website.
chandan kumar
Fignerprint sensor is a very good example, I have been using it on MacBook Air and its very good
Vincent Offredo
It would be interesting to think about a decentralized identity. Each user is the sole manager of his identity, which is logical! With a decentralized identity, the user could connect to any service that recognizes / validates this type of identification. With a decentralized identity, we can go further than the future of the password
Taus Noor
@vincent__off Would love to learn more about this. Would you be willing to connect over a call to discuss this?
Senuka Rathnayake
Ready to check out as soon as your product launches. And talking about the future of passwords, obviously the world will be a passwordless world where people don't have to remember different passwords. Setting up passwords is honestly one of the most irritating things when it comes to signing up on different websites etc.
Taus Noor
@senuka_rathnayake That is precisely our frustration. If you subscribe to our upcoming page on PH, we can definitely provide you with early access. We are working out a sweet deal for early subscribers too--which should also be announced soon. Here's the link: https://gaze.ai/ph Our mission is to eliminate irritating passwords.
Tarek Dajani
I don't know what other options are available, maybe fingerprint? I have no idea. From my end, I hate passwords, I always forget them. The question is will your product be working on all websites that need passwords?
Taus Noor
@tdajani That is the idea, yes. We are just launching our Beta soon on PH -- and it works on more or less any device (with or without biometric sensors). Excited to share more soon.
Adrian Pradilla Portoles
I think it will be a two step authentication retina/face and password validation on the mobile or other device with the fingerprint
Taus Noor
@adrian_pradilla_portoles Do you think this will be the norm across all services we use or just specifically stuff that are more sensitive (like payments, etc.)? Having to enter a password and biometric could be inconvenient for users, so would love to learn more about your thoughts on this.
ALC
When I research the identity part. I found that the most challenge is not security, but the economy around it. The authentication mechanism these days requires a lot of infrastructure. You need an internet connection (minimum is 1 USD of internet/month), a device that is not considered deprecated by the standard (ex. you can't even use the app if your android does not at least version 6), a common sense of a user (ex. aging people do not know how to use IT, younger people doesn't care enough about it). With only these factors, it already prevents more than half of people in the world to use the service.
Taus Noor
@anugoon_leelaphattarakij This is an interesting point -- how do you think we can solve that?
Melissa Kwan
I look forward to a passwordless internet world. Not remembering my passwords (given the number of different requirements companies require) and not being able to figure out password managers is the reason why I haven't moved to a new computer for the past 2 years. Nothing more frustrating than being locked out of an account because you can't remember the answer to your own secret question from high school, then being on hold for an hour so customer service to reset it. It's also the reason why I hate switching to new phones. I would love to see facial recognition work with all logins, not just phone apps. Whatever you're doing, please hurry.
Taus Noor
@melissa_kwan I know, right? We actually enable passwordless re-authentication on new device as well. We're providing our service as an API for developers, however -- so not targeted to consumers directly yet. Do subscribe to our upcoming page if you're interested: https://gaze.ai/ph
Satyajit Manjaria
Hey, Yeah. I do think passwordless is going to be future. I myself have implemented in the SaaS product I am building. I believe it does add a layer of convenience and security for the end-user. For now, we have been using cotter.app is working very well for us. It provides magic links over mail, OTP via WhatsApp & SMS and biometric support. I hope this helps.
MO
@satyajit_manjaria Awesome! Could you share your Cotter implementation with us please? Excited to see it in action.
Asif Hassan
@satyajit_manjaria This is good insights, Satyajit! Sounds like you will prefer your machine knows your password 100% of the time!
Richard Blake
Is it possible to make all websites use Retina sensor?
Taus Noor
@livedrawhksgp Not sure about retina alone - but definitely possible to have all websites use some form of biometrics
Tedel
I will quite likely stick to using passwords for the rest of my life. I do not trust anything biometric for two reasons: It is something you cannot share in an emergency (e.g. Sister! Someone just stole my mobile! Please, log into my account and change the password!); and it is something that may be used as a motivation to keep you close. For example, if you are ever unlucky enough to be kidnapped, and all you passcodes are biometric, they will not release you until you have unlocked for them everything they want.
Arseniy
WEEEK for iOS
@simplytedel definitely agree with the first point, the second is more nuanced and there's a whole debate to be had about it
Taus Noor
@simplytedel Sharing in an emergency is a very interesting point. However, if you use biometric as your password -- stealing your phone should not give anyone access to anything really, right? Since they'd still you to actually log in or do anything?
Arseniy
WEEEK for iOS
Passwords are a good memory exercise. Biometrics can be uncomfortable, and ID photos you obviously only trust to very few institutions.
Peter Bartnik
The decentralized identity market has certainly been busy. Gartner's 2020 Market Guide to User Authentication provides a good overview of the passwordless market and the major players. For a detailed description of the challenges and one leading vendor's take, try this report from HYPR: https://www.hypr.com/wp-content/... The big challenge for new entrants is how to break down the walls of the enterprise solution providers access and authentication stacks and not be relegated to point solutions status.
Mads Schmidt Petersen
Cool. Password less, biometric less, lots of places to go. I'm working on a product in this space too. Good luck!
Taus Noor
@madsschmidtpetersen Oh wow would love to learn more. Would you be open to a call at some point?
--
Passwords will soon be a matter of history
Angga Murjana
Aku berdoa semoga proyek kamu berjalan lancar
Fahim Al Wasi
Ironic how the future of passwords might be "password-less".
Mushahid Shamim
What is the probability of false prediction if every internet user in the globe use GazePass? What is the accuracy of Liveness detection? If I manage my webcam to input the recorded video of someone's account I want to hack how your system would act? Can I use this service in online payment service! If it authenticate a wrong user by any mistake who will take the responsibility? These questions resides around my mind when back then I used to think of this kind of service in action. Also it seems a vertical problem, so why big tech giants are not incorporating it in their services?
Taus Noor
@mushahid2521 Great question. We actually won't let you log in to someone else's account from your device just using face recognition -- so even if you get a webcam recording, it won't help. Email OTP verification is needed alongside face recognition to access someone's gazepass account on a new/different device. As for the rest -- subscribe and stay tuned! https://gaze.ai/ph