A petition by a group of Silicon Valley startups to get digital service providers to move to “passwordless” authentication sends a dangerous message, according to Ontario’s privacy commissioner.
Ann Cavoukian, whose Privacy by Design model has been adopted by institutions worldwide, has no objection to new technologies to authenticate users on systems. But it’s not an either-or proposition.
“You’ve got to make this user-centric,” she said Tuesday, and most users are currently in a password-controlled regime. “You can’t just have a ban on passwords.”
News of the Petition Against Passwords, scheduled to go live Wednesday, July 24, was leaked to tech media last week. Three identity companies — NokNok Labs, Clef and LaunchKey — and consumer advocacy group TechFreedom created the petition.
The group argues that users choose passwords that are too weak so they can remember them, that password policies aren’t enforced and that security holes regularly expose stored user passwords.
Cavoukian wondered aloud if the petition is simply a media gimmick. “Why do they have a petition? Who are they petitioning?” she asked.
Cavoukian said she supports new authentication technologies, but that doesn’t mean throwing out passwords.
“I love innovation,” she said. “I hate zero-sum propositions … give me a multiplicity of options.”
Her biggest fear is that the message will erode security.
“The last thing I want is for people to think, ‘Oh, I don’t need a password anymore, I can just log on to the system,’” she said. “No. Absolutely not.”
She points out that more than half of smartphones, which are regularly lost or stolen, aren’t password protected. “We want to ramp up security, not ramp it down.”
Authentication must be multi-pronged, accessible and user-centric, Cavoukian said, and “that, in my view, is still passwords.”
She’s all for combining password authentication with other technologies, and said the nature and sensitivity of the application would help determine the authentication method.
A better approach than getting rid of passwords is to teach users how to create strong passwords that are easy to remember. The trick she uses: Pick a password that is the same word in two different languages — she uses English and Armenian — and put a number in between. That will thwart common dictionary attacks, but still be easy to remember.
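To make the dictionary-attack point concrete, here is an added example that models the word-digit-word scheme described above. It is not code from the article or from Cavoukian: the two wordlists are tiny, constructed stand-ins for real dictionaries (the Armenian entries are romanized so the script stays ASCII), and the 100,000-word sizes passed to keyspace_bits() are assumptions used only to illustrate the arithmetic. The script runs a plain single-language dictionary attack, which never finds a two-word password, and then a combinator attack, the attacker model that does know the pattern, whose cost is the product of the three list sizes.

```python
"""Model of the two-words-plus-digit password scheme under two attacker models.

Added example, not from the article. The wordlists below are tiny, constructed
stand-ins for real dictionaries; the larger sizes passed to keyspace_bits()
are assumptions used only to illustrate the arithmetic.
"""
import itertools
import math

# Constructed toy wordlists. The Armenian column is romanized so the example
# stays ASCII; any two distinct wordlists would behave the same way.
ENGLISH = ["water", "house", "bread", "light", "stone"]
ARMENIAN = ["jur", "tun", "hats", "luys", "kar"]
DIGITS = [str(d) for d in range(10)]


def build_password(first: str, digit: str, second: str) -> str:
    """Compose a password the way the article describes: word, digit, word."""
    return f"{first}{digit}{second}"


def single_dictionary_attack(target: str, wordlist: list[str]) -> tuple[bool, int]:
    """Plain dictionary attack: each word is tried as-is.

    Returns (found, guesses_made). A word-digit-word password is never a
    single dictionary entry, so this attack exhausts the list without a hit.
    """
    for guesses, word in enumerate(wordlist, start=1):
        if word == target:
            return True, guesses
    return False, len(wordlist)


def combinator_attack(target: str, list_a: list[str], seps: list[str],
                      list_b: list[str]) -> tuple[bool, int]:
    """Combinator attack: every word of A, joined by every separator, to every word of B.

    This is the attacker model that knows the scheme; its worst-case cost is
    len(list_a) * len(seps) * len(list_b). Returns (found, guesses_until_hit).
    """
    guesses = 0
    for a, sep, b in itertools.product(list_a, seps, list_b):
        guesses += 1
        if a + sep + b == target:
            return True, guesses
    return False, guesses


def keyspace_bits(size_a: int, n_seps: int, size_b: int) -> float:
    """Bits of search space for an A+sep+B password when the attacker knows the scheme."""
    return math.log2(size_a * n_seps * size_b)


if __name__ == "__main__":
    pw = build_password("house", "7", "luys")
    print(pw, single_dictionary_attack(pw, ENGLISH))
    print(pw, combinator_attack(pw, ENGLISH, DIGITS, ARMENIAN))
    # Assumed sizes: two 100,000-word dictionaries and ten separator digits.
    print(f"{keyspace_bits(100_000, 10, 100_000):.1f} bits")
```

The two attacks show what the second language and the middle digit buy: a single wordlist can never contain the composite string, so the plain attack fails as the article says, while an attacker who guesses the construction has to pay for the product of the list sizes rather than one list, which is the multiplier you would compare against the rate of whatever guessing attack you are worried about.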
A CSO Online reader dismissed the petition as a marketing ploy. “I’m starting a petition to reduce gravity. Think how much easier everything would be if gravity was around 60% of what it is now,” the reader commented. “The ‘end password’ petition is just as stupid. What exactly will replace it, and who exactly will pay for it? Go figure that the whole thing is being pushed by some two-factor solution vendor (big surprise, eh).”