Friday, April 01, 2011

The end of passwords

After more than 9 years of research on passwords, there is no doubt anymore: we should get rid of them. No, not by implementing any so-called alternatives such as biometrics or 2-factor token authentication. Be smart, use a blank password on your account. It's much easier, we can downsize customer support by at least 50%, it's completely free and every CFO will be ecstatic. Who would ever think that you would be so stupid as to not use any passwords at all? Based on this, I will discontinue my research into passwords, as it is neither fun, interesting nor useful anymore.

Oh. And happy April Fools' Day everyone, have a fantastic weekend, and I'll probably see many of you at #passwords11. :-)


  1. It's not really beneficial to think of "2-factor token authentication" as an alternative to "a password".
    It's important to think in terms of authenticators. A password is one type of authenticator, nothing more, nothing less.
    The usual "2-factor token authentication" often consists of a PIN/password (factor 1: something you know) and a token code (generated by factor 2: something you have).

  2. I have yet to see a RL environment where 2-factor authentication uses something better than a static 4-digit PIN code as one of the authenticators used.

    Adding a second authenticator to the chain shouldn't automatically allow for the weakening of the first authenticator, as we're seeing everywhere. With the recent rumors surrounding RSA as well, that very first authenticator suddenly became important again.

    But of course, you are correct, and I'll stand corrected. :-)
