Please let’s finally kill logins and passwords

How would you feel if you had been told in the early days of the Web that in the year 2018 you would still need logins and passwords for damned near everything.

Your faith in the tech world would be deeply shaken, no?

And what if you had been told that in 2018 logins and passwords would now be required for all kinds of other shit, from applications on mobile devices to subscription services on TV?

Or worse, that in 2018 you would be rob-logged-out of sites and services frequently, whether you were just there or not, for security purposes — and that logging back in would often require “two factor” authentication, meaning you have to do even more work to log in to something, and that (also for security purposes) every password you use would not only have be different, but impossible for any human to remember, especially when average connected human now has hundreds of login/password combinations, many of which change constantly?

Would you not imagine this to be a dystopian hell?

Welcome to now, folks. Our frog is so fully boiled that it looks like Brunswick stew.

Can we please fix this?

Please, please, please, tech world: move getting rid of logins and passwords to the top of your punch list, ahead of AI, ML, IoT, 5G, smart dust, driverless cars and going to Mars.

Your home planet thanks you.

[Addendum…] Early responses to this post suggest that I’m talking about fixing the problem at the superficial level of effects. So, to clarify, logins and passwords are an effect, and not a cause of anything other than inconvenience and annoyance. The causes are design and tech choices made long ago—choices that can be changed.

Not only that, but many people have been working on solving the identity side of this thing for many years. In fact we’re about to have our 27th Internet Identity Workshop in October at the Computer History Museum. If you want to work on this with other people who are doing the same, register here.


8 responses to “Please let’s finally kill logins and passwords”

  1. Please tell us how. Designing a replacement for username/passwords isn’t as easy as it seems. People understand shared secrets (vs less understood asymmetric encryption), and they’re easily transportable between machines so you have at least some hope if you lose your laptop.

    One helpful mitigation would be to generally get more comfortable with delegating authentication. Right now it’s to a small set of silos, but maybe Indieauth will help with that. It’s at least platform-neutral.

    I’d love to see an http-auth method based on asymmetric encryption (like ssh keys), but it would take a bunch of standards work and browser extensions to make a reality. And it still wouldn’t solve the ease-of-transportability problem.

  2. Stephanie Schweighofer-Jones Avatar
    Stephanie Schweighofer-Jones

    AMEN to everything you wrote…….

    One Example of the problem (not that any of us need one really):

    I am grateful for fingerprint recognition as it does simplify a little BUT it doesn’t carry over from one device to another with any consistency, and because it’s maybe primarily used for one of my devices, when using a different device I forget the password (or even where I’ve “hidden” it) so have to change it AGAIN everywhere….

    I could bitch all day long about this stuff…. and examples abound…. ugh

  3. Until this gets fixed, my life is so much easier with a password manager. It creates a unique & long password for each site/service I use. I only have to remember the master password. A password manager is a good interim way to deal with this problem.

  4. Thanks, Harold. Which password manager do you use? Also, does it work on all your devices, browsers and apps?

    I use one that drives me crazy, but I don’t want to crap on them here. I’ll own being part of the problem too. Still some of these are bound to be better than others.

  5. Thanks for writing this. And a followup concern, the anti-pattern of initially hiding the password field that so many sites do now. So the workflow is now:

    1. Type username
    2. Hit submit (didn’t need to before)
    3. Type password into new field that appeared
    4. Hit submit, again.

    Google, Atlassian, Microsoft, even Tumblr are doing this now. In 2018, they managed to add an entirely extra step to the login process.

  6. The report additionally highlighted that:

    1. Passwords are no longer sufficient alone to protect accounts
    2. Fraud is pervasive and the impacts are high
    3. Multi-layer authentication is standard practice for augmenting password security
    4. Use of behavioural biometrics is poised to grow dramatically
    5. Majority of companies will be using two-factor authentication within the next 12 months
    In order to counteract fraud and address the problem of account vulnerability, companies are using multiple layers of authentication. “After username and password protection, the most common technologies implemented are knowledge-based authentication, CAPTCHA and two-factor authentication,” the report said.

  7. My first experience with the Internet was at a University Library, where I downloaded Slackware Linux for the first time via Anonymous FTP. The Internet has become something altogether of a different order now, some 25 years later, as multitudes of entitites have been scrambling to monetize every aspect possible.

    After installing GNU/Linux I could not have been happier about it: no more faux multitasking: even on my primitive laptop I could run five or six different processes, and print while writing a letter and compiling some application on other virtual terminals. Night and Day. I continued to maintain GNU/Linux for years by Anonymous FTP. I was just a researcher who could not afford to purchase a text editor’s full version, to edit a free form lexical data base in a language with diacritical characters, and I learned that I could do so on GNU/Emacs.

    All this aside, Anonymous FTP was the ticket. The thing about Anonymous FTP is the request to log in using your email address as a password. I don’t know about you, but I thought that was fine. Transparency was not a problem. IN FACT, this was one of the reasons I was so taken by the Internet: here was a community of users, developers, programmers, and researchers who respected one another. Participation seemed to me, in my naievity, to be a bond, an agreement to play by an implied set of standards.

    I don’t know when I first encountered passwords outside the Anonymous FTP realm. It wasn’t so hard, but often seemed unnecessary. Until everyone jumped on the bandwagon of commoditization. We are far down that slippery slope by now. Who’d have predicted the levels to which commercially-minded have stooped. It seemed to start with the industrial sabotage that was described by Richard Stallman, when those who shared were now bent toward the beck and call of money, to sign non-disclosure agreements. My friends are wont to turn away when I mention my disdain for micro$soft, apple, and the other now hugely successful programs to monetize the personal computer, buying and dominating the world at large with unnecessary dependence through DRM.

    I don’t understand how it will be possible, but I am highly encouraged by the call of this post to break the reliance on passwords for every little transaction in the Internet (dread…) Economy. Allow me to attach the following, an email from an old friend a couple of years ago:

    “I get periodic notices from Google + about something you have posted.
    Is this for real? At work I stay logged on to two different networks
    for which the entry permission expires every twenty minutes or so, and
    for each one, each time this lapses, I have to put in my username and
    password twice (not counting errors). As a result I spend many of my
    conscious moments every day entering and reentering user names and
    passwords. This has become one of my principal occupations. I am not
    exaggerating. An insect could do about 20% of what I do each day–I
    mean that a well trained insect should be able to type out usernames and
    passwords. So I see something like Google + and all I think is, Oh god,
    another user name and password. And for what? Are you really an
    enthusiastic user, or did you just get sucked in to joining up and now
    some marketing algorithm is sending me little enticements to check up on
    some shards of your past posts? Anyway, if you are really on Google +
    and like that as a way of communicating, I’ll sign in. Just checking.”

    1. Thanks, Alan. Your report calls to mind the old Joni Mitchell line (from “Big Yellow Taxi”)” “The paved paradise and put up a parking lot.” The corollary here might be, “They paved paradise and put up a … what the hell is that? And why do you need logins and passwords for every damn thing?”

      It’s gonna take work to fix it, but I’m sure we can, because we can fix everything that’s broken, eventually.

Leave a Reply

Your email address will not be published. Required fields are marked *