Tired of Remembering All Those Passwords? Help May Be in Sight
Tired of Remembering All Those Passwords? Help May Be in Sight
Passkeys enable us to live with far fewer, BU cryptography expert says
Passwords have protected—and perplexed—people since they were invented during the Kennedy administration for a multiuser computer at MIT. The leader of that long-ago project more recently called passwords “kind of a nightmare.”
It doesn’t take a PhD in computer science to know why. Hackers can heist passwords, compromising your accounts, or in some cases, those of millions of people. We’re told to create many different passwords to limit that threat, but remembering them all is daunting. That’s why the world’s most common password (easy to remember—and to hack) is “123456.”
A story recently published in Vox asserts that “a world without passwords is in sight” thanks to passkeys: encrypted codes, stored on a device or password manager, that allow a user to log into websites and apps by using their fingerprint, a PIN, or facial recognition. They are impervious, passkey developers say, to phishers and cannot be stolen.
The list of major websites that support passkeys ranges from Amazon to Best Buy to Google to Walmart, though many keep a password as a backup if users lose track of their passkey.
BU Today asked Mayank Varia, an associate professor in BU’s Faculty of Computing & Data Sciences, whether passwords are bound for the way of the brontosaurus. “Security, just like life, is all about trade-offs,” he says. “The question is, what is the convenience-versus-security trade-off? And there’s a whole spectrum of options there, and I think [a passkey] is a reasonable choice within those options.”
Varia researches cryptography and serves on the United Nations Privacy-Preserving Techniques Task Team, which promotes laws and policies regarding cryptography and protected data analysis.
This interview has been edited for brevity and clarity.
Q&A
With Mayank Varia
BU Today: Do you think passwords will become obsolete in our lifetime?
Varia: I suppose it’s possible, but I’ll note the goal of passkeys, like the goal of many innovations [for] authenticating yourself: they don’t necessarily get rid of passwords. They try to lower the number of passwords that you have to remember, because humans have limited capacity to remember strange, alphanumeric strings.
For example, common instantiation of passkeys is on your phone. That phone might still itself have a password to log into it. That’s one password, as opposed to 250 different websites that you visit [requiring] a different password. So I wouldn’t call it eliminating passwords, but concentrating more on the things that you use most frequently.
A lot of websites are thinking through the many ways to allow you access. Many, especially shopping websites, will offer a choice: you can either type in your username and password, or they’ll send a link to your email account, and if you click on this link, it’ll auto-log you in. Either you have to remember the website to [their] company, or you have to remember your password to your own email account.
BU Today: Do you expect passkeys to become the dominant alternative?
Varia: It’s hard to project. But they do seem to be a particularly convenient approach, and they have a lot of backers, like a [tech] industry coalition group, the FIDO [Fast IDentity Online] Alliance. Maybe [they’re on the way to] becoming a widespread thing that’s used in addition to [passwords].
[Some people] have been using password managers: you install a piece of software on your computer and then you have to remember one strong password, the one to log in to the password manager. Then, it will generate strong passwords for you and auto-populate them, perhaps, into the websites you visit.
BU Today: Apparently that’s not convenient enough, since we’re having this conversation about passkeys.
Varia: That’s right. It’s a well-designed solution, but it introduces friction—you have to install this stuff. And an almost universal truth in computer security is, any friction takes your adoption rate from 80, 90 percent to 5, 10 percent.
BU Today: Are there any downsides to passkeys?
Varia: The main downsides are twofold, and they’re both pretty minor. I might have some reason that I temporarily give you access to my phone. Maybe people give access to other members of their family. Now they can log in to websites as you, which was not a part of sharing your phone that you were thinking about.
The second issue is, a world where there are no passwords can potentially increase the risk of being compelled to do things against your will. One thing—and this is a niche concern, but it’s one that I’ve written about—is questions involving law enforcement and whether they can compel you to put your thumb on the phone and unlock it for them. In many jurisdictions, the answer is yes. Things that are in your mind are typically the things we assign the highest protections. If someone [asks], Did you commit the crime, you can’t be compelled to [answer]. Putting your thumb on a device has a much lower barrier legally. Theoretically, if you have a passkey, it’s easier for law enforcement to get at your information.
In Massachusetts, our Supreme Judicial Court has ruled that the police can even compel you to type in the password to devices. But that’s not true nationwide, and nationwide, it’s a giant question mark still to be determined.
Comments & Discussion
Boston University moderates comments to facilitate an informed, substantive, civil conversation. Abusive, profane, self-promotional, misleading, incoherent or off-topic comments will be rejected. Moderators are staffed during regular business hours (EST) and can only accept comments written in English. Statistics or facts must include a citation or a link to the citation.