In this day and age, it's extremely irritating to me that so much of what we do online is tied to passwords. Not only are they an extremely bad form of authentication (short strings of text, even if encrypted, are pretty easy to break), but the websites that require them force you to add numbers, symbols and bizarre capitalization – making them all the harder to memorize (see XKCD comic below) – and often force you to change them on a regular basis. Then, to recover the password when you inevitably forget it, websites impose extremely poorly thought-out questions like “what is your mother’s middle name” or “where did you grow up” to prove that you are who you say you are – when a quick search online is likely to dig up that sort of information.
The ideal solution would be something that doesn’t send passwords over the wire (it can still use passwords to authenticate, but at the bare minimum you shouldn’t be sending short encrypted strings), can use multiple factors (generally, it's MUCH harder to crack two or more forms of authentication simultaneously than just one), supports easier and more painless means of authentication (like biometrics or entering a numeric PIN on your specific smartphone), and can support and trigger multiple tiers of authentication (i.e., if you’re wiring $10 versus wiring $10,000, you should be forced to authenticate at different levels for those two transactions).
Luckily, a company called Nok Nok Labs (of which the firm I work for is a proud investor) is working with an industry consortium of some of the biggest names online (including Google and PayPal) and in hardware (including Lenovo and Infineon), called the FIDO Alliance, to build just such a system and get it supported by as many websites and devices as possible.
However, the nirvana of the password-less internet that Nok Nok is trying to build will take time to realize – so in the meantime, what I’ll settle for is asking websites to allow users to specify their own challenge-response questions. That way the user can specify a question whose answer is trivially simple for them to remember (e.g. an inside joke, a childhood secret, etc.) but extremely difficult for someone else to uncover. A few websites do manage to do this – and to each of you, I thank you – but the simple truth is many don’t, and that leaves me both insecure and annoyed.