Beyond Passwords
Badri Sunderarajan

To me the problem is that even with short-duration single-use passwords, they are still either static or generated using some mechanism that could be replicated. This means that the creation of the password is effectively out of the user’s control once it has been generated — no matter how long it is valid for.

What’s needed is a dynamic password that is single-use but generated out of something the user is or knows, preferably a combination — and cannot be second-guessed by hacking a program, database or algorithm.

As an example, your mood affects biometric data like the tone & pitch of your voice, even the tone of your skin — so if the unique biometric features of these types of measurements were combined with one or more pieces of knowledge that only the user knew (or could imagine) a highly personalised signature (password) could be created with enough embedded markers to authenticate the person. Each element would have to be within a predefined range so that all the elements combined to create a valid password.

It would be like walking up to the sentry at the city gates, saying the password of the day, showing your face for him to recognise, and telling him the same joke you told him last Friday. A combination of three pieces of information that nobody else could use. Because you got all three right, he lets you in, but if you get one or more wrong he doesn’t let you in.