The Future of Authentication: Usability
The first week of class this semester I was eating lunch with some friends. One of them asked me what classes I would take this semester. At the mention of “Usable Privacy and Security,” he further questioned what that entailed. The first example I could think of came from our first reading, which resonated with me: passwords as they exist in their current form are not intuitive. Skeptical, he wanted to know what the future of authentication would be. I emphasized biometric, 2-factor, and location-based methods as just some of the potential means to make the conventional password obsolete. Still not buying it, he brought up various scenarios such as a 2-factor device (USB key, phone, etc.) being stolen, with a password still providing yet another layer of protection.
Even the most optimistic must admit that we may not be ready to drop passwords just yet. However, all of the technology I mentioned above, as well as others, does exist in some form. The problem is that, as they stand right now, these methods are not the most intuitive. Security then becomes a hassle for the user, and the technologies miss out on greater adoption. Certainly things have improved over the years since their inception, but I will highlight such frustrations with the use of 2-factor push notifications.
In such a system, when one wants to log in to a given computer, they must first pull out their phone, unlock it, view the notification, and hit accept. It may seem as if I dramatize the burden of this process, but hear me out. It is a frustrating interruption for the user with other resultant problems as well. Your phone is dead? Tough luck. Better start charging. New phone? Better remember where you saved those backup keys (if you did). In a rush because your time ticket slot just opened and you forgot to check “Remember Device for 7 Days” last time you signed in? That class you wanted is full now. I’m not bitter…
After class today, I spoke with a fellow student who stated that Duo, a popular 2FA app, now sends these notifications directly to his Apple Watch when he attempts to sign in. He can accept the request from his watch and doesn’t need to bother completing the standard process. This certainly does not solve all of the above problems, but it does save the user from having to walk across the room if their phone isn’t immediately beside them. I believe this much faster process will greatly increase adoption of such technologies, along with further advancements.
I imagine a further extension of this feature could be for the watch to automatically accept such requests when it recognizes the user via heart rate and other metrics. Thus, the entire 2FA process would only add a minor delay to the login process. I believe such a system would rapidly increase the adoption of such methods of security.
Thus, the time has come for the HCI-minded to take the reins. I do look forward to the day passwords are no longer used in the same sense they are today. Inelegant, vulnerable, and user-unfriendly, they are a means to an end for the present time. But it is clear to me that this will not be the sole job of security experts to handle: unusable systems may have brilliant cores, but they will still be forgotten.