Like you, I want freedom, I want control of my life… and I like passwords.
They give me the freedom to use what only I know, independent of what I am or what I have. I can change my password often, and to the extent that no one can guess what I use as my password, I have a familiar sense of security.
Also like you, I hate passwords, the way we must use them these days.
I dislike having to remember many long and complex passwords. I also dislike the fact that the password I use is transferred to the server, and that attackers can potentially find it and take over my account. I am uncomfortable with the possibility that people might see when I type the password, or that I might type a password into a website which turns out to be an attacker’s look-alike site. I also don’t like that attackers can use brute force attacks to break my password.
I dislike the fact that the password must be long. Granted, a 6- or even 8-digit password is OK for me to remember, but any more than that is annoying. I can probably memorize one or two passwords, but entering a long password is a hassle; especially when I’m not using a keyboard I’m used to.
You might have guessed where I am going with this. I think a password — what you know — is a very good factor to use for authentication, but only if the system is designed in a way that I, the user, don’t have to put in personal effort to compensate for a flawed IT system design.
The good news is that the IT industry has somewhat solved this problem. The new hot authentication factor is a personal identification number (PIN), and IT thinkers have made it clear that a PIN is not a password.
Maybe it’s good to distinguish them clearly with names like that, even if in most aspects related to user experience a PIN is like a password: something you know and type in.
If you search the web for “how is a PIN different from a password?”, you will find statements like this one:
“Like a password, a Personal Information Number (PIN) allows you to prove that you’re you, so that no one else can access your data. The obvious difference is that a PIN is limited to numerical digits (0-9), while a password can contain numerical digits, upper- and lowercase letters, and punctuation” — Posted by Citrusbits on June 15, 2016.
Just a few years later, this view of PINs in the IT world is obsolete. The statement below, from Microsoft, is more accurate today:
“One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they’d have to steal your physical device too!”
The passwordless authentication movement has given us the following approach to PIN use as an authentication factor.
- The “physical device” — the authentication device — limits how often the PIN can be entered. Even though the PIN is only 6 or 8 digits long, a prospective attacker gets, say, 3 to 5 tries, after which the device refuses any further attempts.
- The authentication device performs the actual authentication with the various remote servers. Modern solutions use asymmetric key cryptography, so the device holds a different key for each server, and even with a single server it never sends the same data twice. Asymmetric key cryptography makes the authentication over the network highly secure, while the user only needs to remember one PIN.
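The two bullet points above describe a mechanism rather than a product, so here is an added example (not code from the post or from any real authenticator) that models both sides of it: a device that checks the PIN locally, locks after a fixed number of wrong entries, and keeps one Ed25519 key pair per relying party; and a server that stores only public keys and issues a fresh random challenge for every login. The names (`Authenticator`, `RelyingParty`, the PIN `482913`, the site IDs) are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Authenticator models the "physical device": the PIN check, the retry
// counter and one private key per relying party all live here. Only public
// keys and signatures ever leave it; the PIN never does.
type Authenticator struct {
	salt        []byte
	pinHash     []byte
	maxAttempts int
	attempts    int
	locked      bool
	unlocked    bool                          // true between a correct PIN entry and Lock()
	keys        map[string]ed25519.PrivateKey // relying party ID -> private key
}

var (
	ErrLocked      = errors.New("device locked: too many wrong PIN attempts")
	ErrWrongPIN    = errors.New("wrong PIN")
	ErrNotUnlocked = errors.New("enter the PIN first")
)

// hashPIN stores a salted hash instead of the PIN itself (assumption for the
// example; real devices typically use a secure element for this).
func hashPIN(salt []byte, pin string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(pin))
	return h.Sum(nil)
}

func NewAuthenticator(pin string, maxAttempts int) (*Authenticator, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return &Authenticator{salt: salt, pinHash: hashPIN(salt, pin),
		maxAttempts: maxAttempts, keys: map[string]ed25519.PrivateKey{}}, nil
}

// Unlock enforces the retry limit: after maxAttempts wrong entries the
// device refuses every further attempt, including the correct PIN.
func (a *Authenticator) Unlock(pin string) error {
	if a.locked {
		return ErrLocked
	}
	if subtle.ConstantTimeCompare(hashPIN(a.salt, pin), a.pinHash) != 1 {
		a.attempts++
		if a.attempts >= a.maxAttempts {
			a.locked = true
			return ErrLocked
		}
		return ErrWrongPIN
	}
	a.attempts = 0
	a.unlocked = true
	return nil
}

// Lock ends the session; the PIN must be entered again before signing.
func (a *Authenticator) Lock() { a.unlocked = false }

// Register creates a fresh key pair for one relying party and hands back
// only the public half, so each site sees a different key.
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	if !a.unlocked {
		return nil, ErrNotUnlocked
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return pub, nil
}

// Sign answers a server's challenge with the key registered for that server.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	if !a.unlocked {
		return nil, ErrNotUnlocked
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no key registered for %q", rpID)
	}
	return ed25519.Sign(priv, challenge), nil
}

// RelyingParty is the server side: it stores public keys only and issues a
// fresh random challenge per login, so no two logins carry the same data.
type RelyingParty struct {
	ID   string
	keys map[string]ed25519.PublicKey // user ID -> enrolled public key
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, keys: map[string]ed25519.PublicKey{}}
}

func (rp *RelyingParty) Enroll(userID string, pub ed25519.PublicKey) { rp.keys[userID] = pub }

func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

func (rp *RelyingParty) Verify(userID string, challenge, sig []byte) bool {
	pub, ok := rp.keys[userID]
	return ok && ed25519.Verify(pub, challenge, sig)
}

func main() {
	dev, _ := NewAuthenticator("482913", 3) // constructed sample PIN
	bank := NewRelyingParty("bank.example")
	_ = dev.Unlock("482913")
	pub, _ := dev.Register(bank.ID)
	bank.Enroll("alice", pub)
	c, _ := bank.NewChallenge()
	sig, _ := dev.Sign(bank.ID, c)
	fmt.Println("login accepted:", bank.Verify("alice", c, sig))
}
```

Two things the code makes visible that the prose only states: a signature made for one site does not verify at another, because the other site holds a different public key; and a captured signature cannot be replayed, because the next login uses a new challenge. Stealing the PIN alone gives an attacker nothing to sign with.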
Things get even better. Because the server or website never needs to know (and must never learn) your PIN, the PIN is not exposed to the network at all. This is a layer above normal security: a compromised PIN does you no harm unless the device is compromised as well. You should still change your PIN periodically, or whenever you suspect it has been exposed.
Another note: I also don’t appreciate the uncertainty that comes with simple biometrics, for instance swiping one’s fingers a few times while the device still complains it can’t read them. Just entering a 6-digit PIN is more acceptable from my point of view.
My point is, even when working with what we call passwordless authentication, I like using a password — or should I say a PIN. It’s what you know, and it is a valuable factor which can make it much harder for attackers to attack you.
I like using a PIN, as long as it is at most 8 characters, easy to enter (no special characters; they make typing a PIN on a phone’s limited keyboard difficult), and I only have to remember one PIN. I promise to change it now and then, and never to write it down on a sticky note.