The password to my Twitter account, which has been mine since 2007 and through which I have published more than 51,000 tweets, is “christophermims.” Knowing that won’t help you hack it, however. In fact, I’m publishing my password to make a point: The password is finally dying, if we want it to.
Before I outline why I’m so confident about the irrelevance of the password that I’m willing to give mine away, let’s talk about what is already succeeding it, at least on a trial basis, on Google’s corporate campus: device-based authentication.
Google is working on an as-yet unnamed protocol that allows you to connect to your online accounts on any device by authenticating yourself with your smartphone. This could be a code sent to you, or even a “smart ring.” In June, Google showed off one version of this scheme, in which a user’s laptop can be unlocked by the mere presence of his or her smartphone. It might seem foolish to replace an authentication token that you keep in your head (a password) with one you keep in your pocket (like a phone), but consider: The former can be obtained by hackers, and the latter you can shut down the moment it goes missing.
If you have either an iPhone or a newer Samsung phone running Android, it’s simple to lock your phone remotely, even wipe it. So even if a thief gets his hands on the skeleton key to your accounts, you can disable it easily. Plus, your phone is itself locked (or should be) with a PIN code or even a fingerprint sensor.
If you want to sample the early version of a post-password future, all you have to do is switch on a common security feature of every major Web service. It’s available across all the Web giants, including every account offered by Google, Yahoo, Microsoft, Facebook, Twitter and dozens of others, and yet surveys suggest more than half the public hasn’t heard of it. It’s called two-factor authentication. And if you have ever taken money out of your bank account at an ATM, you’ve already experienced it.
Passwords are a uniquely terrible kind of single-factor authentication, in which the one factor identifying you as you is the password itself. If you’ve heard that longer, more complicated passwords are better than short ones, that’s only a little bit true…