The Problem With Passwords
Earlier this week, we had a random unseasonably warm day here in eastern Massachusetts. Having lived here as long as I have, I’m not surprised by weird weather fluctuations. After all, when I was in college it snowed one year on move-out day in the spring which happens two-thirds of the way through May. Still, I wanted to capitalize on the temporarily nice weather and so I decided to do two things that I can’t usually do in mid-February: take a walk around the neighborhood and use my smoker to make dinner for us.
My walk was an unabashed success after initially overestimating the temperature and circling back to pick up a light jacket. I even got to chat with my neighbor about the upcoming Super Bowl, which we both agreed is interesting only insofar as it’s the Super Bowl; neither of us had any interest in the outcome. We ended up chatting long enough that I realized I was running behind schedule to fire up the smoker and excused myself.
Now just to be clear, I do not possess one of those smokers that requires a steady hand and skill to operate. Mine is the kind of smoker one buys when you enjoy the flavor of campfire or wood-smoked cooking but have absolutely no culinary talent. It’s a wood-pellet convection smoker with digital temperature control and (perhaps most embarrassingly) built-in WiFi. Accordingly, I can just stick a temperature probe in whatever I’m cooking and watch it come up to temperature on my phone. If I’m not paying close enough attention, it will send an alert to my watch that the food is done. It removes pretty much all the guesswork (and skill) from the cooking process, which is perfect for someone like me.
While I love the app feature, for some reason it requires you to log in to the app in order to monitor your grill. Last year this wasn’t a problem, as once I initially set it up, I stayed logged in. However, this year it had somehow logged me out and required me to enter my username and password to get back into the app. Cue the record scratch noise. I don’t remember either of those things, and it wasn’t stored in my password manager app. Suddenly, my dinner plans rested on my ability to remember a password that had little business existing.
Like you, I have dozens (possibly well over 200) of different services that require me to log in to them. From high-value systems like my financial and investing institutions to things as inconsequential as the grill monitoring app, there’s very little I can accomplish without logging in. Of course, I adhere ardently to not using the same password for multiple sites, so remembering everything is impossible. I have mitigated this with a password manager, but in many ways that’s just mitigating a larger problem: that passwords themselves may have outlived their usefulness.
The question begs to be asked: in 2022, why are we still using passwords as our primary means of authentication? How is it possible that something that was popularized around the middle of the last century is still the dominant means that we can identify that we are who we say we are? Can we really not do better than this?
Passwords are not convenient. As I mentioned above, needing to remember, rotate, and repeatedly type passwords correctly is anything but a good user experience. I need no less than 8 passwords to balance my checkbook, which is something that I do every week. Let’s do a quick survey. How many times have you typed your password wrong enough times to get locked out, or have a website force you into the hell that is Captcha to slow you down and make sure you aren’t a bot attempting to do a brute-force attack?
Did you ever consider that the controls we have around preventing brute-force attacks exist because those attacks have a strong likelihood of succeeding? Isn’t the very existence of things like Captcha a stunning condemnation of passwords? If you have to rely on stopping a robot from guessing every possible combination of eight characters to keep your data safe by using a function like Captcha that relies on you finding minuscule items in a poorly pixelated picture, you’re probably not doing it right.
Passwords are not secure. I shouldn’t have to write this, but the data we have is very clear that most people are using passwords that are easily guessable, and even more are using passwords that aren’t strong enough and so they can be cracked almost immediately via a dictionary attack. Even if someone picks a strong password, overwhelmingly they reuse them for multiple sites and applications. As cyber-attacks continue to escalate around the world, we need to make sure that we’re making things as hard as possible for bad actors, and relying on “Kitties87!” isn’t going to cut it anymore.
Look, I will grant that passwords are easy to implement. Getting your application to accept, store, and use a password for authentication requires minimal creativity. The problem as I see it is that as we sit here in the second decade of the 21st century, the excuse that passwords are easy is hard to swallow when we have applications that do things like present a realistic virtual reality environment that allows me to have a real-time meeting with people from all around the world. I have a pretty good feeling that a development team that can pull off that application can come up with something better than storing a password in a text table.
Even MFA - which I am an unabashed proponent of - is simply trying to make up for the shortcomings of passwords. Think about it: if we really trusted a password, why would we need to have a separate mechanism to ensure that the entity in question is the individual authorized to use that password? So while I love MFA, I think it’s merely a stopgap measure until we move wholesale to something else, perhaps something smarter.
With the advent of consumable AI, we are at a point where the systems we are logging into should be able to make some judgement calls about the risk of our logins. I mentioned above that I reconcile my checkbook and accounts every week. I almost always do this on Friday evenings, and I do it from a table in my living room. I should be able to do that with some lightweight authentication, because it matches a very clearly defined pattern. However, if I (or someone else) attempts to access these same accounts from Russia, that same website or application should dial up the need for authentication considerably.
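The pattern-matching login described above, as an added illustration that is not code from the original post: a small risk engine compares a login attempt against the user's baseline of prior successful logins (constructed sample data) and decides how much authentication to demand. The feature weights, the 4-hour time buckets, and the three assurance levels are hypothetical choices for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LoginAttempt:
    user: str
    country: str     # country code derived from the client IP
    device_id: str   # stable identifier for the browser or app install
    weekday: int     # 0 = Monday .. 6 = Sunday, in the user's local time
    hour: int        # 0..23, in the user's local time

# Constructed sample baseline: prior successful logins for one user (not real data).
# "alice" always reconciles her accounts on Friday evenings from home.
HISTORY = [
    LoginAttempt("alice", "US", "laptop-1", 4, 19),
    LoginAttempt("alice", "US", "laptop-1", 4, 20),
    LoginAttempt("alice", "US", "phone-1", 4, 19),
    LoginAttempt("alice", "US", "laptop-1", 4, 18),
]

# Hypothetical weights: geography is the strongest signal, device and time weaker.
WEIGHT_NEW_COUNTRY = 2
WEIGHT_NEW_DEVICE = 1
WEIGHT_UNUSUAL_TIME = 1

def risk_score(attempt, history):
    """Sum the weights of every context feature absent from the user's baseline.

    Returns None when the user has no baseline at all, so the caller can treat a
    first-ever login differently from an anomalous one.
    """
    prior = [h for h in history if h.user == attempt.user]
    if not prior:
        return None
    seen_countries = {h.country for h in prior}
    seen_devices = {h.device_id for h in prior}
    # Bucket time into (weekday, 4-hour slot) so 18:00 and 20:00 count as the same habit.
    seen_slots = {(h.weekday, h.hour // 4) for h in prior}
    score = 0
    if attempt.country not in seen_countries:
        score += WEIGHT_NEW_COUNTRY
    if attempt.device_id not in seen_devices:
        score += WEIGHT_NEW_DEVICE
    if (attempt.weekday, attempt.hour // 4) not in seen_slots:
        score += WEIGHT_UNUSUAL_TIME
    return score

def required_assurance(attempt, history):
    """Map the risk score to the authentication the login must complete."""
    score = risk_score(attempt, history)
    if score is None:
        return "step_up_mfa"                   # first login: establish a baseline under MFA
    if score >= 3:
        return "deny_and_verify_out_of_band"   # too many anomalies at once: do not rely on the password
    if score > 0:
        return "step_up_mfa"                   # something changed: require a second factor
    return "lightweight"                       # matches the known pattern
```

Each anomaly also makes a good detection signal: a "deny_and_verify_out_of_band" decision is worth alerting on even when the password presented was correct.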
Third-party authentication with social applications like Google, LinkedIn, or Facebook can solve some of these issues. In some cases, they do support a more modern authentication experience, but almost inevitably they require you to divulge a ton of information about yourself to the application in question. As much as I like my little smoker, I have no interest in sharing a bunch of my personal information with its manufacturer, so there is still a need for an independent authentication mechanism between two parties without an intermediary or broker.
The encouraging thing is that there has been some recent progress on popularizing passwordless authentication options. I’m a big believer in this. Microsoft does a great job in most applications when you use a Microsoft account. Once you’re authenticated on a device, and if nothing seems to be weird or amiss, they simply provide you a number that you enter into your phone and you’re in. It’s almost frictionless and isn’t prone to errors. Using your phone is something I really believe in as a means of authentication. When almost everyone is walking around with a smartphone with biometrics and is a heck of a lot less likely to lose it than to forget a password – or have it compromised - we need to be rethinking how we ensure that someone is who they say they are.
Hardware tokens are certainly one way to do this, and as I mentioned, people know almost immediately if they misplace their phone, lessening the likelihood that one can be stolen and used without the owner noticing. Of course, the gap here is if people do not have a phone capable of holding a certificate or other mechanism of authentication. A universal digital key (like a USB fob) is feasible, and can be done relatively inexpensively on a small scale, but rolling that kind of technology out to everyone is unlikely to be widely successful.
I have had conversations with several people who think that government has a role to play in this. After all, if smart IDs were universally distributed the government could act as that identity broker much like they do in the physical world with passports. Of course, I may not want the government to know which smoker I happened to buy – especially if I bought it over the state line where I didn’t pay sales tax on it. (If you happen to be visiting from the Massachusetts Department of Revenue: Welcome to the blog, and don’t worry – I claim the Safe Harbor use tax amount every year on my Form 1.) In general, I’m pessimistic that a universal government authentication scheme is feasible, especially given many people’s general distrust of the government.
Still, I think we have an opportunity in the next few years to push options that get us away from using passwords. While I’ve not generally been impressed with society’s ability to shed legacy processes or thinking, I’m hopeful that with the onslaught of cyber risk as well as people’s dependence on so many different ecommerce vendors and applications, there will be real pressure to make the simple act of logging in properly less onerous and yet still secure.
Chances are, if you’re reading this blog you are one of the people who can make this happen. My advice to you is to start thinking about how you’d introduce and socialize this concept in your companies and get your business leaders thinking about the benefits for both internal and customer-accessible systems. After all, it seems to me that making login to your digital properties easier would be a competitive advantage. If you are a bank and you can guarantee me that my money is more secure and make it impossible for me to forget my credentials, I’m probably a happier customer. I think that’s what passwordless authentication can do for us: make users and customers happier while protecting us from much of the intrusion risk we’re all so worried about.
And don’t worry - I was able to reset my password and got my smoker fired up in plenty of time to get the salmon, chicken, and beef in there for dinner, so not only was it a success - we also have plenty of protein for the rest of the week. Of course I have no idea what I reset it to, so next time I get logged out I guess I’m back where I started. Unless the folks at Pit Boss think the same way I do and give me a better option.
Questions for reflection:
How many passwords do you have to get through a normal month? Do you remember them all?
Have you ever forgotten a password and had to give up ever getting into that account again? How did that make you feel as a customer?
If you could use your phone as your “key” to get into applications, would you? Why or why not?