There has been a lot of talk recently about getting rid of passwords as a means of user identification. I can certainly understand why this opinion exists, especially with the ever-increasing number of data breaches reported each year. It’s true that we users make all kinds of mistakes when choosing, protecting and employing passwords. We choose easy-to-guess passwords, we use the same passwords for business access and for our personal accounts, we write our passwords down and store them in accessible places, we reveal our passwords during phishing attacks, we reuse our old passwords as often as we can, and we exploit every weakness configured into the system password policy. Even users who are very careful with their passwords have lapses sometimes. These weaknesses are not going to change; humans will continue to mess up, and all the training in the world will not solve the problem. Yet, knowing this, organizations and systems still rely on passwords as the primary factor for system access.
The real problem lies in identity management itself. There are four good factors (in my opinion) that can be used to identify individuals: something you know, something you have, something you are and somewhere you are. When you ask a user to identify themselves with a password and then to recognize a picture or answer a question they chose earlier, that is not multi-factor authentication. That is just two instances of the same factor (something you know) used to identify the user, and whatever captures the first, such as a phishing page, captures the second just as easily. It adds very little real security.
Better security comes when you add a true additional factor, such as something you have. A bank card is one example. When you go to an ATM, insert your bank card and type in your PIN, that is a true form of dual-factor authentication, and it increases security considerably. However, as we have all heard about or seen on the news, even this kind of dual-factor authentication can be overcome. Some people write their PIN on the back of their card, or on a slip of paper they keep with it, so that if their purse or wallet is stolen their bank identity is stolen as well; the “something you know” has been turned into something the thief now has, and the second factor is gone. Such dual-factor authentication can even be physically dangerous at times, as many people have been beaten into revealing their PINs or passwords. Other examples of identification mechanisms you might “have” are hard or soft tokens or PIV cards.
You can also have dual-factor or even triple-factor authentication using something you have, something you are (i.e. biometrics) and/or somewhere you are. This is basically what the people advocating getting rid of passwords are proposing: take the “what you know” human factor out of the loop.
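To make the distinction between “two of the same factor” and real multi-factor authentication concrete, here is a small model I have added to illustrate the point (it is example code written for this post, not something from any product or vendor). It maps login methods to the four factor categories above, treats a login policy as a set of required methods, and checks which constructed attacker scenarios (a phishing page that captures everything the user knows, a stolen wallet that captures everything the user has) defeat it. The method names, the mapping and the scenarios are assumptions for the example; the `reclassify` argument models the PIN-written-on-the-card case, where a knowledge factor has effectively become a possession factor.

```python
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"
    WHERE = "somewhere you are"


# Assumed mapping from concrete login methods to the factor category each one
# really belongs to. Security questions and "pick your picture" challenges are
# KNOW, exactly like the password they are paired with.
METHOD_FACTOR = {
    "password": Factor.KNOW,
    "pin": Factor.KNOW,
    "security_question": Factor.KNOW,
    "picture_recognition": Factor.KNOW,
    "bank_card": Factor.HAVE,
    "hardware_token": Factor.HAVE,
    "piv_card": Factor.HAVE,
    "fingerprint": Factor.ARE,
    "known_location": Factor.WHERE,
}

# Constructed attacker scenarios: which factor categories each one captures.
SCENARIOS = {
    "phishing": {Factor.KNOW},
    "wallet_theft": {Factor.HAVE},
    "phishing+wallet_theft": {Factor.KNOW, Factor.HAVE},
}


def factor_set(methods, reclassify=None):
    """Return the distinct factor categories behind a list of login methods.

    `reclassify` overrides the category of a method whose handling has
    collapsed it into another factor, e.g. {"pin": Factor.HAVE} for a PIN
    written on the back of the card.
    """
    overrides = reclassify or {}
    return {overrides.get(m, METHOD_FACTOR[m]) for m in methods}


def is_multi_factor(methods, reclassify=None):
    """True only when at least two *different* factor categories are required."""
    return len(factor_set(methods, reclassify)) >= 2


def defeated_by(methods, compromised, reclassify=None):
    """A policy falls when every factor it relies on is in the attacker's hands."""
    return factor_set(methods, reclassify) <= set(compromised)


def evaluate(methods, reclassify=None):
    """Map each scenario name to whether the policy survives it."""
    return {name: not defeated_by(methods, caps, reclassify)
            for name, caps in SCENARIOS.items()}


if __name__ == "__main__":
    policies = {
        "password + security question": (["password", "security_question"], None),
        "card + PIN": (["bank_card", "pin"], None),
        "card + PIN written on card": (["bank_card", "pin"], {"pin": Factor.HAVE}),
        "password + token + fingerprint": (["password", "hardware_token", "fingerprint"], None),
    }
    for name, (methods, recl) in policies.items():
        print(f"{name:32} MFA={is_multi_factor(methods, recl)!s:5} "
              f"survives={evaluate(methods, recl)}")
```

Running it shows the password-plus-security-question policy reported as single-factor and defeated by phishing alone, the card-plus-PIN policy surviving both single scenarios, and the same card-plus-PIN policy collapsing to a single factor, and falling to wallet theft, once the PIN travels with the card.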
But I say, why limit yourself? Let’s keep “something you know” in play. Identity and access control are such big problems, why not use every factor you can? Each independent factor you add raises the bar for an attacker, who now has to compromise all of them at once. People will complain about the inconvenience and the expense in time and money this entails. But, hey, everybody should know by now that real information security is both difficult and a pain in the neck! We need to bite the bullet and do it right, or suffer the consequences.