Date: 2020-02-28

Do you hate remembering passwords? Soon, you may be able to forget them for good.

For years, we’ve relied on a secret we share with a computer to prove we are who we say we are. But passwords are easily compromised through a phishing scam or malware, data breach or some simple social engineering. Once in the wrong hands, these flimsy strings of characters can be used to impersonate us all over the internet.

Slowly, we're kicking the password habit. With data breaches costing billions, the pressure is on to find more foolproof ways to verify someone's identity.

“We are moving into a world which we’re calling passwordless, which is the ability for our applications, devices and computers to recognize us by something other than the old-fashioned password,” says Wolfgang Goerlich, advisory chief information security officer for Cisco-owned security firm Duo.

Newer forms of identification are harder to imitate: something we are (such as the contours of our face or the ridges of our thumb) or something we have (physical objects such as security keys).

Intuit, for example, lets users sign into its mobile apps with a fingerprint or facial recognition or their phone’s passcode instead of a password. Your fingerprint or screen lock can access some Google services on Pixel and Android 7+ devices.

Goerlich estimates that within five years, we could be logging into most of our online accounts the same way we unlock our phones. And then we will be able to finally break up with passwords for good.

What will replace them? That's a bit more complicated.

Any system that depends on a single factor isn't secure enough, according to Vijay Balasubramaniyan, CEO of Pindrop, a voice authentication and security company. Biometric information such as an iris scan or a fingerprint can be stolen, too, and you can't change those.

Balasubramaniyan predicts several pieces of information will be used to verify identity. Machines will analyze our speech patterns or scan our fingerprints. We’ll also be identified by something we have (our mobile devices, computers, key cards, fobs or tokens) and something we do (our movements and location, our behavior and habits, even how we type).

One of the major proponents of a passwordless future is the FIDO Alliance, whose name stands for Fast Identity Online. The consortium counts industry heavyweights such as Apple, Google and Microsoft among its members.

If that seems more invasive than sharing some random bits of knowledge such as our mother’s maiden name or a PIN number, it is. But Balasubramaniyan argues these trade-offs are necessary to shield our personal information in a hyper-connected world.

“It’s going to be scary,” he says, but, “it’s time for consumers to demand a higher level of privacy and security.”

Password overload

Secret words to tell friend from foe have been around since ancient times and, in the early days of the internet, they made a lot of sense.

We started out with just a handful of passwords to access our email, a few e-commerce sites, maybe an online subscription or two. But soon, we were transferring our entire existence into the cloud, storing our medical and financial information, photos of our kids and our innermost musings there.

And every time we clicked a link or downloaded an app, we had to come up with another password. As even more devices connected to the internet, from home surveillance systems to thermostats, we hit password overload.

Today, people have an average of 85 passwords to keep track of, according to password manager LastPass. Our brains just aren’t wired to squirrel away unique passwords for so many online accounts. So we reuse and share them. We jot them down on Post-Its or in Word documents. We sign in with Facebook or Google. We shell out a few bucks for a digital password manager.