Just give it up – websites shouldn’t be managing passwords!

The last month might have been a stepping stone towards the end of internet identity as we know it today. In just a few weeks we saw passwords hacked from Linkedin, Yahoo, tech news website Techradar, dating site eHarmony, as well as other popular sites such as AndroidForums and Last.fm. Millions of passwords were compromised, and the real problem is that the same passwords are used for our email, facebook and Amazon.

A lot have been written on what can be done to solve this, and three approaches were prominent. The first is the old “blame the users” approach. Users use passwords that are easy to break, and even worse, they use the same easy-to-break password in multiple websites. The moment people will stop doing that, the problem will be not be as bad. After all, hackers don’t break into Last.fm because they want to listen to music. This is all true, but things will have to get much worse for people to change their habits and impose on themselves a complex array of different, hard to break, passwords. It’s true that there are services such as 1password and Lastpass that can help you with that (I use it myself), but they don’t work on all devices.

The second approach is to demand better security from websites. It is true that many online services that store passwords don’t do it securely enough, and open the door for hackers. There are probably improvements to be made, but it is unlikely that every internet forum will reach the necessary security level.

The third, more forward looking approach, is seeking to replace passwords with better authentication means. As you could see this week in the Washington Post, these methods are starting to mature. From tokens to biometrics to facial recognition, there are better ways to authenticate in a way hackers find difficult to break. Putting aside possible faults (e.g. a simple photo can gain you access with some facial recognition apps), these ideas are good, but they are only part of the necessary evolution of internet identity.

What is really happening is that identity becomes too complex to be managed independently by each website. The proliferation of user accounts, mobile devices and security threats makes the current state unsustainable, for both users and services. Digital identity must therefore go in the way of the digital payments. No online service will consider handling payments on its own, without a payment service provider – It’s just too complicated and insecure. The same applies for identity – a few years from now no online service will think of handling identities without using identity providers. These providers will ensure both security and ease of sign-up/sign-in for the service, as well as convenient, secure identity management  for the user. They will also be able to develop and integrate the right authentication methods, be it mobile PINs, biometric or any other.

This is not a futuristic vision – In the US and the UK there is work in progress to bring this new identity ecosystem to life. Organizations such as the OIX and Kantara initiative are working to create the rules according to which identity providers will operate. It’s a new and exciting space, that aims to make our digital transactions easier and more secure.