Passwords, says Twitter senior product manager Michael Ducker, “just suck”.
The Verge quotes him:
I go to dinner parties and people say, 'Oh, you work in tech? Can you get rid of the password?'
I get it. It’s so hard to remember the tediously huge mountain of passwords we need for all our accounts that many of us wind up reusing them (to disastrous effect, since a thief who gets his hands on one can then get into all our accounts), coming up with easily guessed passwords, or having to rely on a kludgy password manager program.
And even when we do fabricate some gorgeous, byzantine, high-entropy masterpiece, thieves are constantly cracking open databases to pry them out or trying to phish them away.
Beyond all that, as Ducker found out on a trip to Brazil, Indonesia and India to learn how people around the world use mobile devices, there’s another side to the problem: namely, the email addresses that Twitter requires people to create an account with.
In fact, in many countries, potential Tweeters don’t have an email address to use to sign up for an account, his team found.
That is why, as the company announced on Wednesday at Flight, its first developer conference in four years, Twitter is unveiling a suite of developer tools aimed at remaking mobile applications and yes, getting rid of both 1) the password, for what Ducker said is “the vast majority of use cases”, and 2) the need for an email address when signing up for an account.
The kill-the-password part of its new suite that will affect consumers the most is called Digits.
Developers will soon be able to use Digits to sign up users to their apps.
Signing into Twitter’s new passwordless world – reportedly similar to signing on to WhatsApp or Yo – will be a four-step process:
- We’ll see a login screen with an option to sign up via mobile device.
- Next, there’ll be a screen to enter a phone number.
- Twitter will send a one-time confirmation code via SMS.
- We’ll enter that confirmation code into another screen.
Because the confirmation code is a one-time password, users will go through those steps to get a fresh password each time they sign in.
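The server side of that four-step flow, written here as an added illustration (it is not Twitter’s or Digits’ code, and the class, key and phone numbers are constructed): the code is random, stored only as a keyed hash, expires, allows a handful of guesses, and is discarded the moment it is accepted so a replay fails.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6        # length of the SMS code
CODE_TTL_SECONDS = 300 # a code is only good for five minutes
MAX_ATTEMPTS = 5       # guesses allowed before the code is thrown away


class SmsOtpService:
    """Hypothetical server for the phone-number + one-time-code login above."""

    def __init__(self, send_sms, secret_key, clock=time.time):
        self.send_sms = send_sms      # callable(phone, text) that delivers the SMS
        self.secret_key = secret_key  # server-side key: a leaked table is useless alone
        self.clock = clock            # injectable for testing expiry
        self.pending = {}             # phone -> (digest, expires_at, attempts_left)

    def _digest(self, phone, code):
        # Never store the code itself, only an HMAC bound to the phone number.
        msg = f"{phone}:{code}".encode()
        return hmac.new(self.secret_key, msg, hashlib.sha256).digest()

    def issue(self, phone):
        """Step 3: generate a fresh random code and text it to the number."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        expires_at = self.clock() + CODE_TTL_SECONDS
        self.pending[phone] = (self._digest(phone, code), expires_at, MAX_ATTEMPTS)
        self.send_sms(phone, f"Your login code is {code}")

    def verify(self, phone, submitted):
        """Step 4: accept the code once, within its lifetime, with limited guesses."""
        entry = self.pending.get(phone)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self.clock() > expires_at:
            del self.pending[phone]
            return False
        if not hmac.compare_digest(digest, self._digest(phone, submitted)):
            attempts_left -= 1  # constant-time compare, then burn one attempt
            if attempts_left <= 0:
                del self.pending[phone]
            else:
                self.pending[phone] = (digest, expires_at, attempts_left)
            return False
        del self.pending[phone]  # single use: the same code cannot be replayed
        return True
```

With a fake SMS gateway that just records the text, issuing a code, submitting a wrong one, then the right one, then the right one again yields (False, True, False).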
The introduction of Digits came a few hours after Google announced its Security Key: another password-killer that relies on a USB drive to generate one-time passcodes.
Passwords: are they done? Can we stick a fork in them?
Will you miss them when they’re gone?
Passwords are what we know. A phone is something that (likely) we have.
If somebody steals our phone, (s)he can impersonate us if no password is needed (and the phone is not locked, I know… ). Or if the phone is lost, how do we regain access to the account?
It sounds like a good idea for some possible scenarios, but in general combining something that we have AND something that we know (and not or) seems to be better.
P.S.: I personally do not like the third possibility for 2FA, what we are (biometrics, basically). We can change a password or replace a phone (or just the SIM), but usually it is more difficult to change ourselves. For example, if we want a service to forget about us, how can we do that if they have a copy of our fingerprint, iris, etc.?
rakso75 wrote “Or if the phone is lost how do we regain access to the account?”
Umm, call the telco, get the SIM and IMSI cancelled, get a new phone and a new SIM assigned to the old phone number, and you’re good to go.
I’m pretty sure this system isn’t just tied to the phone number… because if it is, there are ways to spoof phone numbers, and so the system is inherently flawed.
More likely, it is using the phone’s UUID, which is based off of an internal serial number, sometimes the SIM code, and a few other identifiers.
So getting a new phone with the old number won’t get you back into your account, as the UUID won’t match so the token you get via SMS won’t work.
That’s if I’m understanding this correctly; otherwise, all an attacker has to do is call the telco, get the SIM and IMSI cancelled, get a new phone and a new SIM assigned to the old phone number, and THEY are good to go.
But at this point, I’m guessing.
The benefit of this system over traditional password solutions is that all the security secrets are pushed down to the end user to protect. So a password is still needed, but now it’s the password to your phone. Online attacks of databases won’t reveal anything with this technique (although online database modifications could give everyone the same “one time” code, which would crack the security wide open).
Or try to be more careful with your phone to begin with. Put a lock on it, and get a belt case for it that is secured to your body and secures the phone well in the case. If you’re a woman with a dress, I’ve seen really small purses that are designed for phones.
I’ve seen students put their loose phone in their pocket, or leave it in the break room UNATTENDED for hours. Some people make a call, set it down (because they don’t have a secure place to put it) and walk off without it.
We have wandering minds in this society, and for this to work, people are going to have to be a little more aware of what they’re doing. I know that’s not the culprit in every case, but I’d say a great number of phone theft is due to carelessness.
Yep, so simple that anyone could do it… to your account.
This is just not a good solution, for all the reasons listed and more.
No phone/dead battery/can’t find phone, no login.
No wireless service where you are, or service outage, or forgot to pay wireless bill, no login.
Phone stolen or SIM card cloned, thieves can login as you.
Biometrics aren’t a magical panacea, either. The biometric data still has to be broken down to a digital thumbprint of some kind. Thumbprint stolen/compromised, thieves can login as you, and you can never–ever–use that biometric vector to login to anything safely again.
Passwords are going to be with us for a long time.
Got no signal? Got no passcode…
Excellent point!!
Personally I spend almost half a year in locations without cellular service…
If you have no signal, you’re going to have a hard time accessing those online services using this system…
Wi-Fi, but no GSM / LTE?
There’ll be one-time codes, most likely, that you can use if the app is on your phone; you should not need to keep trying to sign in every time anyway if you’re using your phone.
A good idea for some websites, but not for social media like Twitter and Facebook. If a user wants to enter Twitter, he doesn’t want to wait for the one-time password. Imagine, a user wants to go to Twitter, puts in his phone number, waits a while until the SMS comes in, grabs his phone (out of his sleeve or other kind of cover), must first open the lock on the phone, then open the incoming messages to open the one-time password. Then he enters the password (probably a lot of digits) in the form (not too slowly, because the phone locks again) and finally sees the tweets. This is not user friendly.
Making tech stuff user-friendly is largely our problem. People don’t have to learn NEARLY as much about computers today as 15-20 years ago, and so are far more ignorant in how they work as a whole.
I use two-step verification of my FB – I am not bothered by it. Takes the code all but 30 or less seconds to get to my phone.
People want everything quick quick quick, and I highly doubt this would take longer than five minutes, if that. That really isn’t a long time… people think it’s a long time and that it’s inconvenient because they’re spoiled.
How are so many passwords stolen? A STRONG password is not user-friendly and takes a longer time to enter. People don’t want to wait for anything, and that’s part of the problem and a really nice advantage for thieves. Simple as that.
For what it’s worth, I wish more services would use something like “Google Authenticator” or “Duo Mobile” or another similar choice when looking at two-factor authentication with a mobile device. Soft tokens on a cell phone are a great option for many, but not everyone has free text messaging, and 20c a shot to sign into something is not going to be readily accepted.
I think the best option is to give the user choices. I would want true two-factor authentication, as suggested by rakso75 above. I want to know my own password and have a one-time password via mobile — both. Many others would want alternative choices that shave a bit off security but add to convenience — and that’s okay.
It’s not a one-size-fits-all world, so developers should not try to engineer it as such if they want happy customers and high adoption rates.
G
None of the SMS two-factor authentication I’ve used requires you to *send* anything, only to receive messages. On my prepaid phone I can do that with a zero balance.
The mobile provider requires me to “do something, anything, that incurs a charge”, such as sending an SMS, once every three months to keep my number alive. After that it might get recycled (or it might not). So the financial overhead is negligible. About 10c every quarter, if I never make any calls (which I do).
Unless you pay to receive messages, of course, which sounds weird to me. Or is that a North American thing?
(The network provider benefits from SIM cards with no balance, because it can charge people to send me messages or to call me…revenue that would otherwise be lost.)
Sadly, yes. In the USA it is extremely common to be charged for sending AND receiving text messages. If you do not have a prepaid package of text messages, it is usually $0.10 per message sent or received. Most popular voice packages now include unlimited text messages, however.
And what happens for those millions without a mobile phone? No mobile, no access – not even from your home computer!
Badly thought through methinks.
This sounds much too kludgy for my taste. In addition to the objections noted above, I don’t want to have to rely on any third party whose business model revolves around advertising, tracking and privacy invasion for authentication.
Damn straight.