Passwords, says Twitter senior product manager Michael Ducker, “just suck”.
The Verge quotes him:
“I go to dinner parties and people say, ‘Oh, you work in tech? Can you get rid of the password?’”
I get it. It’s so hard to remember the tediously huge mountain of passwords we need for all our accounts that many of us wind up reusing them (to disastrous effect, since a thief who gets his hands on one can then get into all our accounts), coming up with easily guessed passwords, or having to rely on a kludgy password manager program.
And even when we do fabricate some gorgeous, byzantine, high-entropy masterpiece, thieves are constantly cracking open databases to pry them out or trying to phish them away.
Beyond all that, as Ducker learned on a trip to Brazil, Indonesia and India to find out how people around the world use mobile devices, there’s another side to the problem: namely, the email addresses that Twitter requires people to create an account with.
In fact, in many countries, potential Tweeters don’t have an email address to use to sign up for an account, his team found.
That is why, as the company announced on Wednesday at Flight, its first developer conference in four years, Twitter is unveiling a suite of developer tools aimed at remaking mobile applications and, yes, getting rid of both 1) the password, for what Ducker said is “the vast majority of use cases”, and 2) the need for an email address when signing up for an account.
The kill-the-password part of its new suite that will affect consumers the most is called Digits.
Developers will soon be able to use Digits to sign up users to their apps.
Signing into Twitter’s new passwordless world – reportedly similar to signing on to WhatsApp or Yo – will be a four-step process:
- We’ll see a login screen with an option to sign up via mobile device.
- Next, there’ll be a screen to enter a phone number.
- Twitter will send a one-time confirmation code via SMS.
- We’ll enter that confirmation code into another screen.
Because the confirmation code is a one-time password, users will go through those steps to get a fresh password each time they sign in.
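What the server has to do behind those four steps, as an added example (not Twitter's or Digits' code): issue a random code, then accept it once, within a time limit and a small number of guesses. The 6-digit length, 5-minute lifetime, 3-guess limit and every name below are assumptions, not details from the article.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumption: a code is valid for 5 minutes
MAX_ATTEMPTS = 3        # assumption: guesses allowed per issued code


class SmsCodeVerifier:
    """Server side of an SMS confirmation-code login (hypothetical names)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = secrets.token_bytes(32)  # server secret, kept apart from the table
        self._pending = {}  # phone -> [tag, expires_at, attempts_left]

    def _tag(self, phone, code):
        # A keyed MAC binds the code to the phone number; without the key the
        # stored tag cannot be brute-forced back to the 6-digit code.
        msg = f"{phone}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, phone):
        """Create a fresh code; the caller passes it to an SMS gateway."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, leading zeros kept
        # Re-issuing overwrites the entry, so only the newest code is accepted.
        self._pending[phone] = [self._tag(phone, code),
                                self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, phone, submitted):
        """Return True exactly once for the correct, unexpired code."""
        entry = self._pending.get(phone)
        if entry is None:
            return False
        tag, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[phone]  # expired: a new code must be requested
            return False
        entry[2] = attempts_left - 1  # count the guess before comparing
        if hmac.compare_digest(tag, self._tag(phone, submitted)):
            del self._pending[phone]  # single use: a replayed code finds nothing
            return True
        if entry[2] == 0:
            del self._pending[phone]  # guesses exhausted: lock this code out
        return False
```

Without the guess limit, a 6-digit code falls to at most a million tries, so the attempt counter and the expiry carry as much of the security as the randomness does.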
The introduction of Digits came a few hours after Google announced its Security Key: another password-killer that relies on a USB drive to generate one-time passcodes.
Passwords: are they done? Can we stick a fork in them?
Will you miss them when they’re gone?