Since their inception during the Kennedy administration on a multiuser computer system developed at MIT, passwords have served as both protection and a source of frustration for users. The leader of that groundbreaking project has more recently called passwords "kind of a nightmare," reflecting growing concern over both their security and their usability.
It is easy to see why: passwords are routinely phished, guessed, or stolen in bulk from breached databases, exposing not just individual accounts but the private information of millions. Users are urged to create a distinct password for every account so that one breach does not cascade into others, but remembering dozens of complex, unique passwords is beyond most people. The result is that the world's most common password is an alarmingly simple "123456," which is as easy for criminals to guess as it is for users to remember.
Mayank Varia, an associate professor in BU's Faculty of Computing & Data Sciences, builds on this context by discussing the evolution of security measures. A recent article published by Vox suggests that we might be approaching "a world without passwords," largely because of passkeys. A passkey is not an encrypted code but a cryptographic key pair: the private key stays on the user's device or in a password manager, and only the public key is registered with the website or app. To log in, the site sends a random challenge, the device signs it after the user unlocks it with a fingerprint, face scan, or PIN, and the site checks the signature against the stored public key. Because the signed data is bound to the site's origin and the private key never leaves the device, a look-alike phishing site cannot capture anything it can reuse, and a breach of the site's database yields only public keys.
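The challenge-response and origin binding described above, as an added example that is not part of the original article and not code from any real passkey implementation: a Go sketch in the spirit of WebAuthn, with an "authenticator" holding one Ed25519 key per relying party ID and a "relying party" that stores only public keys. The site name example.com, the look-alike examp1e.com, the user alice, and the exact payload layout are assumptions for illustration; real FIDO assertions carry more fields and use CBOR, not JSON. The phishing scenario shows both barriers: the device holds no credential for the look-alike domain, and even if that check were bypassed, the browser-supplied origin inside the signed client data causes the real site to reject the relayed assertion.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData stands in for WebAuthn's CollectedClientData. The browser, not the
// web page, fills in Origin; that is what makes the assertion phishing-resistant.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// authenticator models the user's device: one private key per relying party ID.
type authenticator struct{ creds map[string]ed25519.PrivateKey }

// register mints a key pair scoped to rpID and hands back only the public half.
func (a *authenticator) register(rpID string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a.creds[rpID] = priv
	return pub
}

// assert signs SHA-256(rpID) || SHA-256(clientDataJSON) (simplified from FIDO).
// A device with no credential for rpID cannot answer at all.
func (a *authenticator) assert(rpID, origin, challenge string) (cdJSON, sig []byte, err error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, nil, fmt.Errorf("device has no passkey for %q", rpID)
	}
	cdJSON, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	return cdJSON, ed25519.Sign(priv, signedPayload(rpID, cdJSON)), nil
}

func signedPayload(rpID string, cdJSON []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdJSON)
	return append(rpHash[:], cdHash[:]...)
}

// relyingParty models the website's server: it stores public keys only.
type relyingParty struct {
	rpID, origin string
	pubKeys      map[string]ed25519.PublicKey // per user
	pending      map[string]string            // per user: outstanding challenge
}

func (rp *relyingParty) beginLogin(user string) string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	rp.pending[user] = base64.RawURLEncoding.EncodeToString(b)
	return rp.pending[user]
}

func (rp *relyingParty) finishLogin(user string, cdJSON, sig []byte) error {
	challenge, ok := rp.pending[user]
	if !ok {
		return errors.New("no login in progress")
	}
	delete(rp.pending, user) // single use: a captured assertion cannot be replayed
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	switch {
	case cd.Type != "webauthn.get":
		return errors.New("wrong ceremony type")
	case cd.Challenge != challenge:
		return errors.New("challenge mismatch")
	case cd.Origin != rp.origin:
		return fmt.Errorf("origin %q is not %q: relayed assertion rejected", cd.Origin, rp.origin)
	}
	if !ed25519.Verify(rp.pubKeys[user], signedPayload(rp.rpID, cdJSON), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// setup enrolls alice's passkey with the hypothetical site example.com.
func setup() (*authenticator, *relyingParty) {
	auth := &authenticator{creds: map[string]ed25519.PrivateKey{}}
	rp := &relyingParty{rpID: "example.com", origin: "https://example.com",
		pubKeys: map[string]ed25519.PublicKey{}, pending: map[string]string{}}
	rp.pubKeys["alice"] = auth.register(rp.rpID)
	return auth, rp
}

// legitLogin: the real site issues a challenge, the device signs it, the site accepts.
func legitLogin() error {
	auth, rp := setup()
	cd, sig, err := auth.assert(rp.rpID, rp.origin, rp.beginLogin("alice"))
	if err != nil {
		return err
	}
	return rp.finishLogin("alice", cd, sig)
}

// phishingRelay: a look-alike site forwards the real challenge to the victim.
func phishingRelay() error {
	auth, rp := setup()
	challenge := rp.beginLogin("alice")
	if _, _, err := auth.assert("examp1e.com", "https://examp1e.com", challenge); err == nil {
		return errors.New("device should hold no passkey for the look-alike domain")
	}
	// Worst case: assume the rpID check were bypassed; the origin still gives it away.
	cd, sig, _ := auth.assert(rp.rpID, "https://examp1e.com", challenge)
	return rp.finishLogin("alice", cd, sig)
}

func main() {
	fmt.Println("legitimate login:", legitLogin())
	fmt.Println("phishing relay:", phishingRelay())
}
```

Two design points carry over to real deployments: the server must generate a fresh random challenge per login and discard it after one use, and it must compare the origin it receives against the origin it expects rather than trusting whatever the client sends.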
The growing list of major websites supporting passkeys includes Amazon, Best Buy, Google, and Walmart. Many of these platforms still keep a traditional password as a fallback for users who lose the device holding their passkey, which means the account is only as strong as that fallback path. When asked whether passwords are destined for extinction, Varia says, "Security, just like life, is all about trade-offs." The crux of the matter, he explains, is balancing convenience against security, and passkeys are one promising point on a spectrum of options available to users.
As a researcher in cryptography, Varia plays a crucial role in the United Nations Privacy-Preserving Techniques Task Team, which advocates for robust laws and policies concerning cryptography and confidential data management. His expertise offers valuable insight into the evolving landscape of digital security.
This interview has been edited for brevity and clarity.
Q&A
With Mayank Varia
BU Today: Do you think passwords will become obsolete in our lifetime?
Varia: I suppose it’s possible, but I’ll note the goal of passkeys, like the goal of many innovations [for] authenticating yourself: they don’t necessarily eliminate passwords. They aim to reduce the number of passwords a user must remember because our capacity for recalling complex, alphanumeric strings is inherently limited. Commonly, passkeys are implemented on mobile devices, which might still require a password for access. This means managing one password for your phone instead of the multitude needed for countless websites.
BU Today: Do you expect passkeys to become the dominant alternative?
Varia: It’s hard to project, but passkeys do appear to be a notably convenient solution, garnering significant support from groups like the FIDO (Fast IDentity Online) Alliance. It’s conceivable that they could become a prevalent option in conjunction with passwords.
BU Today: Apparently that’s not convenient enough, since we’re having this conversation about passkeys.
Varia: That’s right. While password managers provide a well-designed solution, they require installation and integrate friction into the user experience. A nearly universal truth in computer security is that any additional steps significantly hinder adoption rates, dropping from 80-90 percent to as low as 5-10 percent.
BU Today: Are there any downsides to passkeys?
Varia: There are two primary downsides, both relatively minor. One concern is that if a user lends their phone to another individual, that person may gain access to the user’s accounts, an unintended consequence of sharing devices. The second issue revolves around privacy and legal matters; a world without traditional passwords could heighten risks of coercion in situations where law enforcement requests access to information. In some cases, individuals might be compelled to unlock their devices through biometrics, raising complex legal questions about personal security and law enforcement’s reach.
In Massachusetts, for instance, court rulings have established that authorities can compel individuals to provide passwords, though the legal landscape regarding this issue remains ambiguous across various jurisdictions.
BU Today: What are the key benefits of using passkeys over traditional passwords?
Varia: The trend seems promising. Many major platforms are adopting passkeys, signaling a shift towards more convenient and secure authentication methods. However, the transition will take time, as not everyone is familiar with or trusts new technologies. Education and awareness will play a critical role in this process. Users must be made comfortable with passkeys and understand how they function before they can fully replace traditional passwords.
BU Today: What are some common misconceptions about passkeys?
Varia: One common misconception is that passkeys are infallible and will completely eliminate all security risks. While they do offer greater protection against certain attacks, like phishing, they are not invulnerable. Additionally, some people believe that moving to passkeys means completely disconnecting from all familiarity with passwords, which isn’t necessarily the case. Many systems will still have the option for passwords available, at least for the foreseeable future, which highlights that while we’re moving forward, it’s not a total departure from what we previously understood as secure access.
BU Today: Beyond passkeys, what do you think is the future of digital security?
Varia: The future of digital security will likely involve a mix of technological solutions, improved user education, and a deeper understanding of privacy concerns. We have to remember that no single solution will solve all problems. Instead, it’s about creating a more comprehensive security ecosystem that includes regulatory measures, better encryption practices, and ongoing development in secure technologies to protect users effectively. As we transition towards a world increasingly dependent on digital interactions, staying ahead of potential threats is crucial.