Page 1 of 2
Alternatives to passwords
Posted: Wed Aug 05, 2009 9:53 am
by matthijs
So, do any of you follow the latest developments considering authentication possibilities on the web? What's the progress on open id (or similar)? Or what about iris scans or something?
I really, really cannot wait to have an alternative to trying to manage literally hundreds and hundreds of username/email/password combo's. Most of them I just write down, or I let my browser remember them. But it's all a big mess. Some passwords are important enough not to write down, some have to be changed by policy once in a while, sometimes I can pick my own un/pw (easy, I pick the same as always), sometimes something random is generated, etc etc
Re: Alternatives to passwords
Posted: Wed Aug 05, 2009 9:58 am
by onion2k
OAuth with a service like Twitter is pretty good, likewise Facebook Connect (which I'm seeing a lot of lately). OpenID is a pain to implement but quite effective once it's done. Any biometric solution won't work on a website - too few people will have the capability. Lovely on an intranet though.
Re: Alternatives to passwords
Posted: Wed Aug 05, 2009 3:15 pm
by Jonah Bron
How about like Yahoo where you upload an image?
Re: Alternatives to passwords
Posted: Thu Aug 06, 2009 8:59 am
by jackpf
Wasn't that just to make sure you weren't being phished?
Re: Alternatives to passwords
Posted: Thu Aug 06, 2009 9:09 am
by superdezign
Uploading an image sounds more costly to the webmaster. Plus, a password is more in your head than on your hard drive. If you had your password sitting around on your hard drive, then your password would be more vulnerable.
Re: Alternatives to passwords
Posted: Thu Aug 06, 2009 10:52 am
by jayshields
Correct me if I'm wrong about the device, but I had a go with my mates Android phone the other week, and that had an intuitive password thing on it. You have to swipe your finger over 9 (?) buttons in a particular order to unlock the device.
Re: Alternatives to passwords
Posted: Thu Aug 06, 2009 10:56 am
by Jonah Bron
Good point. Good point. Plus, I think it is used in unison with a password anyway.
jayshields:
Yeah, I saw that on the T-Mobile website. Pretty cool. The only drawback is that very few people have touch screen computers.

So sad.
I'm still thinking...
Re: Alternatives to passwords
Posted: Thu Aug 06, 2009 12:40 pm
by superdezign
Jonah Bron wrote:The only drawback is that very few people have touch screen computers.
We all have mouses though. If we made our passwords a series of swipes and clicks, that would be... Amazing. o.o
Although, it may run into the problems that we have with passwords, these days. Websites forcing you to build your password to their standards of capitalization, numbers, and special characters is annoying. We'll have a required amount of clicks and twirls. :3
Re: Alternatives to passwords
Posted: Fri Aug 07, 2009 3:05 am
by onion2k
superdezign wrote:Jonah Bron wrote:The only drawback is that very few people have touch screen computers.
We all have mouses though. If we made our passwords a series of swipes and clicks, that would be... Amazing. o.o
For you perhaps, but what about for a disabled user? Or someone who's just rubbish at using a mouse? Or someone who uses a mouse in the office, and a trackpad when they're out at a client's office?
Anything based on dexterity won't work.
Re: Alternatives to passwords
Posted: Fri Aug 07, 2009 5:22 am
by m4rw3r
From what I recall, there is a way of identifying a person by the way they enter the text via their keyboard.
So they give the user a password + an arbitrary string to type, then measure the way they type (delays between different words and characters etc.) and then compare that to the saved data.
Re: Alternatives to passwords
Posted: Fri Aug 07, 2009 5:28 am
by onion2k
m4rw3r wrote:From what I recall, there is a way of identifying a person by the way they enter the text via their keyboard.
So they give the user a password + an arbitrary string to type, then measure the way they type (delays between different words and characters etc.) and then compare that to the saved data.
Again, based on dexterity. What if you break your arm and can't type normally? What if you're on a train that's moving around? What if there's an emergency and you're panicking? What if someone installs a keylogger that records the time between keystrokes?
Recall (remembering your password, picking out which image you uploaded) or recall+cognition (what are the first, second and last letters of your password) are the only viable options for a web based login.
Re: Alternatives to passwords
Posted: Fri Aug 07, 2009 5:42 am
by m4rw3r
Yeah, it is really hard to come up with an alternative to the password, as almost everything can be imitated / recorded.
Re: Alternatives to passwords
Posted: Fri Aug 07, 2009 6:03 am
by jayshields
onion2k wrote:Again, based on dexterity. What if you break your arm and can't type normally? What if you're on a train that's moving around? What if there's an emergency and you're panicking? What if someone installs a keylogger that records the time between keystrokes?
I don't like it when people bring up arguments like this. What if you have no vocal cords and no arms or legs? You've got to draw the line somewhere. If you can't type properly you shouldn't really be allowed to log in to secure websites (what happens if someone who can't type properly logs into their bank account online and wants to transfer money - oops wrong account number?).
Re: Alternatives to passwords
Posted: Fri Aug 07, 2009 6:20 am
by matthijs
In general, there will always be a need for passwords. I agree that working with biometrics is still future talk until iris scanners are as small as a cell phone and can be dragged around easily
The problem is not so much that I need a password. The problem is that I have around 264 of them
I also believe that there will never be a single method to authenticate. That should also not be forced. Someone mentioned "what if you can't type?". Well, that happens more often then you think. From an accessibility aspect, a blind person or other disabled person not using a keyboard should be able to login just as well.
But, if it would be just possible to reduce the amounts of passwords needed, it would be such a relieve. Maybe openId or something. However, I have looked into openId, and even for me as a developer it's difficult to understand how it works. So I don't see how the general non-tech population is going to use understand and use that
I will take a look at Oauth
Re: Alternatives to passwords
Posted: Fri Aug 07, 2009 6:27 am
by onion2k
jayshields wrote:I don't like it when people bring up arguments like this.
What? Logical ones?
jayshields wrote:What if you have no vocal cords and no arms or legs?
That's a reductio ad absurdum argument though. You can take any line of reasoning to a ridiculous extreme; that doesn't tell you anything or give you anything useful. You have to look at all the useful cases
up to a point. When it comes to accessibility that's "blind people" or "deaf people" rather than "blind, deaf, mute people with no arms".