Lens:Status

Passwords

Hopefully this will finally get rid of passwords.

The World Wide Web Consortium said on Tuesday that Google, Microsoft, and Mozilla are currently working to incorporate the new WebAuthn standard into their browsers. This will enable web-based biometric authentication without the need for additional software.

Apps or secure key based 2FA are more secure than SMS based.

The password was such a nuisance of an invention. Even the conventions and practices around it have been flawed, yet companies continue to follow the old practices blindly in the name of security. Here are some examples:

Security
Convoluted password requirements don't make passwords more secure, and NIST has revised its guidelines to drop forced password expiry and character-composition restrictions.


A lot of password rules are there simply "because we've always done it that way." NIST aims to fix that, and here's how.

We've all been forced to do it: create a password with at least so many characters, so many numbers, so many special characters, and maybe an uppercase letter. Guess what? The guy who invented these standards nearly 15 years ago now admits that they're basically useless. He is also very sorry.

A vast majority of the trusted tips and tricks we employ when crafting a custom password actually make us more vulnerable to hackers, according to the expert who popularized the tips back in 2003. I...
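To show the difference in practice, here is an added example (not code from the article or from NIST) that puts a legacy composition-rule policy next to a policy in the direction of NIST SP 800-63B: a minimum length, a generous maximum, no character-class rules, NFKC normalization, and a check against a blocklist of known-weak passwords. The blocklist is a tiny constructed sample, not a real breach corpus, and the length limits are illustrative.

```javascript
// Added example: two password policies side by side.
// legacyPolicy() is the composition-rule style NIST now advises against.
// nistPolicy() follows the 800-63B direction: length, normalization and a
// blocklist of known-weak passwords, with no composition rules and no expiry.

// Constructed sample blocklist; a real one is built from breach corpora.
const BLOCKLIST = new Set([
  "password", "p@ssw0rd1!", "qwerty123", "welcome1", "letmein",
]);

// Legacy policy: 8-16 characters with at least one upper, lower, digit and special.
function legacyPolicy(pw) {
  const problems = [];
  if (pw.length < 8) problems.push("shorter than 8 characters");
  if (pw.length > 16) problems.push("longer than 16 characters");
  if (!/[A-Z]/.test(pw)) problems.push("no uppercase letter");
  if (!/[a-z]/.test(pw)) problems.push("no lowercase letter");
  if (!/[0-9]/.test(pw)) problems.push("no digit");
  if (!/[^A-Za-z0-9]/.test(pw)) problems.push("no special character");
  return { accepted: problems.length === 0, problems };
}

// NIST-style policy: at least 8 code points, up to 64 accepted, any characters
// (spaces and Unicode included), normalized to NFKC before comparison, and
// rejected only when it matches the blocklist. No composition rules.
function nistPolicy(pw, blocklist = BLOCKLIST) {
  const problems = [];
  const normalized = pw.normalize("NFKC");
  const length = [...normalized].length;     // count code points, not UTF-16 units
  if (length < 8) problems.push("shorter than 8 characters");
  if (length > 64) problems.push("longer than 64 characters");
  if (blocklist.has(normalized.toLowerCase())) {
    problems.push("appears on the blocklist of known-weak passwords");
  }
  return { accepted: problems.length === 0, problems };
}

// Evaluate one candidate under both policies.
function compare(pw) {
  return { legacy: legacyPolicy(pw).accepted, nist: nistPolicy(pw).accepted };
}

// Running the samples shows the inversion the article describes: the legacy
// rules accept a short, predictable "P@ssw0rd1!" and reject a long passphrase.
for (const pw of ["P@ssw0rd1!", "correct horse battery staple", "short"]) {
  console.log(JSON.stringify(pw), compare(pw));
}

module.exports = { legacyPolicy, nistPolicy, compare, BLOCKLIST };
```

Note that `"P@ssw0rd1!"` satisfies every legacy rule and still lands on the blocklist, while the 28-character passphrase fails three legacy rules and passes the NIST-style check; the blocklist, not the character classes, is doing the security work.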

Usability
Masking the password is another stupid practice companies continue to engage in. Especially on mobile phones, masking makes no sense; in fact it degrades usability.

Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures.

LukeW Ideation + Design provides resources for mobile and Web product design and strategy including presentations, workshops, articles, books and more on usability, interaction design and visual design.

1 Comment

  1. ravikiran

    Came across the Zoho One Auth app over the weekend, a great implementation. It is one step ahead of implementing Google Authenticator, as that requires inputting a code. Zoho allows the user to pick between SMS or biometric. Google's app sign-in with a notification prompt is a good implementation. CapitalOne similarly has SwiftID, which didn't work great initially, and I switched out of it.

    https://www.zoho.com/accounts/oneauth.html

    https://support.google.com/accounts/answer/7026266?co=GENIE.Platform%3DiOS&hl=en

    https://www.capitalone.com/applications/identity-protection/swiftid/

    A great article on Mobile Logins in China

    https://www.nngroup.com/articles/mobile-login-china/
