The Quest to Replace Passwords
An interactive version of Bonneau et al.'s S&P 2012 paper.
On the Internet, no one knows who you are until you establish your identity. That is authentication, and its oldest method is to present, at sign-in, a secret phrase that only you know: a password.
There have been decades of technological growth since the early Internet. The entire world's knowledge is now at our fingertips, we can communicate with friends and family worldwide, and social influencers reach audiences of millions. But passwords haven't changed. At the end of the day, every person from young to old, novice to expert, needs to remember passwords as a basic skill for using the Internet. Why can't we do better?
Challengers exist: for example, password managers reduce the number of different words that need to be memorized and possibly improve password quality. To name a few others, people use biometric authentication, one-time email links, and physical tokens.
However, every alternative has at least one downside. Password managers still need a master password and a recovery mechanism such as backup codes, one-time links require access to your email account (which then becomes the single point of failure), and physical tokens get lost.
Each row of the table is a single authentication scheme that aims to replace or supplement passwords; the schemes are grouped into broad categories. The columns are the paper's 25 benefits, grouped into usability, deployability and security. The authors of the source paper, as domain experts, qualitatively rate each scheme as offering, almost offering, or not offering each benefit.
Note that the ratings cannot simply be summed: benefits matter more or less depending on context (a bank and a hobbyist forum weigh security and deployability very differently), so a scheme with more filled cells is not automatically better. The evaluation is qualitative and has no meaningful numeric score.
What next? Well, there's no one true solution to all of our authentication concerns. At least, the next time someone sings the praises of their favorite password replacement, you can link them here and give them far more information about benefits and drawbacks than they ever wanted. 😄