The Latest Alternatives to Passwords

​Most of us use some version of a password or PIN to access our devices, accounts and personal information in a myriad of situations: smartphones, laptops, tablets, ATMs, social media accounts, email accounts, financial accounts, store accounts, the list goes on. Managing all those PINs and passwords is inconvenient, often frustrating, and, worst of all, it isn’t very effective at keeping our information safe from identity theft and fraud.

Passwords have two main problems: First, they aren’t that secure. A recent study showed that a majority of hacks are accomplished by taking advantage of weak or guessable passwords. Second, passwords are too susceptible to being stolen through data breaches, digital surveillance, or phishing scams. Because of these problems, password-only authentication is going the way of the dinosaurs. The tech industry is coming up with lots of new ways we can protect ourselves, and you can and should take advantage of them now.

The key to strong security is what experts call “multi-factor authentication,” security that confirms your identity by checking two or more different factors: a combination of something you know, something you have, and/or something you are. Things you know can include your password or PIN or the answer to a security question. Things you have can be a device, key card, microchip, or a USB or RSA security token (a small device that functions as a digital key). “Something you are” is generally confirmed through biometric technology such as fingerprint, voice, or facial recognition, retinal scanning, or your typing patterns, but it can also include other data, such as your location when logging in.

You already use two-factor authentication when you go to an ATM: you supply your bank card (something you have) along with your PIN (something you know). You’ve also probably used multi-factor authentication online. For example, when purchasing apps or music, the vendor recognizes your device and you supply a password or touch ID to confirm your transaction.

Stolen passwords cause problems for businesses as well as consumers, so many businesses—especially financial institutions—are moving to multi-factor authentication. You have likely experienced this when you log into an online account and must also input a code sent to your smartphone as an SMS message. Today this often requires users opt-in, so if you have the option, take it! It’s a lot safer than passwords alone, although it does require you to keep your devices safe from loss, theft, and accidental erasure.

Someday soon, multi-factor authentication may become a requirement and not a choice, and that also has privacy implications that we’ll talk about in a future article. (For example, many of us would think twice about having a microchip implanted.)

For now, until all your accounts offer multi-factor authentication, at least stick to these basics:

• Never reuse passwords across multiple sites.
• Get a password manager.
• For members of IDX use our Password Detective, located in your personal dashboard, to verify if your current or proposed password has been compromised on the Dark Web.
• And if you do find your email address or one of your passwords in a list of hacked data such as at haveIbeenpwned, change those passwords immediately (which will be easier if you have a password manager).

There’s no perfect solution to digital security, and even biometrics have their limitations, but the more barriers you can put in a criminal’s way, the more likely they are to give up and bother someone else.