A trio of former Pomona College students are declaring war on the password, and they’re enlisting consumers to put pressure on technology companies to adopt a more secure log-in process.
Brennen Byrne, Mark Hudnall and Jesse Pollak through their start-up Clef launched Petition Against Passwords on Wednesday. Though it’s already being viewed as a toothless publicity stunt, industry experts said the initiative should help consumers start to come to grips with a future in which the password isn’t at the foundation of logging into websites.
Passwords can easily be cracked and they’re being stolen by hackers daily through email phishing attacks, computer viruses and snooping over shoulders.
Although some cybersecurity experts have called on people to create smarter passwords or use password managers, surveys have found low adoption of these techniques and tools. Clef and dozens of other companies and academics are developing new ways to sign in. Possibilities include apps, USB keys, brainwave scanners, pills, tattoos and fingerprint scanners.
Clef’s particular solution is a smartphone app that uses the device’s camera to match an animated bar code on the phone to one displayed on a computer screen. The crew developed the idea while studying passwords at Pomona.
Byrne and Hudnall just graduated with bachelor's degrees in computer science. Pollak left after his sophomore year to continue working on Clef. One of the company's advisors is Michelle Dennedy, the chief privacy officer at McAfee Security.
Byrne, the 21-year-old chief executive of the San Francisco start-up, said Clef was designed to make the process simple so that customers would understand it and feel safe with it. But now Clef and others who are rallying against passwords want these new ideas to reach consumers. Sites are more likely to move beyond passwords if customers demand it.
“The initiative is about helping getting these solutions onto more sites, to make something other than passwords the standard, even if it’s not our specific tool,” Byrne said. “Every site that implements Mozilla Persona, for instance, helps all of us.”
Persona allows a user to sign into websites using just an email address and a behind-the-scenes signal from a browser to a website that the email is verified.
Lloyd Hilaiel, Mozilla’s engineering director, said the service's goal is to quickly shrink the number of passwords. Long-term, Mozilla plans to support additional innovation.
"Petition Against Passwords offers an interesting vision of such innovation and we look forward to seeing how it develops,” Hilaiel said.
LaunchKey is another smartphone-based log-in service similar to Clef. It’s expected to start appearing on websites later this year. LaunchKey Chief Executive Geoff Sanders said he hoped the petition would draw in frustrated Internet users and send them off feeling much more optimistic.
“Part of the point of the petition is to catch everyone up on the solutions out there and what they can look like,” he said. “They're not only easy to use, but also more secure.”
Altimeter Group technology analyst Chris Silva said a new technology won’t become commonplace until something as inventive as the iPhone appears from a major tech company.
“The minute it looks complicated, users say I’m out,” he said. “Learning how to do something new is too painful.”
Major companies are indeed trying to come up with the iPhone-like solution. The Fast IDentity Online Alliance, or FIDO, plans to unveil technical specifications this year that enable a fingerprint scanner, a PIN and other technologies to verify a user’s identity. Google has said it plans to unveil a device using those specifications that, once stuck into a USB port, could be used to log users into websites. Google and PayPal are among the major companies backing the open, multi-device-compatible technology.
“If this problem is to be solved, it has to be solved by the entire industry working together,” said Ramesh Kesanupalli, chief alliances officer for Nok Nok Labs, a FIDO member that helps websites install new log-in measures.
The alliance hasn't endorsed the petition. Still, he said signing the petition would show technology providers that consumers want a solution. Groups such as FIDO bring additional pressure from within the industry.
“It’s good to have the push from both sides,” he said.
The Obama administration through the National Institute of Standards and Technology is also pushing for single sign-on systems for the Web, and Kesanupalli said the institute is reviewing FIDO’s work.
“There is no scarcity of solutions,” he said. “Many of them want you to carry a suitcase and stethoscope, and that’s just not going to be scalable. Consumers just want a natural solution.”