Passwords continue to dominate the authentication landscape. In 2012, Bonneau et al. [1] analyzed a broad collection of web authentication schemes designed to replace passwords. They demonstrated that passwords have a unique combination of usability, security, and deployability that has proven difficult to supplant. For these reasons, we believe that it is important that research be done that enhances the security of password-based authentication as we wait for a scheme that can finally replace passwords.
We have several efforts centered around strengthening password-based authentication. First, we are researching how to improve the usability and security of password managers, tools that help users generate and manage unique passwords for each of their online accounts. Second, we are updating existing browsers and operating systems to provide first-class support for passwords, eliminating many possible attack vectors against passwords (e.g., malware, password database leaks). Third, we are exploring how to speed up the adoption of strong password protocols by client-side and server-side developers. These protocols allow users to prove knowledge of their passwords without actually revealing those passwords, helping prevent a range of attacks (e.g., phishing).
In addition to these efforts to enhance passwords, we are also researching password alternatives such as multi-factor authentication.
[1] Bonneau et al. 2012. The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. In Proceedings of the 33rd IEEE Symposium on Security and Privacy. IEEE.