A second drawback of Fido is that it provides no easy means of revoking an authentication device that gets lost or stolen. A user would have to contact each site separately to cancel it, Upadhyay says, which would lead to the possibility of a hacker locking you out of your own accounts by impersonating you and revoking your device.
Creatures of habit
Perhaps the biggest criticism of Fido is that it still doesn’t achieve what PayPal's Michael Barrett says users really want: for websites like PayPal to take care of security for them. For this to happen, online services may have to employ behavioural analysis more frequently. This kind of security can help verify that a password is being typed by the appropriate person, explains Kevin Bailey, a security analyst at IDC. Such systems examine vast amounts of data about people to recognize them based on their usage habits.
Your location, the internet address of the computer you tend to connect from, and even the time of day that you normally sign in are all details that could be fed into an authentication analysis. Even your click stream—how quickly you type and how long you stay on different web pages—could become a telling detail about you. If any of these factors gave a website reason to doubt that you are who you claim to be, it could block you from doing anything sensitive, like withdrawing large amounts of money from a bank account.
Bailey predicts that this approach, which he calls persona-based authentication, will take off. "The angle you hold a mobile phone, the way you key things in, the tone you use when you speak—even the ear you put the phone to and the height of that ear above ground," could be used to add authenticating evidence, he says.
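As an added illustration (not from the article or from any vendor's product), the sketch below scores a sign-in against a user's past location, network, sign-in hours and typing cadence, then blocks only the sensitive action when the score is high. The weights, thresholds, field names and sample data are all hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from statistics import mean, pstdev

# Hypothetical weights and thresholds, chosen for illustration only.
WEIGHTS = {"country": 0.35, "network": 0.15, "hour": 0.15, "typing": 0.35}
BLOCK_AT = 0.5            # risk at or above this blocks sensitive actions
LARGE_WITHDRAWAL = 1000   # amount that makes a withdrawal "sensitive"

@dataclass
class Profile:            # baseline learned from the user's earlier sign-ins
    countries: set
    networks: set         # /24 networks previously seen
    hours: list           # usual sign-in hours, 0-23
    keystroke_ms: list    # mean inter-key interval of past sessions

@dataclass
class Login:
    country: str
    ip: str
    hour: int
    keystroke_ms: float

def hour_distance(a, b):
    """Distance between two hours on a 24-hour clock (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def risk_score(p, l):
    score = 0.0
    if l.country not in p.countries:
        score += WEIGHTS["country"]
    if ipaddress.ip_network(f"{l.ip}/24", strict=False) not in p.networks:
        score += WEIGHTS["network"]
    if min(hour_distance(l.hour, h) for h in p.hours) > 3:
        score += WEIGHTS["hour"]
    # Typing cadence: z-score against the user's history, capped at 3 sigma.
    sd = pstdev(p.keystroke_ms) or 1.0
    z = abs(l.keystroke_ms - mean(p.keystroke_ms)) / sd
    score += WEIGHTS["typing"] * min(z / 3, 1.0)
    return round(score, 2)

def decide(p, l, action, amount=0):
    sensitive = action == "withdraw" and amount >= LARGE_WITHDRAWAL
    return "block" if sensitive and risk_score(p, l) >= BLOCK_AT else "allow"

# Constructed sample data (documentation-range IP addresses).
PROFILE = Profile({"GB"}, {ipaddress.ip_network("192.0.2.0/24")},
                  [8, 9, 19, 20], [180, 190, 200, 210, 220])
USUAL = Login("GB", "192.0.2.44", 9, 205)
ODD = Login("BR", "203.0.113.9", 3, 90)
```

With this sample data the familiar sign-in can make a large withdrawal, while the unfamiliar one can still browse but is refused the withdrawal.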
Ultimately, authentication is a problem that is unique to computers. Humans generally have no difficulty recognising other people with whom they already have a relationship, which is why no one demands a password from their spouse or children before letting them in the house. It is also why researchers are unlikely to develop easy, reliable authentication systems for online services until computers can be programmed to learn like people, Bailey says. "Self-learning and artificial intelligence are the things that will allow computers to recognize individuals and authenticate them without them having to do anything," he concludes.
Before that day, if you want to log into your online accounts quickly and safely, you may be asked to pop a password pill.