Last year Microsoft Research posted a great paper on passwords in an attempt to answer the question, “After 40 years of security research, why is the password still dominant?” Surprisingly, most security people haven’t read it. Not hard to guess why—it’s a dense 15-page academic paper titled “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes.” We’ve decided to post a summary of the paper, with some of our own thoughts, for the betterment of security for all.
The goal of the researchers was to provide a framework for evaluating alternative authentication methods like multi-factor authentication, biometrics, and federated SSO. Some of the options they reviewed are wildly impractical for most customer-facing web applications (e.g., paper-based one-time passwords), but overall the framework is very useful. After 40 years of security research, passwords still doggedly persist as the de facto standard for application authentication. Why? Because while there are more secure alternatives, like multi-factor authentication, nothing comes close to passwords when you account for usability and ease of deployment.