Question
It is safe to assume that the majority of users accessing the internet also possess mobile phones. So can we take advantage of this and relieve users of remembering any passwords?
Instead of registering users on the website, the site can register their mobile phones. The mobile phone number is already being used by Gmail as an optional second authentication factor.
Could any such schemes be designed and implemented in which users always log in using one-time passwords and do not have to remember any passwords for any of the websites? If the mobile phone is lost, then all accounts are compromised. To counter that, the mobile phone will have 1 master password or a biometric password. Apart from saving users the burden of complying with the different password policy of every site, such schemes will also prevent offline attacks, as there are no passwords stored on the server.
Can such cost-effective schemes or protocols be designed so that users do not have to remember any passwords at all?
Explanation / Answer
Devices like YubiKey have been trying to accomplish this. The underlying problem is that it is a single factor, and if lost, exposes a major risk to the user.
Matching with biometrics is also a promising field, but the technology isn't ready yet. Anything you measure for biometrics can change over time because a body changes over time. There was a prototype bracelet that measured your heartbeat patterns and adjusted its metrics to the subtle changes to your heart over time. It was promising, but still a prototype.
Killing the password has been a goal for a very, very long time. We need to keep the discussion going.
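One way the scheme asked about could work, as an added example that is not part of the original question or answer: a Lamport-style hash chain, where the phone keeps a random seed and the site stores only the last accepted value, so a stolen site database yields nothing that logs in. The names `Phone` and `Site`, the chain length and the resynchronization window are assumptions made for this sketch; unlocking the seed with a master password or biometric is left out.

```python
import hashlib
import hmac
import secrets


def chain(seed: bytes, n: int) -> bytes:
    """Apply SHA-256 to the seed n times."""
    value = seed
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value


class Phone:
    """Hypothetical client: holds the only secret, a random 256-bit seed."""

    def __init__(self, length: int = 1000):
        self.seed = secrets.token_bytes(32)
        self.remaining = length

    def enrollment_value(self) -> bytes:
        # Sent to the site once at registration; it is not itself a usable OTP.
        return chain(self.seed, self.remaining)

    def next_otp(self) -> bytes:
        if self.remaining == 0:
            raise RuntimeError("chain exhausted, re-enroll the phone")
        self.remaining -= 1
        return chain(self.seed, self.remaining)


class Site:
    """Hypothetical server: stores one verifier per user, no password or seed."""

    def __init__(self):
        self.verifier = {}

    def register(self, user: str, value: bytes) -> None:
        self.verifier[user] = value

    def login(self, user: str, otp: bytes, window: int = 3) -> bool:
        stored = self.verifier.get(user)
        value = otp
        # Hash forward up to `window` steps so an OTP that was generated
        # but never delivered does not lock the phone out of sync.
        for _ in range(window if stored is not None else 0):
            value = hashlib.sha256(value).digest()
            if hmac.compare_digest(value, stored):
                self.verifier[user] = otp  # accepted OTP becomes next verifier
                return True
        return False
```

The chain is finite, so the phone has to re-enroll before it runs out, and losing the phone still means losing the single factor, which is the risk the answer above points out.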