We solved the spam problem, now what about passwords?

As originally featured on stuff.co.nz on 10 May 2022

In 2004, Bill Gates was roundly mocked for his proclamation, to a select group of World Economic Forum participants, that “two years from now, spam will be solved”.

It was widely (and incorrectly) reported that Microsoft, which had a poor reputation for the security and reliability of its products at the time, was going to save us all from the dozens (or even hundreds) of spam messages we received every day.

The prospect seemed ridiculous, particularly given the sheer volume of spam messages most of us were drowning in at the time. Gates was made a laughing stock.

Gates’ prediction came to pass, however. It may have taken more than a couple of years, but the number of spam messages that actually reach our mailbox has plummeted since his prediction in Davos.

According to Statista, spam messages still make up some 40% of all email traffic, but the number of spam messages that actually reach us is almost none.

The spam “problem” that Gates referred to in 2004 was the massive amount of unsolicited email that filled our inboxes day in and day out: masses of low-quality, high-volume messages that crowded out the legitimate messages we actually cared about. This problem has now largely been solved. Even those of us with email addresses that are published widely see very little spam in 2022.

Anti-spam technologies are so effective that, in 2022, if someone tells you your message got “stuck in their spam filter”, they’re probably lying.

The problem wasn’t solved because of the heroics of Gates or Microsoft alone. It was solved through the application of a variety of technologies that make it much harder for spammers to reach us through our inboxes than it was 18 years ago.

Most spammers have given up and global spam volumes (as a percentage of all email traffic) have actually been dropping for several years.

This year at Davos, Gates would be excused for announcing that “two years from now, passwords will be solved”.

The password problem has been around since the dawn of the computer age. Fernando Corbato first presented the idea of passwords at MIT way back in 1960 and passwords have been stuck to monitors and written in notebooks since.

A recent study by NordPass found that the average person has to remember approximately 100 passwords for the various IT systems, apps and websites that they use every day. For IT professionals like yours truly that number can easily exceed 500.

It’s impossible to remember so many passwords, particularly as most sites implement password complexity rules (making passwords that much harder to remember). Most people resort to reusing the same passwords across multiple sites, which makes passwords less secure. (Pro tip - use a password manager and a different password for every site.)

Industry has tried to address the password problem by making it harder and harder to log in to things. Increasingly complex password requirements, captcha tests, two-factor authentication, biometrics and a variety of other techniques make it harder to log in to your favourite sites but they also make it harder for hackers to do so if your passwords are compromised.

But these are just workarounds that don’t solve the biggest problem - the existence of the password itself.

Enter the Fido (“fast identity online”) alliance, whose stated mission is to “help reduce the world’s over-reliance on passwords”. And not a moment too soon!

Comprising a who’s who of industry heavyweights (board-level members include Amazon, Google, Intel and Apple, to name a few), Fido is a truly industry-wide alliance that has been working since 2013 to develop authentication protocols to make logging in easier and, more importantly, more secure.

One of Fido’s most exciting developments is a set of standards that allow users to register and sign in to operating systems, websites and apps without ever having to enter a password.

For most of us, our phones will become our main authentication device. Unlocking your phone (using your PIN or biometric login) will typically be enough to authenticate you. No password required.

The process of registering and logging on is simpler, but inherently more secure, than when using a password. It also makes it impossible for hackers to steal your passwords through the use of phishing attacks, etc. Public key cryptography is used to make it all secure behind the scenes.
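A simplified model of the sign-in described above, added here as an illustration and not taken from the article or from the Fido specifications: the site stores only a public key, and the device signs a fresh challenge together with the web origin it is actually talking to. The origins, function names and JSON message are assumptions; real WebAuthn uses a different wire format.

```javascript
// Added example: simplified model of passwordless sign-in, not the WebAuthn wire format.
const crypto = require('node:crypto');

// Registration: the device makes a key pair for the site; the site keeps only the public key.
function register() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, server: { publicKey } };
}

// Server: a fresh random challenge for every sign-in attempt.
const newChallenge = () => crypto.randomBytes(32).toString('base64url');

// Device: sign the challenge together with the origin the browser is really on.
function deviceSign(device, challenge, browserOrigin) {
  const clientData = JSON.stringify({ challenge, origin: browserOrigin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Server: check the signature first, then challenge freshness, then the origin.
function serverVerify(server, expectedChallenge, expectedOrigin, assertion) {
  const valid = crypto.verify('sha256', Buffer.from(assertion.clientData),
                              server.publicKey, assertion.signature);
  if (!valid) return 'bad-signature';
  const data = JSON.parse(assertion.clientData);
  if (data.challenge !== expectedChallenge) return 'stale-challenge';
  if (data.origin !== expectedOrigin) return 'wrong-origin';
  return 'ok';
}

function demo() {
  const ORIGIN = 'https://bank.example';          // constructed sample origin
  const LOOKALIKE = 'https://bank-login.example'; // constructed look-alike origin
  const { device, server } = register();

  const c1 = newChallenge();
  const first = deviceSign(device, c1, ORIGIN);
  const genuine = serverVerify(server, c1, ORIGIN, first);

  // The user is on a look-alike page that forwards the real site's challenge.
  const c2 = newChallenge();
  const relayed = deviceSign(device, c2, LOOKALIKE);
  const phished = serverVerify(server, c2, ORIGIN, relayed);
  // Rewriting the origin afterwards invalidates the signature.
  const forged = { ...relayed, clientData: relayed.clientData.replace(LOOKALIKE, ORIGIN) };
  const tampered = serverVerify(server, c2, ORIGIN, forged);
  // An old, captured response does not match a new challenge.
  const replayed = serverVerify(server, newChallenge(), ORIGIN, first);
  return { genuine, phished, tampered, replayed };
}
```

Nothing the look-alike page sees is reusable: there is no shared secret to capture, and the signed response is tied to one challenge and one origin.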

On May 5, World Password Day, Apple, Google and Microsoft announced plans to implement Fido-compliant passwordless sign-in across all of their mobile, desktop and browser platforms by May 2023.

This is huge. As Microsoft’s Vasu Jakkal put it, you’ll be able to “sign in to an app or service on nearly any device, regardless of the platform or browser the device is running. For example, users can sign-in on a Google Chrome browser that’s running on Microsoft Windows–using a passkey on an Apple device.”

Between them Apple, Google and Microsoft control the vast majority of the operating systems and browsers that we use every day. Where they lead the rest of the industry will follow. Within a couple of years every operating system, browser, major web site or app is likely to support Fido-based passwordless authentication, meaning you won’t need separate passwords for any of them. Two years from now the password problem may, finally, be solved.
