Forget Your Passwords

Contributors: Lisa Gryschuk


Have you ever forgotten a password? Maybe it’s time to finally forget our passwords for good…


It happened again, for what feels like the 10th time this week, and it’s only Tuesday. I got the ever-frequent and super frustrating message: Either the password or the login you provided is incorrect. Thinking that surely I must have made a slight keystroke error in my rush to log in, I re-enter my login and password a little more slowly and with more precision. But no, it doesn’t work and the annoying message appears again: Either the password or the login you provided is incorrect. Now my heart starts to race and my palms start to sweat as I realize that I’ve forgotten my login/password!! I have fallen victim to… PASSWORD FATIGUE!!!


According to Wikipedia, the free encyclopedia, password fatigue is defined as follows:

Password fatigue is the feeling experienced by many people who are required to remember an excessive number of passwords as part of their daily routine, such as to logon to a computer at work, undo a bicycle lock or conduct banking from an automated teller machine (ATM). The concept is also known as password chaos or more broadly as identity chaos. [1]

Password fatigue may be caused by memory interference, a phenomenon that occurs in learning when new material clashes with already learned behaviour or memories. Statistics indicate that, on average, a person now has to remember 19 passwords.[2] I currently have 58 logins and passwords registered in my password management software. I can’t even imagine what would happen if I ever forgot the user ID or password to my password management software; I’d probably self-combust.


Because of ever-increasing password fatigue, studies have shown that users are becoming lax in their management of passwords: it is becoming more common for passwords to be reused, written down, built from family members’ or pets’ names, and chosen to be easy rather than complex. While passwords are commonly used as the primary security control, it appears that reducing our reliance on passwords is the approach we should be taking, and we should be focusing on improving authentication technology.


In an ideal world, barring any technological blocks, are there any solutions that come to mind for eliminating passwords? Wouldn’t it be nice if the devices we needed access to could somehow identify us just by our mere presence? From the end-user standpoint, this would definitely be the best possible user experience (UX), wouldn’t it? What could be simpler than standing next to your computer, tablet or even car, and having it unlock (assuming, of course, that it wouldn’t unlock for anybody else)? One can easily imagine the types of challenges that this idea poses. Nevertheless, while this ideal UX is not quite readily available, it may not be so far off either.


For some time, research has been conducted to find ways to eliminate passwords, and there was a real leap forward in 2012 with the creation of the FIDO Alliance. FIDO stands for Fast IDentity Online and is supported under the alliance by the likes of Google, PayPal and various other biometric and hardware device vendors. The goal of the FIDO Alliance is to produce protocols that can be used to ensure several factors of authentication, increasing security while at the same time improving the user’s experience. In 2014, the Alliance produced the Universal Authentication Framework (UAF)[3] and the Universal Second Factor (U2F)[4] standards. Many brands have since joined the FIDO family, proposing a wide variety of authentication devices and solutions based on the UAF and U2F standards.


The FIDO approach relies on two entities: a device client, which authenticates the user and issues an encrypted certificate, and a FIDO server, which validates the issued key. On the server side, it is up to the various service providers to implement their own solution that conforms to the standards, but judging from the FIDO certification growth shown below, the trend towards greater and greater adoption is accelerating:



Source: http://www.slideshare.net/FIDOAlliance/fido-certification


The list of certified providers currently includes Google, RSA, LG, Sony, Fujitsu, Lenovo and many others. While we continue to get closer to the ideal passwordless nirvana, almost all the FIDO devices that currently exist do rely on some kind of user interaction (scanning a fingerprint or a retina, taking a selfie, pressing a button, entering a code or PIN, etc.). I am, therefore, excited to see the delivery of a cool product by a fellow Canadian company, Nymi™, that does not require user interaction.


Nymi has developed a FIDO-compliant personal device, the ‘Nymi band’, that reads the wearer’s heartbeat and uses it to authenticate the user. Nymi has indicated that a person’s electrocardiogram (ECG) is unique, and the Nymi band, a stylish bracelet, is essentially an ECG reader. HeartID™ is Nymi’s own technology that uses the wearer’s ECG and transforms it into a secure credential that can be used to unlock almost anything.


The Nymi band uses Bluetooth and NFC radio to communicate with the device that needs to be unlocked. The interaction between the band and the device can be a FIDO U2F transaction. Although the Nymi band supports FIDO’s U2F, Nymi’s exposed API can also be leveraged to interact directly with the band. This opens up the gate to authentication paradise, as indeed, with a Nymi band, a user’s mere presence is sufficient to unlock the enabled devices they try to gain access to. Drum roll, sound the horns!!
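To make the two-entity FIDO model concrete (the client device that proves the user is present, and the server that checks the proof), here is an added, simplified U2F-style challenge-response in Go. It is not Nymi’s or the FIDO Alliance’s code: the app ID and challenge values are constructed samples, and the signed input is reduced to app ID, counter and challenge, omitting details such as key handles and the user-presence byte.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)

type (
	// Authenticator is the client device (the wearable): a per-service private key and a use counter.
	Authenticator struct{ key *ecdsa.PrivateKey; counter uint32 }
	// RelyingParty is the FIDO server: it stores only the public key and the last accepted counter.
	RelyingParty struct{ appID string; pub *ecdsa.PublicKey; counter uint32 }
)

// Register generates a fresh P-256 key pair on the device for one app ID and enrols the public half.
func Register(appID string) (*Authenticator, *RelyingParty, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{key: key}, &RelyingParty{appID: appID, pub: &key.PublicKey}, nil
}

// digest binds a signature to app ID, counter and challenge (simplified from the real U2F signing input).
func digest(appID string, counter uint32, challenge []byte) []byte {
	app, ch, ctr := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge), make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, counter)
	d := sha256.Sum256(append(append(app[:], ctr...), ch[:]...))
	return d[:]
}

// Authenticate is the device side: bump the counter and sign the server's challenge.
func (a *Authenticator) Authenticate(appID string, challenge []byte) (uint32, []byte, error) {
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, digest(appID, a.counter, challenge))
	return a.counter, sig, err
}

// Verify is the server side: the counter must increase (a stale value signals a replay or a
// cloned device) and the signature must verify under the enrolled public key for this app ID.
func (rp *RelyingParty) Verify(challenge []byte, counter uint32, sig []byte) bool {
	ok := counter > rp.counter && ecdsa.VerifyASN1(rp.pub, digest(rp.appID, counter, challenge), sig)
	if ok {
		rp.counter = counter
	}
	return ok
}
```

Note that the server never stores a secret it could leak in a breach: the private key stays on the device, and a replayed assertion or one signed for a different app ID is rejected.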


Nymi’s initial focus will be on enterprise solutions, especially in the financial and banking sector, with the announcement of interesting proofs of concept at some Canadian banks. I hope to see consumer-facing solutions emerging in the next year or so. This opens up a lot of interesting possibilities from an implementation standpoint too, possibilities I am quite excited about!


I am hopeful that, with more advances in technology like Nymi, password fatigue will soon be a thing of the past!


  1. Password fatigue. (2016, May 8). In Wikipedia, The Free Encyclopedia. Retrieved 13:10, August 12, 2016, from https://en.wikipedia.org/w/index.php?title=Password_fatigue&oldid=719164024
  2. Munsen, L. “Average Person Has 19 Passwords – but 1 in 3 Don’t Make Them Strong Enough.” Naked Security, 17 Oct. 2014. Retrieved 9 Sept. 2016, from https://nakedsecurity.sophos.com/2014/10/17/average-person-has-19-passwords-but-1-in-3-dont-make-them-strong-enough/
  3. “FIDO Alliance » Specifications Overview.” 2015. Retrieved 9 Sept. 2016, from https://fidoalliance.org/specifications/overview/
  4. “FIDO Alliance » Specifications Overview.” 2015. Retrieved 9 Sept. 2016, from https://fidoalliance.org/specifications/overview/