Should the FTC Kill the Password? The Case for Better Authentication

8 Pages Posted: 28 Jul 2015 Last revised: 10 Oct 2015

Daniel J. Solove

George Washington University Law School

Woodrow Hartzog

Samford University - Cumberland School of Law; Stanford Law School Center for Internet and Society

Date Written: July 27, 2015

Abstract

Data security breaches are occurring at an alarming frequency, and one of the main causes involves problems authenticating the identity of account holders. The most common approach to authentication is the use of passwords, but passwords are a severely flawed means of authentication. People are being asked to do a nearly impossible task – create unique, long, and complex passwords for each of the numerous accounts they hold, change them frequently, and remember them all. People do very poorly in following these practices, and even if they manage to do so, hackers and phishers can readily trick people into revealing their passwords.

There is widespread consensus about the problems with passwords. Better alternative authentication techniques exist, such as two factor authentication, yet organizations have been slow to move to these alternatives. In this essay we argue that in certain circumstances, the FTC should start requiring better methods of authentication than passwords alone. We explore the foundation in current FTC jurisprudence for such action, and suggest how the FTC should start making the push toward improved authentication.

Keywords: data security, cybersecurity, FTC, authentication, password, two factor authentication

Suggested Citation

Solove, Daniel J. and Hartzog, Woodrow, Should the FTC Kill the Password? The Case for Better Authentication (July 27, 2015). 14 Bloomberg BNA Privacy & Security Law Report 1353 (2015); GWU Law School Public Law Research Paper No. 2015-33; GWU Legal Studies Research Paper No. 2015-33. Available at SSRN: https://ssrn.com/abstract=2636366

Daniel J. Solove (Contact Author)

George Washington University Law School ( email )

2000 H Street, N.W.
Washington, DC 20052
United States
202-994-9514 (Phone)

HOME PAGE: http://danielsolove.com

Woodrow Hartzog

Samford University - Cumberland School of Law ( email )

800 Lakeshore Dr.
Birmingham, AL 35229
United States

HOME PAGE: http://cumberland.samford.edu/faculty/woodrow-n-hartzog

Stanford Law School Center for Internet and Society ( email )

Palo Alto, CA
United States

HOME PAGE: http://cyberlaw.stanford.edu/profile/woodrow-hartzog

Paper statistics

Downloads
415
Rank
55,781
Abstract Views
2,389