Should the FTC Kill the Password? The Case for Better Authentication
14 Bloomberg BNA Privacy & Security Law Report 1353 (2015)
8 Pages Posted: 28 Jul 2015 Last revised: 15 Aug 2015
Date Written: July 27, 2015
Abstract
Data security breaches are occurring at an alarming frequency, and one of the main causes involves problems authenticating the identity of account holders. The most common approach to authentication is the use of passwords, but passwords are a severely flawed means of authentication. People are being asked to do a nearly impossible task – create unique, long, and complex passwords for each of the numerous accounts they hold, change them frequently, and remember them all. People do very poorly in following these practices, and even if they manage to do so, hackers and phishers can readily trick people into revealing their passwords.
There is widespread consensus about the problems with passwords. Better alternative authentication techniques exist, such as two factor authentication, yet organizations have been slow to move to these alternatives. In this essay we argue that in certain circumstances, the FTC should start requiring better methods of authentication than passwords alone. We explore the foundation in current FTC jurisprudence for such action, and suggest how the FTC should start making the push toward improved authentication.
Keywords: data security, cybersecurity, FTC, authentication, password, two factor authentication
Suggested Citation: Suggested Citation