SK Babu

@babulous

How about a post-password era?

Security systems should stress out data thieves, not data owners.

A few days ago, I got locked out of my Apple ID while trying to login via my old iPhone. Now I know security is essential because of the dangers of a hacker accessing my ID and stealing my info, including my credit card numbers. But if the security designed to keep out hackers also stops me from accessing my ID, maybe we need to think about alternate solutions.

All I was trying to do on that old iPhone was download an app that I had previously purchased. So I entered my 22-character Apple ID, followed by my 11-character password. That’s when things began to go farcical. It started with the following message.

So I checked my ‘other device’, which would be my Mac. Sure enough, there was a popup saying my Apple ID was being used on a new device, and asking me if I wished to allow it. I clicked ‘Allow’, at which point a new window popped up with a code, and an instruction to type in my password followed by the code into the password field on my new device.

This was a new one! It seems the code had to be appended to my password, in effect creating a new password. Or did they mean something else? I had an uneasy foreboding this was going to end badly. What about that space between the two numbers, and should I do the same while keying it in?
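The flow described above, where a one-time code is typed into the password field directly after the password, is a real pattern (older two-step verification schemes used it for apps that had no separate code prompt). To show what the receiving end has to do with such a combined field, here is an added example of a server-side verifier; it is not Apple’s code and makes no claim about Apple’s parameters. It assumes six-digit RFC 6238 time-based codes with 30-second steps and one step of clock drift, tolerates the space the code is displayed with (the very thing the author was unsure about), evaluates the password and the code unconditionally so that timing does not reveal which one failed, and reports only a generic result to the client while keeping the specific reason for the server log. The salt, secret and password are constructed for the demo.

```python
import hashlib
import hmac
import re
import struct
import time
from typing import Optional, Tuple

# Assumed parameters for this example (not a vendor's actual settings):
# six-digit codes, 30-second time steps, one step of drift accepted.
CODE_DIGITS = 6
TIME_STEP = 30
DRIFT_STEPS = 1

# The code is shown to the user as "123 456"; accept it with or without the
# space. Lazy match on the password means the LAST six digits are the code,
# even when the password itself ends in digits.
_FIELD_RE = re.compile(r"^(?P<pw>.*?)\s*(?P<code>\d(?:\s?\d){%d})$" % (CODE_DIGITS - 1))


def hotp(secret: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current time step."""
    return hotp(secret, unix_time // step)


def split_password_and_code(field: str) -> Optional[Tuple[str, str]]:
    """Split 'password<code>' into (password, code); None if no trailing code."""
    m = _FIELD_RE.match(field)
    if not m:
        return None
    return m.group("pw"), re.sub(r"\s", "", m.group("code"))


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the stored credential is (salt, hash), never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_login(field: str, salt: bytes, pw_hash: bytes,
                 totp_secret: bytes, now: int) -> Tuple[bool, str]:
    """Return (accepted, reason). Send only `accepted` to the client; log `reason`."""
    parts = split_password_and_code(field)
    if parts is None:
        return False, "no trailing code"
    password, code = parts
    # Check both factors unconditionally so the response time does not say
    # which one was wrong; the client only ever sees pass/fail.
    pw_ok = hmac.compare_digest(hash_password(password, salt), pw_hash)
    code_ok = False
    for drift in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        expected = hotp(totp_secret, now // TIME_STEP + drift)
        code_ok = hmac.compare_digest(code, expected) or code_ok
    if pw_ok and code_ok:
        return True, "ok"
    if not pw_ok:
        return False, "password mismatch"
    return False, "code mismatch or expired"


if __name__ == "__main__":
    # Constructed demo credentials; the secret is the RFC 4226 test key.
    salt = b"constructed-salt"
    secret = b"12345678901234567890"
    stored = hash_password("hunter2", salt)
    now = int(time.time())
    shown = totp(secret, now)
    display = shown[:3] + " " + shown[3:]          # how a device would show it
    for attempt in ("hunter2" + shown, "hunter2 " + display, "hunter2000000"):
        accepted, reason = verify_login(attempt, salt, stored, secret, now)
        print(f"{attempt!r:24} -> client sees {'OK' if accepted else 'ID or password incorrect'}; log: {reason}")
```

The regex is the part worth studying: because the code is fixed-length and the match is anchored at the end, a password that ends in digits is still split correctly, and a stray space before or inside the code is harmless. The generic client message is deliberate; it is the same "Apple ID or password was incorrect" experience the author hit, which is good for keeping attackers in the dark but is exactly why the server-side log needs the real reason.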

With no answers, trial and error was the only way forward. So I again typed in the 33 characters of the user ID and password without the space. It didn’t work. Then I tried without the space. But all I got was a message saying my Apple ID or password was incorrect.

Well, I’m human and maybe I erred. So I fired up my password app, 1Password, double-checked my Apple ID and password, then carefully re-entered all 33 characters again. No luck. What next?

Maybe I could try signing out and signing in with the same Apple ID on my current phone to check if ID and password were right. I went ahead, signed out, and signed back in on my iPhone 6S. By this time, I was getting tired of repeatedly typing in the 33 characters. Thankfully, Keychain filled in my Apple ID, and I just had to key in the 11 letter password.

The iPhone 6S logged me in successfully. This meant the problem wasn’t my Apple User ID or password, but the code being appended to my password. I went back to the iPhone 4 and tried again, keying in all 33 characters yet again. It still wouldn’t log in.

There’s another angle to it. I’m a peck-and-type guy. So keying in those 33 characters repeatedly is a laborious affair, what with the caps, special characters and numbers that passwords these days insist upon. All that typing becomes tedious after a while. What adds insult to injury is that the only reason I’m doing this painful exercise is because a silly security system is goofing up big time.

I took a break and tried again after a few hours. This time, the message said that too many verification codes had been sent, and I should try later. It seemed like Apple was under the impression I was trying to steal my own ID. And the way things were going, this story was unlikely to have a happy ending.

I tried googling the issue. But no one else seemed to have the problem, or more likely had not yet started complaining about it. I just would have to be patient, and keep checking till a solution popped up.

Fortunately, this transaction wasn’t critical, and I worked around it by using another Apple ID to download an ad-supported version of the paid app that I was trying to download.

But what if the password failure had happened during a crucial transaction? Like, say being unable to access my payment apps when I had to urgently book the last available flight ticket. That would have meant a cancelled trip and a ton of money gone down the drain. This is a disaster waiting to happen.

It’s not just Apple ID that was giving me password hell. I have had similar bad experiences with many other apps and websites. In fact, I had a password glitch during that Dubai trip with my Uber app. It wouldn’t work with my Indian SIM in Dubai. So I used a local SIM for Uber during my stay there. As soon as I landed back in the airport in India, I tried to link my Uber app back to my Indian SIM so I could book a ride. But Uber wasn’t having any of it, refused to accept that I was indeed who I claimed to be, and kept shooting off email verification mails to me. After a long trip with a kid, I didn’t have the patience for this rubbish. Luckily, Ola, Uber’s competitor in India, was working fine, and I was able to book a ride home.

Point to note. I haven’t used Uber since and have stuck with Ola. Unnecessarily complex security can backfire on companies, not just customers.

Anyway, it’s obvious the existing system of passwords is a disaster for all concerned. I have innumerable user IDs and passwords for different apps and sites. Managing them without a password manager is impossible. But even a password manager may not help, as some sites and apps are paranoid and periodically force me to change my password. Sometimes they want me to put special characters and capitals in the password.

As for captchas, I think they are being designed by robots for robots. Look at this example I dug off the net. I’m not sure if I’m correctly reading what half those captchas are trying to say.

So is there a solution?

Ironically, it’s the much-maligned airport security systems that are showing us the way forward.

I had recently visited Dubai, and there is usually a long and tiresome queue at the airport’s passport control counter. But on this visit, the Arab official unexpectedly waved me to a different counter. A couple of moments later, I was staring at a tiny camera at the counter which scanned my eye. Once it verified my identity, the electronic gates magically opened. The whole process was over in five minutes, as compared to the usual queue which often lasts for an hour or more. As I collected my luggage, I couldn’t help wondering why our phones can’t verify my identity this way, though every one of them has a built-in camera. Why can’t the phone unlock with a quick scan of my eye? Ditto for signing in to Apple ID or Uber or any other app that requires verification. Yes, I know there are phones already doing this. But why is the industry not focussed on this essential tech, fixing its drawbacks and taking it mainstream asap?

I think it may be because there is a danger that if a hacker cracks the eye scan technology, he can cause a worldwide financial meltdown. So maybe it’s too much of a risk to put all security eggs in one eye scan basket. I’m sure the experts can find workarounds for that if they were serious about it.

I could be wrong, but to my amateur eyes, banking and similar high-risk apps could go with two-factor verification. The usual second factor of an OTP (one-time password) being sent to a phone or email may not work, because if the hacker has cracked the eye scan, he can access my email. Possibly my phone too, if he has stolen it. In fact, if he has my data, he can even have a duplicate SIM issued for my phone.

So, oddly enough, the second factor would have to go back to passwords. Like an intricate memorised password that has to be used along with the eye scan. I can live with having to memorise a few intricate passwords. But not with having to keep track of hundreds of passwords, as is happening right now. And I definitely don’t like being locked out of my account because some complicated security system believes I’m trying to steal my own ID!

Moving on, I was reading the rumours about the next iPhone. And one of them said that Apple is thinking of doing away with Touch ID altogether. This may indicate that Apple might be going whole hog into identity verification by eye scans. Now that is one Apple rumour that I fervently hope will come true.

Wait a minute!

Knowing Apple, I’m sure that if they work out a new security system involving eye scans, it will require a new technology that will only work on the fancy new camera of their latest iPhone.

Which means I have the choice of hanging onto my iPhone 6s+ and being marooned in a quagmire of passwords. Or ponying up $1000+ for the latest iPhone, and becoming a privileged member of a new post-password era.

All this is guesswork, but it sounds exactly like something Apple would do.

I don’t know whether to laugh or cry.
