Should the FTC Kill the Password? The Case for Better Authentication

Publication Type: 
Academic Writing
Publication Date: 
July 27, 2015

Daniel J. Solove 

George Washington University Law School

Woodrow Hartzog 

Samford University - Cumberland School of Law; Stanford Law School Center for Internet and Society

July 27, 2015

14 Bloomberg BNA Privacy & Security Law Report 1353 (2015) 

GWU Law School Public Law Research Paper No. 2015-33 

GWU Legal Studies Research Paper No. 2015-33


Data security breaches are occurring at an alarming frequency, and one of the main causes involves problems authenticating the identity of account holders. The most common approach to authentication is the use of passwords, but passwords are a severely flawed means of authentication. People are being asked to do a nearly impossible task – create unique, long, and complex passwords for each of the numerous accounts they hold, change them frequently, and remember them all. People do very poorly in following these practices, and even if they manage to do so, hackers and phishers can readily trick people into revealing their passwords. 

There is widespread consensus about the problems with passwords. Better alternative authentication techniques exist, such as two factor authentication, yet organizations have been slow to move to these alternatives. In this essay we argue that in certain circumstances, the FTC should start requiring better methods of authentication than passwords alone. We explore the foundation in current FTC jurisprudence for such action, and suggest how the FTC should start making the push toward improved authentication.