Should the FTC Kill the Password? The Case for Better Authentication

Data security breaches are occurring at an alarming frequency, and one of the main causes involves problems authenticating the identity of account holders. The most common approach to authentication is the use of passwords, but passwords are a severely flawed means of authentication. People are being asked to do a nearly impossible task – create unique, long, and complex passwords for each of the numerous accounts they hold, change them frequently, and remember them all. People do very poorly in following these practices, and even if they manage to do so, hackers and phishers can readily trick people into revealing their passwords. 

There is widespread consensus about the problems with passwords. Better alternative authentication techniques exist, such as two factor authentication, yet organizations have been slow to move to these alternatives. In this essay we argue that in certain circumstances, the FTC should start requiring better methods of authentication than passwords alone. We explore the foundation in current FTC jurisprudence for such action, and suggest how the FTC should start making the push toward improved authentication.