
Opportunity Notes

By Rafe Needleman

LaunchKey resets the password

LaunchKey replaces the password with the smartphone. Users can log in, and out, of sites with a quick button press.

Login passwords are obsolete. The very idea that the keys to your most valuable assets must be a combination of unique, memorable, and unguessable is just cruel. But nobody knows what to replace passwords with. Or do they?

One company might have come up with the fix we’ve been waiting for: LaunchKey. The product is a smartphone app “key” that you use to access Web sites. It replaces site passwords completely.

With LaunchKey, when you want access to a protected Web site, you get a notification on your smartphone asking you to authorize the login. No smartphone, no access. To the user it looks like a password-free system: possession of a specific, enrolled phone is the key, not a string of characters they have (hopefully) memorized.

And since the login authorization is offloaded to a central system managed by smartphone, users get some other benefits too: They can, for example, see all the apps they are logged in to at any moment, and log out of all or some of them at once, with a press of a button. They can also restrict access to certain times (so no one can log in while they’re sleeping), or to locations (for example, a site that only works when the phone is in your office). All of this is controlled by mobile device.

Technically, since access to the LaunchKey app itself can be locked with a password or PIN, this is multi-factor authentication. Unlike Google Authenticator, though, the “something you have” proof is transmitted on the user’s behalf: he or she never has to type a fresh one-time code (in Google’s case, a six-digit number) at each use. The authorization is relayed and checked by the LaunchKey servers.
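The flow the last few paragraphs describe, written out as an added illustration. This is not LaunchKey’s code or protocol; it is a sketch of the pattern: the server pushes a one-time challenge to an enrolled phone, the phone answers with a proof computed under a secret that never leaves the device, and the server checks the proof, the nonce, the expiry and the user’s own policy (allowed hours, geofence) before issuing a session. Everything here, from the user and site names and the office coordinates to the use of an HMAC under a per-device secret, is an assumption made for the example.

```python
import hashlib, hmac, math, secrets, time
from collections import namedtuple
from typing import Optional

Challenge = namedtuple("Challenge", "nonce user site issued_at")   # what is pushed to the phone
Policy = namedtuple("Policy", "allowed_hours geofence", defaults=((0, 24), None))  # UTC [start, end); (lat, lon, radius_km)

def _mac(secret: bytes, ch: Challenge, decision: str, location) -> str:
    # Cover every field the server acts on, so none of them can be altered in transit.
    msg = "|".join([ch.nonce, ch.user, ch.site, repr(ch.issued_at), decision, repr(location)])
    return hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()

def _km(a, b) -> float:       # haversine distance between two (lat, lon) pairs
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

class Phone:                  # the enrolled device; the secret never leaves it
    def __init__(self, device_id: str, secret: bytes, location=None):
        self.device_id, self.secret, self.location = device_id, secret, location

    def respond(self, ch: Challenge, approve: bool = True) -> dict:
        decision = "approve" if approve else "deny"
        return {"device_id": self.device_id, "nonce": ch.nonce, "decision": decision,
                "location": self.location, "mac": _mac(self.secret, ch, decision, self.location)}

class AuthServer:
    CHALLENGE_TTL = 60.0      # seconds a pushed challenge stays answerable

    def __init__(self):
        self.devices, self.revoked = {}, set()   # device_id -> (user, secret); revoked ids
        self.policies, self.pending = {}, {}     # user -> Policy; nonce -> Challenge
        self.sessions = {}                       # user -> set of sites currently logged in

    def enroll(self, user: str, policy: Optional[Policy] = None):
        device_id, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self.devices[device_id] = (user, secret)
        self.policies[user] = policy or Policy()
        return device_id, secret              # provisioned to the phone once, at enrollment

    def revoke(self, device_id: str) -> None:
        self.revoked.add(device_id)           # what the user does when the phone goes missing

    def start_login(self, user: str, site: str, now: float) -> Challenge:
        ch = Challenge(secrets.token_hex(16), user, site, now)
        self.pending[ch.nonce] = ch
        return ch

    def complete(self, resp: dict, now: float):
        ch = self.pending.pop(resp["nonce"], None)   # pop, never get: one answer per challenge
        if ch is None:
            return False, "unknown or replayed nonce"
        if now - ch.issued_at > self.CHALLENGE_TTL:
            return False, "challenge expired"
        if resp["device_id"] in self.revoked or resp["device_id"] not in self.devices:
            return False, "device not enrolled or revoked"
        user, secret = self.devices[resp["device_id"]]
        if user != ch.user:
            return False, "device belongs to another user"
        if not hmac.compare_digest(_mac(secret, ch, resp["decision"], resp["location"]), resp["mac"]):
            return False, "bad signature"
        if resp["decision"] != "approve":
            return False, "user denied"
        pol, hour = self.policies[user], time.gmtime(now).tm_hour
        if not pol.allowed_hours[0] <= hour < pol.allowed_hours[1]:
            return False, "outside allowed hours"
        if pol.geofence and (resp["location"] is None or _km(resp["location"], pol.geofence[:2]) > pol.geofence[2]):
            return False, "outside geofence"
        self.sessions.setdefault(user, set()).add(ch.site)
        return True, "ok"

    def logout_all(self, user: str) -> int:      # "log out of everything" with one press
        return len(self.sessions.pop(user, set()))

def demo() -> dict:
    """Constructed walk-through: all identities, sites and coordinates are sample data."""
    day = 1699956800.0                            # 2023-11-14 10:13 UTC, inside office hours
    office = (36.1699, -115.1398)
    server = AuthServer()
    dev, secret = server.enroll("alice", Policy(allowed_hours=(8, 18), geofence=(*office, 1.0)))
    phone, r = Phone(dev, secret, office), {}
    ch = server.start_login("alice", "mail.example", day)
    r["approve"] = server.complete(phone.respond(ch), day)
    r["replay"] = server.complete(phone.respond(ch), day)              # same nonce again
    ch = server.start_login("alice", "bank.example", day)
    r["expired"] = server.complete(phone.respond(ch), day + 120)
    ch = server.start_login("alice", "bank.example", day + 12 * 3600)  # 22:13 UTC
    r["night"] = server.complete(phone.respond(ch), day + 12 * 3600)
    ch = server.start_login("alice", "bank.example", day)
    r["away"] = server.complete(Phone(dev, secret, (40.7128, -74.0060)).respond(ch), day)
    ch = server.start_login("alice", "bank.example", day)
    r["forged"] = server.complete(dict(phone.respond(ch), mac="00" * 32), day)  # no secret
    r["sessions"] = sorted(server.sessions.get("alice", ()))
    r["logged_out"] = server.logout_all("alice")
    server.revoke(dev)                                                  # phone reported stolen
    ch = server.start_login("alice", "mail.example", day)
    r["after_revoke"] = server.complete(phone.respond(ch), day)
    return r
```

Two design points worth noticing. Pending challenges are popped, not read, so a tampered or replayed answer burns the challenge instead of leaving it open for a second try. And because this sketch uses an HMAC, the server keeps a copy of every device secret, which is exactly the kind of credential table the column says site publishers get to stop keeping; a real deployment would put an asymmetric key on the phone and store only the public half server-side.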

Obviously, if you’re a LaunchKey user and your mobile gizmo is lost or stolen, you’ve got to quickly deauthorize it and set up another. It will be a pain, but at least most people will know pretty quickly when their phone goes missing. Passwords can be stolen without anyone knowing. (A version for mobile apps is forthcoming.)

Furthermore, since LaunchKey is only an authentication system, not a social network or some other kind of online service, you are not trading convenience for a new kind of privacy exposure. And Web site publishers that use LaunchKey don’t have to keep tables of user names and password hashes, which can be (and have been) stolen and cracked.

Of course, there has to be more to LaunchKey than just the concept. A new authentication system will have new vulnerabilities. The LaunchKey team has their work cut out for them to keep the system secure. If it gets any traction, it will become a big, fat target for hackers.

Even with genuinely better technology, the security and authentication market is especially difficult to tackle. Users squawk about password security, but they still re-use the same weak passwords on multiple sites. They don’t really want to do anything different; single sign-on services and delegated-login protocols like OAuth tend to freak users out, confuse them, or both. Users gravitate towards the comfortable, no matter how unsafe.

LaunchKey CEO Geoff Sanders says, though, that he’s cracked the usability problem. He says of LaunchKey, “Everybody gets it. It’s like having car keys in your pocket. And everyone hates passwords.”

But do people hate passwords enough to actually give them up?

LaunchKey should be available to Web site administrators in three or four months.

-Rafe

See also:
Kill the Password: Why a String of Characters Can’t Protect Us Anymore (Wired)
Who was hit by the RSA attackers? (Krebs on Security)




  • http://www.robodance.com/ roschler

    Speaking of car keys and the danger of losing your phone and needing to deactivate it, I’m still curious as to why none of these mobile security app companies have created something like the following. Create a wireless Bluetooth dongle that fits on your key-chain and is powered by one of those dime-sized lithium camera batteries. When the battery gets low, the dongle beeps. When you get LaunchKey installed on your phone, the first thing it does is lock itself to the unique code coming from the dongle via Bluetooth, by writing an encrypted token to the phone’s non-volatile memory *and* to a server that is used for double authentication to make hacking the phone much harder if stolen. Then, if your phone does not receive the signal from the key-chain dongle for more than a few minutes, it automatically deactivates your phone. An advanced service could be to notify you and potentially your critical service partners (banking, etc.) to suspend your account activities temporarily.
