Last week, to commemorate World Password Day (yes, there really is such a thing), we ran my 2015 article called "Kill the password," my treatise on the myriad problems associated with passwords. Trusona, a company trying to transform identity, announced today that it is releasing support for passwordless entry on Salesforce.com. Hey, it's a start.
The trouble with the password, as we've long known, is that it puts the burden on the user to create a good one and then remember it. If the purpose of the password is to ensure only authorized users have access to a system, then as we've seen over and over with so many high-profile attacks, it's not really doing the job.
Trusona hopes to change that by making it easier to access applications and services in a secure way without having to enter anything. It's using Salesforce as a proof of concept, but it really could apply to any service, and you can expect them to layer on others over time.
You start by downloading the Trusona app on your iOS or Android smartphone and setting up your account. You confirm your identity in the app by entering a 6-digit PIN, or if the device allows, using your fingerprint. When you open the Salesforce application, instead of entering a username and password (or if you're like me, clicking the "Forgot Password" link), you click the Trusona button.
A QR code instantly appears on the screen. With the Trusona application open, you point your phone's camera at the screen and it takes a picture automatically. In my experience, it found the code without having to maneuver the camera at all. Trusona CEO and company founder Ori Eisen says they have designed the experience to pick up the code even from odd angles.
After the camera picks up the code, an "Accept" button appears in the Trusona application. You touch it, and you are logged into Salesforce.
If you're logging onto your application directly from a mobile device, Eisen said you simply touch the Trusona button and it deep links into the application and sends the "Accept" button to the Trusona application.
Eisen acknowledges that the QR code approach isn't ideal, but he says it's a starting point. "Assume the QR code is version one of mechanisms to not type your username or password," he said. They needed something machine readable and this was a starting point, but the company is working on a more dynamic approach that doesn't look like a QR code.
In addition, you can't try to game the system by using the same authorization a second time because the application anonymously records your phone's telemetry data (longitude, latitude, accelerometer setting and so forth), and since this is a unique set of information, it can never be repeated. If the system sees someone trying to authorize the app with those same settings, it will reject that user.
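The replay rejection described above can be sketched as follows. This is an added example, not Trusona's code: the field names, the keyed digest (so raw location is not stored) and the in-memory store are all assumptions made for illustration.

```python
import hashlib
import hmac
import json


class TelemetryReplayGuard:
    """Accepts each telemetry reading once; an exact repeat is treated as a replay."""

    def __init__(self, key: bytes):
        self._key = key      # server-side secret; only keyed digests are kept
        self._seen = set()   # a real service would use a shared, persistent store

    def _digest(self, telemetry: dict) -> str:
        # Canonical JSON so key order or spacing cannot disguise a repeat.
        canonical = json.dumps(telemetry, sort_keys=True, separators=(",", ":"))
        return hmac.new(self._key, canonical.encode(), hashlib.sha256).hexdigest()

    def accept(self, telemetry: dict) -> bool:
        digest = self._digest(telemetry)
        if digest in self._seen:
            return False     # same readings presented again: reject
        self._seen.add(digest)
        return True


def demo():
    # Constructed sample readings (hypothetical field names and values).
    guard = TelemetryReplayGuard(key=b"constructed-demo-key")
    first = {"latitude": 33.4484, "longitude": -112.0740,
             "accel": [0.02, -0.98, 0.11]}
    # Same values, different key order: still a replay.
    replay = {"accel": [0.02, -0.98, 0.11], "longitude": -112.0740,
              "latitude": 33.4484}
    # A new login from the same place with a different accelerometer reading.
    fresh = {"latitude": 33.4484, "longitude": -112.0740,
             "accel": [0.03, -0.97, 0.10]}
    return [guard.accept(t) for t in (first, replay, fresh)]


if __name__ == "__main__":
    print(demo())
```

An exact-match check like this only stops verbatim reuse of a captured authorization; it relies on the sensor readings carrying enough variation that two honest logins never collide.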
Trusona didn't actually work with Salesforce to create this solution. It took advantage of an open identity standard called SAML, but it is in discussions with Salesforce to add this solution to the AppExchange, Salesforce's app store.
Eisen told me that his goal with this technology is to make this year's the very last World Password Day because if technology like his company's becomes widespread, it could kill the password once and for all.