Last week, to commemorate World Password Day — yes, there really is such a thing — we ran my 2015 article called Kill the password, my treatise on the myriad problems associated with passwords. Trusona, a company trying to transform identity, announced today that it is releasing support for passwordless entry on Salesforce.com. Hey, it’s a start.
The trouble with the password, as we've long known, is that it puts the burden on the user to create a good one and then remember it. If the purpose of the password is to ensure that only authorized users have access to a system, then, as so many high-profile breaches have shown, it is not doing that job.
Trusona hopes to change that by letting you reach applications and services securely without typing anything at all. It is using Salesforce as a proof of concept, but the same approach could apply to any service, and you can expect the company to add others over time.
You start by downloading the Trusona app on your iOS or Android smartphone and setting up your account. You prove your identity to the app with a six-digit PIN or, where the device supports it, a fingerprint. When you open the Salesforce application, instead of entering a username and password (or, if you're like me, clicking the Forgot Password link), you click the Trusona button.
A QR code instantly appears on the screen. With the Trusona application open, you point your phone’s camera at the screen and it takes a picture automatically. In my experience, it found the code without having to maneuver the camera at all. Trusona CEO and company founder Ori Eisen says they have designed the experience to pick up the code even from odd angles.
After the camera picks up the code, an Accept button appears in the Trusona application. You touch it, and you are logged into Salesforce.
If you're logging in directly from a mobile device, Eisen said, you simply touch the Trusona button; it deep-links into the Trusona app, which presents the Accept button there.
Eisen acknowledges that the QR code approach isn’t ideal, but he says it’s a starting point. “Assume the QR code is version one of mechanisms to not type your username or password,” he said. They needed something machine readable and this was a starting point, but the company is working on a more dynamic approach that doesn’t look like a QR code.
You also can't game the system by reusing an authorization. At the moment of approval the app anonymously records the phone's telemetry (longitude, latitude, accelerometer readings and so on), and because that combination of readings is treated as unique, the same authorization is never accepted twice. If the system sees someone trying to authorize with the same set of readings, it rejects that attempt.
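To make the flow above concrete, here is a toy model of a QR-code login approved from a phone, covering both the scan-and-Accept sequence and the refusal to honour the same approval twice. This is an added example, not Trusona's code, and it assumes things the article does not state: the QR code carries a random single-use challenge tied to the browser session that requested it; the phone holds a per-device secret set up at enrollment and returns an HMAC over the challenge when the user taps Accept; and the server refuses any approval it has already honoured, which stands in for the telemetry-based replay check described above. The names (`Server`, `Phone`, `run_demo`, the `salesforce-demo` service label, the 120-second lifetime) are all hypothetical.

```python
"""Toy model of a QR-code login approved from a phone.

Added example, not Trusona's code. Assumptions (not stated in the article):
the QR payload holds a random single-use challenge bound to the requesting
browser session; the phone has a per-device secret from enrollment and answers
with an HMAC over the challenge when the user taps Accept; the server refuses
any approval it has already honoured (the replay guard).
"""
import hashlib
import hmac
import json
import secrets
import time

CHALLENGE_TTL = 120  # seconds a displayed QR code stays valid (assumed value)


class Server:
    """The relying party: shows the QR code, verifies the phone's approval."""

    def __init__(self):
        self.devices = {}   # device_id -> secret registered at enrollment
        self.pending = {}   # challenge -> (browser_session, expires_at)
        self.used = set()   # challenges already redeemed: the replay guard
        self.sessions = {}  # browser_session -> device_id once logged in

    def enroll(self, device_id, secret):
        self.devices[device_id] = secret

    def start_login(self, browser_session, now=None):
        """Browser clicked the passwordless button; return the QR payload."""
        now = time.time() if now is None else now
        challenge = secrets.token_urlsafe(32)
        self.pending[challenge] = (browser_session, now + CHALLENGE_TTL)
        return json.dumps({"service": "salesforce-demo", "challenge": challenge})

    def complete_login(self, approval, now=None):
        """Phone tapped Accept; decide whether the browser session is logged in."""
        now = time.time() if now is None else now
        challenge = approval["challenge"]
        if challenge in self.used:
            return "rejected: replayed approval"
        if challenge not in self.pending:
            return "rejected: unknown challenge"
        browser_session, expires_at = self.pending[challenge]
        if now > expires_at:
            del self.pending[challenge]
            return "rejected: expired challenge"
        secret = self.devices.get(approval["device_id"])
        if secret is None:
            return "rejected: unknown device"
        expected = hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, approval["mac"]):
            return "rejected: bad approval"
        self.used.add(challenge)  # one approval, one login
        del self.pending[challenge]
        self.sessions[browser_session] = approval["device_id"]
        return "ok"


class Phone:
    """The enrolled phone app: scans the code, signs the challenge on Accept."""

    def __init__(self, device_id, secret):
        self.device_id = device_id
        self.secret = secret

    def scan_and_accept(self, qr_payload):
        challenge = json.loads(qr_payload)["challenge"]
        mac = hmac.new(self.secret, challenge.encode(), hashlib.sha256).hexdigest()
        return {"device_id": self.device_id, "challenge": challenge, "mac": mac}


def run_demo():
    """Walk through a login, a replay of the same approval, a forged approval
    for a fresh code, and an expired code. Returns the verdicts plus the
    device that ended up logged into browser-A."""
    server = Server()
    secret = secrets.token_bytes(32)  # constructed enrollment secret
    server.enroll("ori-phone", secret)
    phone = Phone("ori-phone", secret)

    qr = server.start_login("browser-A", now=1000.0)
    approval = phone.scan_and_accept(qr)
    first = server.complete_login(approval, now=1005.0)
    replay = server.complete_login(approval, now=1006.0)  # same approval again

    qr2 = server.start_login("browser-B", now=1010.0)  # attacker lacks the secret
    forged = {"device_id": "ori-phone",
              "challenge": json.loads(qr2)["challenge"], "mac": "00" * 32}
    forged_verdict = server.complete_login(forged, now=1011.0)

    qr3 = server.start_login("browser-C", now=1020.0)  # code left on screen too long
    late = phone.scan_and_accept(qr3)
    expired = server.complete_login(late, now=1150.0)

    return first, replay, forged_verdict, expired, server.sessions.get("browser-A")


if __name__ == "__main__":
    print(run_demo())
```

Two design points worth noticing. The QR code itself carries nothing about the user, only a random challenge, so what actually proves identity is the phone's answer, and the browser session gets logged in only because the server remembered which session asked for that challenge. The replay guard here is simply server-side memory of redeemed challenges; in this toy the phone also has no way to tell whose browser displayed the code, so a real deployment would need to show the user something about the requesting session before they tap Accept.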
Trusona didn't actually work with Salesforce to build this. It relies on SAML, the open federation standard Salesforce already supports for single sign-on, so Trusona can act as the identity provider without Salesforce's involvement; the company is, however, in discussions with Salesforce to add the integration to the AppExchange, Salesforce's app store.
Eisen told me that his goal with this technology is to make this year the very last World Password Day — because if technology like his company’s becomes widespread, it could kill the password once and for all.