Mark Dixon has an excellent point in this post on why we still use passwords:
It was ease of use, not a technology-driven obsession with safety, that led to wide adoption of the seat belt.
I think we face the same thing with passwords. Intellectually, it is simple to understand why we should get rid of passwords. However, in practice, widespread adoption will be triggered more by ease of use than perception of safety. When an easier method for authentication emerges, people will adopt it – not because it is safer, but because it is easier. If that easier method is also more secure, voila! We will have achieved our desired result.
While I agree with Mark’s point, there is an important distinction that is not getting made in this discussion, the difference between personal and professional accounts. And this distinction goes right to the heart of Mark’s argument.
For personal accounts (for example your Facebook, Yahoo, LinkedIn, or Twitter account) ease of use is the single biggest driver. People will not, in general, use another authentication technique that isn’t as easy as passwords. Actually it has to be easier than passwords by an order of magnitude or it won’t displace the incumbent technology. It also has to be understandable to the average user so they believe that it really is secure (one could argue this is really just another aspect of ease of use). Try explaining client certificate authentication to your grandmother if you don’t believe me.
Also, the sensitivity of the account really makes little difference. Most users won’t treat their on-line banking account any different than their Facebook account. Bank of America offers a SecureID option for their on-line banking. That should be a no-brainer right? I don’t have any numbers but I would be shocked if they were getting anywhere north of %1 adoption of SecureID by their customers.
For professional accounts (your PC, enterprise resources, or hosted service account) ease of use is not the primary driver, cost is. Cost is understood by most enterprises to mean the monetary cost of your credential plus the measurable cost to support you using it. I used the word “measurable” for a reason. Most companies don’t care how hard it is for you to understand and use a specific authentication mechanism if you are a salaried employee. That cost is hidden to them. On the other hand the cost to the company for you to call the help desk if you have an authentication problem is measurable and tracked along with the cost to issue new credentials when needed.
For both personal and professional accounts, passwords rule the roost because they are easy to use, cheap to deploy, cheap to support, and easy to understand.
But if an authentication mechanism becomes popular that is cheap to deploy and support, it may have a chance to displace passwords for professional accounts.