Should passwords die in a fire?

Michael Daniel, the US Cyber Security Czar, thinks so. His replacement solution? Selfies (the pictures people take of themselves). While the notion of killing the password is shared by many, suggestions -- even those not as laughable as selfies -- have a tendency to fall short.

Now Twitter suggests they need to do away with passwords because they won't work for people in developing countries. Their suggestion? Use your phone number and a service they developed to have a code sent to your phone. It's what we used to call a one-time password. Except in this case, what do we know about the wireless network(s) over which the password is delivered? Do you trust them?

Seems a lot of solutions targeting the demise of the password end up relying on… passwords. Sure, they wrap complexity around them, or they add factors (see below). What these attempts reveal is clear: passwords aren't the problem. The friction, agony, and disdain are just symptoms.

The real challenge? The ability to clearly define the problem we're trying to solve.

Building on the basics of authentication

The basics of authentication draw on a few key concepts:

- Identity proofing: the methods used, and the confidence held, in associating the identity of a person with an account, device, or other construct
- Factors of authentication, classically explained as:
  - something you know (like a password)
  - something you have (like a token)
  - something you are (biometrics)
- Level of assurance: the strength of the identity proofing that is required. Typically, the higher the assurance level, the more factors of authentication are required

Sometimes people conflate identity with authentication. Allowing for some confusion, we have an increasing need for more assurance/confidence in the authentication.

By focusing on the password, here's what we miss

The password, itself, is but a part of a larger system. That means the desire to bolster, abandon, or replace passwords needs to address three critical elements (read more here). As a system, authentication has at least three parts:

- Design and implementation
- Operation and maintenance
- Individual usage

Most of the outrage over passwords is hyper-focused on individual usage. As such, the more critical components of the solution are largely ignored. And that creates opportunity for attackers.

While some high-profile attacks are suggested (or confirmed) to take advantage of single compromised user accounts, the broader trend is attacks on password stores and exploits that take advantage of weaknesses in system design.

In the blind rush to end the password, it is essential to keep focus on the expected outcome and the necessary parts of the solution design.

Defining the problem we need to solve

The first step in designing a better authentication system is forgetting about passwords. It also means setting aside dreams of selfies and other headline-grabbing methods. Instead, go back to the basics and focus on functional outcomes to define the problem before advancing a solution.

Advancing a solution without first defining the problem erodes value and increases risk (read more here).

Complaints about passwords suggest the problem we need to solve is authentication: the need to design, implement, and offer methods for authentication that are easy to use, hard to break, and provide the appropriate level of assurance.

The high-level criteria for a solution include:

- Easy to use
- Easy to implement
- Strong/easy to protect
- Allows for the appropriate confidence in identity proofing
- Allows for the desired level of assurance

The criteria are both subjective and variable. Designing a solution that allows that sort of flexibility requires more time to clearly define and explain each of the requirements in a way that is easily understood.

What other criteria would you add? Share in the comments or engage with me on Twitter (@catalyst).

Developing a better solution

When people write about using existing networks to handle authentication -- in the name of convenience and ending the password -- we have to evaluate the entire solution design, then compare it against known and anticipated problems.

A good way to get started? Use a concept central to many practices -- put people in the center. Learn how they work, then design and build solutions that address their needs. We never really did that with passwords, or with the real reason for passwords: authentication.

Advancing the discussion

For nearly two decades of my security career, people have routinely called for the demise of the humble password. If we're going to end the password -- which I'd support -- then the answer isn't as simple as two-factor (which typically still uses a password) or biometrics (too many questions to ask, too many left unanswered). Admittedly, Apple's Touch ID seems to be paving a potential pathway for biometrics, and it merits more scrutiny.

In the meantime, if we stop bashing the password, start discussing the problem, define requirements, and share our knowledge and experience, our children might actually experience a different, better, and more usable solution to the challenge of authentication.