Submitted by Rachel Gardner on Mon, 18/05/2026 - 13:37
Passwords are irritating to manage and can be a weak link in security. Yet they still play a key role in protecting our online identities. Now, research explaining why we're still using them and why they're so difficult to replace has won a prestigious award... 14 years after it was first published.
The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes was originally presented at the 2012 Symposium on Security and Privacy run by the IEEE, the world's largest technical professional organisation.
The research explored whether there were better tools that were more secure and easier to use and deploy than passwords. But after examining more than 30 proposed replacements, and judging them against the benefits an ideal scheme might provide, the authors' conclusion was a resounding 'no'.
At the 2026 Symposium that is taking place today (18 May 2026), the paper was honoured with an IEEE Test of Time Award in recognition of the lasting impact it has had in the field of security and privacy.
"Not only does no known [password replacement] scheme come close to providing all desired benefits," the authors said in the paper, "none even retains the full set of benefits that legacy passwords already provide."
The paper has now accumulated over 1700 citations on Google Scholar. And its central argument – that most proposed password replacements fail not because they are insecure, but because they ignore real-world constraints around usability and deployability – has been validated by evidence.
"Not only does no known scheme come close to providing all desired benefits, none even retains the full set of benefits that legacy passwords already provide."
Authors Joseph Bonneau, Cormac Herley, Paul C. van Oorschot and Frank Stajano
The authors were Joseph Bonneau (then a PhD student here and now an associate professor at New York University), Cormac Herley (principal researcher at Microsoft Research), Paul C. van Oorschot (professor at Carleton University and a pioneer in graphical password schemes), and Frank Stajano (then a senior lecturer, and now professor of security and privacy, here).
In search of a password replacement system
The paper grew out of an earlier project by Frank Stajano. In 2011, he'd designed Pico, a password replacement system intended to provide better usability and security. It was based on per-account public-key pairs managed by a trusted personal device, a design that anticipated the passkey systems that are now finally gaining acceptance in the marketplace.
As part of his design process, Stajano developed a set of 25 desirable properties for any password replacement system. These included being memoryless, so that users shouldn't have to memorise any secrets, and theft-resistant, so that if a token is stolen, the thief cannot impersonate the user. But when Stajano was writing his paper on it – Pico: no more passwords! – and considering related work, he realised the task really called for a full-length survey. So he assembled a team to do just that.
Together, the four authors refined and formalised the list of desirable properties for password replacement systems, and also decided early on that deployability should be just as important a concern as security and usability. Having done this, they applied their list of important properties to 35 schemes they had chosen from the literature to represent all the mainstream approaches to user authentication. These ranged from tokens to biometrics to single-sign-on systems.
Over the following months, through deliberate analysis and weekly debates, they populated their long table of results – and came to a startling conclusion. None of the schemes they'd examined came close to offering all 25 desirable benefits. None even matched the full set of benefits that ordinary passwords already provided.
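The procedure described above (fix a list of desirable properties, rate each scheme against every property, then compare each scheme with the passwords it is meant to replace) can be modelled in a few lines. The Python below is an added illustration written for this page, not code from the paper or its authors. Only "memoryless" and "theft-resistant" are property names taken from the article; the other property names are assumed, and every rating in it is a constructed value for illustration, not the paper's own assessment of any scheme.

```python
"""Toy model of a comparative-evaluation framework for authentication schemes.

All ratings are CONSTRUCTED for illustration; they are not the paper's ratings.
Property names other than "memoryless" and "theft-resistant" are ASSUMED labels.
"""
from enum import Enum


class Rating(Enum):
    """Three-valued rating: a scheme offers, partly offers, or lacks a benefit."""
    OFFERS = 2
    QUASI = 1
    NONE = 0


# Property -> category (U = usability, D = deployability, S = security).
PROPERTIES = {
    "memoryless": "U",                # user need not memorise any secret
    "nothing-to-carry": "U",
    "server-compatible": "D",         # works with unmodified existing back ends
    "browser-compatible": "D",
    "negligible-cost-per-user": "D",
    "theft-resistant": "S",           # stolen artefact does not let thief log in
    "resilient-to-guessing": "S",
    "resilient-to-phishing": "S",
}

# Constructed ratings (hypothetical, for illustration only).
SCHEMES = {
    "passwords": {
        "memoryless": Rating.NONE, "nothing-to-carry": Rating.OFFERS,
        "server-compatible": Rating.OFFERS, "browser-compatible": Rating.OFFERS,
        "negligible-cost-per-user": Rating.OFFERS, "theft-resistant": Rating.OFFERS,
        "resilient-to-guessing": Rating.NONE, "resilient-to-phishing": Rating.NONE,
    },
    "hardware token": {
        "memoryless": Rating.OFFERS, "nothing-to-carry": Rating.NONE,
        "server-compatible": Rating.NONE, "browser-compatible": Rating.QUASI,
        "negligible-cost-per-user": Rating.NONE, "theft-resistant": Rating.QUASI,
        "resilient-to-guessing": Rating.OFFERS, "resilient-to-phishing": Rating.OFFERS,
    },
    "biometric": {
        "memoryless": Rating.OFFERS, "nothing-to-carry": Rating.OFFERS,
        "server-compatible": Rating.NONE, "browser-compatible": Rating.NONE,
        "negligible-cost-per-user": Rating.NONE, "theft-resistant": Rating.NONE,
        "resilient-to-guessing": Rating.OFFERS, "resilient-to-phishing": Rating.NONE,
    },
}


def benefits(scheme, include_quasi=False):
    """Set of properties the scheme provides (optionally counting partial ones)."""
    ok = {Rating.OFFERS, Rating.QUASI} if include_quasi else {Rating.OFFERS}
    return {p for p, r in SCHEMES[scheme].items() if r in ok}


def lost_vs_baseline(scheme, baseline="passwords", include_quasi=False):
    """Benefits the baseline offers that the candidate scheme gives up."""
    return benefits(baseline, include_quasi) - benefits(scheme, include_quasi)


def gained_vs_baseline(scheme, baseline="passwords", include_quasi=False):
    """Benefits the candidate scheme adds over the baseline."""
    return benefits(scheme, include_quasi) - benefits(baseline, include_quasi)


def retains_all_baseline_benefits(scheme, baseline="passwords"):
    """The paper's key test: does the scheme keep everything passwords offer?"""
    return not lost_vs_baseline(scheme, baseline)


def lost_by_category(scheme, baseline="passwords"):
    """Group the lost benefits by U/D/S to see where the trade-offs fall."""
    out = {"U": [], "D": [], "S": []}
    for p in sorted(lost_vs_baseline(scheme, baseline)):
        out[PROPERTIES[p]].append(p)
    return out


def compare_all(baseline="passwords"):
    """Full comparison table: scheme -> (retains_all, lost, gained)."""
    return {
        name: (retains_all_baseline_benefits(name, baseline),
               sorted(lost_vs_baseline(name, baseline)),
               sorted(gained_vs_baseline(name, baseline)))
        for name in SCHEMES
    }


if __name__ == "__main__":
    for name, (keeps, lost, gained) in compare_all().items():
        print(f"{name:15s} retains all password benefits: {keeps}")
        print(f"{'':15s} loses : {lost}")
        print(f"{'':15s} gains : {gained}")
```

The point the model makes visible is the one the authors reached: a scheme can beat passwords on every security property and still fail the test, because the comparison is against the whole set of benefits, and deployability losses count as much as security gains. Swapping in real ratings for real schemes is left to the reader; the constructed values here only exercise the mechanics.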
Where do replacement schemes go wrong?
The paper identified precisely where each proposed replacement made trade-offs, and why schemes that looked good on paper had consistently failed to gain adoption. That analysis has held up. Fourteen years on, passwords are far from dead, and specific friction points identified by the paper (such as deployment cost, compatibility with existing infrastructure, and users' resistance to carrying dedicated hardware) are still the obstacles that password alternatives must overcome.
Part of the paper's lasting influence is practical rather than predictive: the framework proved sufficiently useful and informative that many subsequent papers proposing alternatives to passwords spontaneously adopted it to rate their own systems, making it a de facto standard for the field.
Further reading
- An extended version, with full analysis of all 35 schemes, is available here.
- There is a follow-up paper by the same research team here: Passwords and the evolution of imperfect authentication.
