The End of Passwords
Mar 13, 2004 1:30 AM PT
At the recent RSA conference, user authentication was a strong theme, and Microsoft chairman Bill Gates hinted at the direction of future technology in this area, predicting the traditional password is headed for its demise.
In his speech, Gates noted that people will begin to rely less and less on passwords because they cannot secure data or systems in a reliable way. Any CIO who has walked past a row of desks knows Gates has a point: The number of Post-It notes affixed to computer monitors and emblazoned with passwords is alarming.
However, technologies like smart cards that offer a different path to user authentication have been slow to catch on in widespread fashion. With the refinement of these alternatives, that could change.
Are passwords finally on the way out?
The reason why password-based security needs to change is simple: People cannot be trusted. More specifically, computer users at companies are often given so many passwords for different systems and network accounts that they end up writing them all down. Such a document left in the open creates a security hazard.
Just as dangerous, users who are asked to set their own passwords often use the same password on different systems and then fail to change that password often. If a malice-minded individual were to discover just a single password, he would gain access to multiple systems.
"The way passwords are used is dangerous right now," confirmed Michael Wood, vice president of sales at Lavasoft, a firm that produces anti-spyware software. He told the E-Commerce Times that he often hears stories about individuals gaining control of a company network by using keylogging spyware, which records a user's keystrokes without his or her knowledge and then sends that info to whomever launched the spyware.
Many user authentication options were on display at the RSA conference, and one of the most discussed was SecurID technology, created by Microsoft and RSA specifically for Windows. SecurID uses authentication tokens in addition to a personal identification number (PIN). The tokens generate new passwords every 60 seconds that work in combination with a user's PIN.
Another Microsoft partnership also could prove interesting in terms of eliminating passwords: VeriSign recently announced an alliance with Microsoft to build authentication services based on the Windows Server 2003 product line.
Sun Microsystems, too, has jumped into the fray with an announcement that it will roll out an identity-management solution for Windows and other Microsoft environments. Based on technology acquired from Waveset Lighthouse, Sun's Identity Manager will enable centralized management of user identities across different applications.
Because so much of the corporate world uses Windows, widespread use of technology that removes vulnerabilities associated with passwords could mark a major change in network security.
Wood noted that many companies employ security strategies at the firewall or network level but often overlook dangers at the desktop level. Having a technology that addresses user behavior would be beneficial in the industry. "You can't follow employees around," he said. "It would be good to have technology that can do that for you."
Even with a variety of tools available, security always will come down to the needs of an individual company. As security increases, usability often decreases.
IT departments must make a decision about how much security is necessary, given that it may take users longer to learn more complex security procedures, leading to more tech-support calls.
Forrester principal analyst Michael Rasmussen told the E-Commerce Times that other changes also take place when security is increased, especially if newer, less familiar technologies are utilized.
"There can be a trade-off on speed for security, depending on your architecture," he said. "The decision on what to implement is going to come down to an IT department's preferences and needs."
Death to Passwords?
Most likely, blended techniques will gain favor in the coming year, especially as computing performance increases and legislation like the Health Insurance Portability and Accountability Act (HIPAA) makes IT departments more aware of security accountability issues.
Burt Kaliski, director of RSA Laboratories, told the E-Commerce Times that as computer performance doubles every 18 months, functionality leaps ahead of security, leading to encryption tweaking to counter the security loss.
Because of this, authentication options will have to be used alongside encryption to ensure system security. As Kaliski said: "Encryption by itself doesn't solve the problems that IT is facing. For that, you need a full solution that includes encryption."
IT departments may find that those full solutions include numerous security measures, such as smart cards, other biometric devices and additional hardware, that all work in a blended fashion.
Although the death of passwords has been greatly exaggerated, the range of technologies in the pipeline, coupled with the realization that security at the desktop level must be refined, could mean passwords will fade faster than ever before.