For Web travelers seeking to lighten their load of usernames and passwords, help has generally been slow to arrive. Some relief for the forgetful has come in the form of functions — installed on popular operating systems — that serve to ease the mental burden of those surfing from a single computer.
“Microsoft and Apple both offer effective password wallets as part of their operating system architecture,” Gartner research director Ray Wagner told the E-Commerce Times. “They seem to be working very well.”
But carrying those passwords to other PCs and devices remains a big challenge for users. While corporate users generally have more options in this area — because of the wide array of products specifically designed for managing access to corporate networks — consumer choices have been more limited.
“Users already have their browsers’ remember-this-password features,” Forrester analyst Laura Koetzle told the E-Commerce Times. “Microsoft’s Passport attempted to tackle [the issue of password portability], but it hasn’t seen enormous uptake from consumers.”
Other proprietary products are designed to function like digital wallets, with various options for storing and retrieving data on the go. For example, Arizona-based Selznick Scientific Software sells a product called PasswordWallet, which lets Palm OS users synchronize passwords with those stored on their PCs.
PasswordWallet lets users encrypt their passwords with a 448-bit key — a strong level of encryption — and set up a single master password to access all others.
Wallets and Keys
Wallet services — like the one offered by Gator — have also been seeing increased demand as more users come online. Gator currently claims to have 8 million people using its free browser add-on, called eWallet. The software automatically fills out forms and login screens, and it can compare prices when users shop online.
Relief from password overload can also be found in hardware. According to Jon McCown, a security researcher at TruSecure Corporation, several companies are offering access devices that are small enough to be carried on a key chain.
These security keys are designed to contain passwords and other user data. The devices work like a bank ATM card. The user inserts the key into the computer’s universal serial bus (USB) port and then accesses files or Web sites once the computer recognizes the key’s clearance level.
“The key interacts with software installed on the computer that allows it to talk with your key,” McCown told the E-Commerce Times. The key system can be used at any computer with the recognition software installed.
Relief a Year Away
However, by and large, most of the technologies now in use are geared toward helping users store their login information on a single home or laptop computer. Those who need mobile services that let them automatically log in to their accounts from any location, without having to retrieve passwords from their home PCs, will likely have to wait another year.
Gartner’s Wagner said that portable password management should become available by the end of 2003. “By then, there might be a system in place where you can have automatic password entry on several sites, provided you have been verified at one other site that is affiliated with them,” he said.
One potential roadblock to portable password management is that the business and development communities have not yet agreed on technology standards to make passwords portable and secure.
Liberty vs. Microsoft
The central debate over the portable-password issue has been between Microsoft and the Liberty Alliance, a group of more than 60 business and consumer organizations — including firms like HP, Sun Microsystems, GM and American Express. The Liberty Alliance opposes any plans to centralize passwords and other personal data through a proprietary service like Microsoft’s Passport.
The Liberty Alliance recently introduced “open federated network identity specifications” to provide simplified logins through opt-in account linking, a technique that would let users link their login accounts to various identity-verification providers.
Once a user’s accounts are “federated,” that person would then be able to log in and authenticate at one linked account, then navigate to another linked account without having to log in again. And companies that link accounts would be able to communicate the type of authentication required for logging in.
Once a user logs out of the site where the initial login took place, the technology would automatically log the user off all other linked sites.
Responding to ongoing controversy over Passport, which is part of Microsoft’s overall .NET Web services strategy, Microsoft recently announced its own software for sharing information between corporate sites. Called TrustBridge, the software will let businesses share user identity information between applications.
The ultimate solution likely hinges on whether Microsoft and the Liberty Alliance can reconcile their differences.
Wagner said that a promising route to true password portability might be a technology called Security Assertion Markup Language (SAML), which is based on XML. With SAML, security information is expressed in the form of assertions about subjects that have an identity established within a given security domain, much like the new Liberty Alliance specification.
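The federated login, opt-in linking and linked logout described above, and the idea of a signed assertion about a subject, can be modeled in a few lines. This is an added illustration, not code from the Liberty Alliance specifications or SAML: the class names and example sites are hypothetical, and an HMAC over JSON with a shared key stands in for SAML's signed XML.

```python
import hashlib, hmac, json, secrets

class IdentityProvider:
    """Authenticates a user once, then issues signed assertions about that subject."""
    def __init__(self, name):
        self.name, self.key = name, secrets.token_bytes(32)  # key shared with linked sites (assumption)
        self.sessions, self.notified = {}, {}  # session id -> subject / sites given an assertion
    def login(self, subject):
        sid = secrets.token_hex(8)
        self.sessions[sid], self.notified[sid] = subject, []
        return sid
    def assertion_for(self, sid, sp):
        body = json.dumps({"issuer": self.name, "subject": self.sessions[sid],
                           "audience": sp.name, "session": sid, "authn": "password"},
                          sort_keys=True)
        self.notified[sid].append(sp)
        return body, hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
    def logout(self, sid):
        for sp in self.notified.pop(sid, []):  # logging out here ends every linked session
            sp.end_session(sid)
        self.sessions.pop(sid, None)

class ServiceProvider:
    def __init__(self, name, idp):
        self.name, self.idp = name, idp
        self.links, self.active = {}, {}  # opt-in links / live sessions
    def link(self, subject, local_account):
        self.links[subject] = local_account  # created only when the user opts in
    def accept(self, body, sig):
        expected = hmac.new(self.idp.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None  # assertion altered or not issued by the trusted provider
        claims = json.loads(body)
        if claims["audience"] != self.name or claims["subject"] not in self.links:
            return None  # issued for another site, or the user never linked this account
        self.active[claims["session"]] = self.links[claims["subject"]]
        return self.active[claims["session"]]
    def end_session(self, sid):
        self.active.pop(sid, None)

def demo():
    idp = IdentityProvider("idp.example")  # constructed sample sites
    airline, hotel = ServiceProvider("airline.example", idp), ServiceProvider("hotel.example", idp)
    airline.link("alice", "AL-1001")  # alice opted in at the airline only
    sid = idp.login("alice")
    body, sig = idp.assertion_for(sid, airline)
    linked = airline.accept(body, sig)  # signed in without a second password
    unlinked = hotel.accept(*idp.assertion_for(sid, hotel))  # no opt-in link
    wrong_site = hotel.accept(body, sig)  # assertion addressed to the airline
    altered = airline.accept(body.replace("alice", "mallory"), sig)
    idp.logout(sid)
    return linked, unlinked, wrong_site, altered, sid in airline.active
```

The audience and signature checks are what keep an assertion issued for one linked site from being accepted at another or edited in transit.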
In the meantime, in the absence of any agreement between the major password-management players, smaller vendors like Gator and Selznick will likely continue to improve their software with better encryption and additional features to help more users find their way out of the password-management jungle.