Passwords simply will not die. No matter how often industry experts tell us that passwords are the single biggest problem with authentication systems, we seem to be addicted to them.
Perhaps it’s because every computer system and application we encounter expects us to use a username and password. No-one wants to spend the money to switch to two-factor authentication – the cost of the tokens and the administrative overhead is deemed too great.
Biometrics seemed like a good idea, but then Tsutomu Matsumoto proved that fingerprint readers are utterly fallible using his “Gummi Fingers” experiment (see Bruce Schneier’s article at http://www.schneier.com/crypto-gram-0205.html#5), and anyway there’s the cost issue again.
Some imaginative solutions like Passfaces (http://www.realuser.com/resources/science.htm) appear from time to time. Unfortunately, the inertia of the corporate “standard build”, the perceived cost of implementation, the anticipated admin costs and most of all the absence of any real understanding of the issues leads to a continuation of the password legacy.
I had hoped that the corporate enthusiasm for identity management would facilitate a sea change in authentication mechanisms, but no. In fact it appears to simply multiply the risk without enhancing the logon process at all.
So the future - maybe smart cards with simple and cheap smart card readers in every desktop and laptop? Perhaps USB tokens with a PIN number? Or perhaps the continuation of the password, enhanced (if anyone will listen) into a passphrase and assisted by password safe software …
This blog post is an excerpt of an opinion piece called “Identity Theft in The Corporate World” written by Peter Wood from First Base Technologies. You can find more about this security outfit at http://www.fbtechies.co.uk