Paul Barrett | The traditional computer password: R.I.P.?
- By Paul Barrett
- Aug 16, 2006
Passwords have been around for a long time. Widely recognized as the weakest link in IT security, it's clear they are well past their sell-by date. However, in spite of urgent efforts by government agencies, corporate enterprises and financial institutions, practical alternatives have not been forthcoming. Virtually 100 percent of our network access today relies on a password or personal identification number as the primary means of user authentication.
Since absolute security is not possible, the aim is to reduce risk and fraud to more acceptable levels. Pressure to do so is coming from both users and regulators. For instance, late last year the Federal Financial Institutions Examination Council issued guidance to financial institutions. The guidance deemed password-only authentication 'inadequate ' for high-risk transactions involving access to customer information or the movement of funds to other parties.'
While financial institutions and other private and public entities have begun to move toward stronger authentication, too often these solutions do not adequately take the impact on users into account. Some enterprises are distributing electronic tokens or code-cards to customers, some are using cryptographic cookies to identify the users' computers and others are adding an additional 'knowledge factor' (such as a PIN or private personal information).
Tokens, smart cards and code-cards require users to carry around yet another valuable item that can be lost or stolen. And since most users deal with multiple online businesses and institutions, they will likely end up having to deal with multiple devices and cards. More important, these methodologies verify the item, not the user. They still rely on a password or PIN as the only means of authenticating the actual person.
Biometric solutions, such as fingerprints or iris scans, offer the promise of password replacement but are not practical for large-scale online use. They require the installation of hardware that tends to be costly and unreliable across large user populations. Furthermore, biometrics are not 'secrets' and are easy to duplicate once in digital form. And, unlike a password, you can't change your finger or eyeball once it is compromised.
Software authentication solutions require programs or cookies to be installed on a user's computer. The technology is not potable ' the user must re-register with the system every time they go to a new computer or when their cookie cache is cleared. This is simply not an acceptable alternative for most users today.
As strong authentication becomes a requirement for consumer applications, user reaction and support costs become critical issues. Quite simply, if the customers don't understand or don't like a supposed security solution, they will find a way to circumvent it.
The ideal strong authentication solution must balance the needs and requirements of end users with the need for effective security based on what is at risk. It must validate the actual user, not just a device or piece of software. It must be something that can't be guessed, copied or stolen. It must be resistant to phishing and capable of alerting a target institution if an attack is underway.
This is a tall order to fill. But alternatives to the traditional password that fulfill most of these requirements are available; and these can be combined with other background monitoring and risk-management technologies to provide a robust and user-friendly solution. The combination of federal action with increased criminality and risk has made it necessary to rethink online security at its most vulnerable point. It's time for everyone with a stake in the continued growth of online activity to do what it takes to make the transition to a new era of online security.Paul Barrett is CEO of Passfaces Corp., an information security technology company based in Annapolis, Md.