As online scams get more sophisticated, passwords are becoming hopelessly outmoded -- as passé as floppy disks.
Yet many businesses and nearly all consumers still rely on passwords as the primary means of verifying who they say they are.
At last week's RSA security conference, Microsoft Chairman Bill Gates sounded once again his well-worn call for an end to passwords, while on the show floor, companies touted gadgets to help verify identity.
There's plenty of technology that could augment or replace the password, from smart cards to password-generating tokens to mobile phone-based systems. They have yet to catch on. One hurdle is that it can be inconvenient to have to keep a piece of hardware handy. But the real problem, analysts said, is that neither businesses nor consumers appear ready to pay for them.
"Every bank I talk to doesn't want to hand out tokens," Gartner analyst Avivah Litan said. "They're too expensive."
The cost of such a service is not insignificant. For instance, companies that have signed up for RSA Security's corporate hardware tokens pay on average $35 to $40 per employee as part of an annual service deal. However, a consumer service could cost a bank or other online service provider far less, if they hand out hundreds of thousands or millions of the gadgets.
Passwords are seen by many experts as a weak link in the security chain. A well-circulated research paper from 1979 noted that a significant share of passwords could be easily guessed in less than 5 minutes -- and that was when punch cards were popular.
Web shops, online banks and other companies doing business on the Internet recommend that customers choose a password that is easy for them to remember but hard for someone else to guess. The reality is that the converse is usually true. Few of us can remember all of our passwords, and yet the bad guys, armed with sophisticated software, can crack most passwords in a matter of minutes.
RSA's SecurID token, which generates a one-time password (OTP) every few seconds, is only one of the hardware products on the market that aim to bolster security for consumers. Credit card-size smart cards slot into a reader and can be part of two-factor authentication. In this system, two ID elements -- the smart card and a PIN, for example -- are used to restrict or monitor access. A USB token works like a smart card, but plugs directly into a PC, instead of into a special reader. Another system sends one-time passwords via text message to a customer's registered mobile phone.
Talkback
What's all the dithering about, and whats all this talk of tokens. If companies or people are worried about carrying hardware then don't.
There is only one thing that will make it for a pwd replacement, that is biometrics plane and simple.
Home/Company desktop PC's already have scanners, mobile phones are soon to get them in the west. I will always have my finger with me, or eye etc... biometrics is so slap in the face obvious it gets on my nerves that banks don't do it already.
The banks may be reluctant to hand out hardware to make things more secure but I am also reluctant as a user. If I want to check my account online at work and at home I will need to carry these things around with me and they may get lost or damaged not to mention that I may have more than one online account.
Fingerprint scanners built into a mouse will work much better. If it becomes an industry standard then manufactures will make them cheaply and they will soon be everywhere.
Having worked in the IT industry for over twenty years I have seen quite a number of techniques for storing and retrieving data. The one lesson I have learned is that you never trust users to look after their own data. Sometimes even a password is a chore!
Eventually people will realise that the only way for people to 'reliably' access their data and associated facilities (ie credit, public and private access to premises etc) is by having a small chip implanted. That way they can't leave home without it. Don't have to remember card, don't have to remember password, don't have to remember keys, don't even have to remember who you are! With Chip readers everywhere and everyone carrying around their own KEY to the information and not the actual info itself. I'm amazed nobody has thought of it before.
Or maybe they have and are just waiting for the right opportunity to implement it?