"The devil's in the details here," Gentile said. Tokens have a place, he said, but that place is not the same in each business. "What's appropriate for one type of business and usage pattern may be very different from another."
There is also the issue of convenience. While RSA's tokens are small enough to fit on a keychain, they are also easily lost. People might be amenable to carrying one token. Less appealling to people is the prospect of needing one device to verify themselves to a bank, then another for their stockbroker, and ending up with a bunch of tokens.
A solution would be for online service providers to agree on a single product or standard. For now, it's unclear whether companies will come to an agreement on this. RSA, for its part, said it will try and work not only with its devices, but also with similar devices from others.
End of the line?
Some analysts do see the password fading as the primary means of authentication, particularly for online banking.
In a December report, Gartner estimated that by the end of 2007, 60 percent to 75 percent of US banks will use something stronger than a password, but stop short of giving out hardware tokens. Roughly 7 percent more will go as far as to hand out something like the RSA token, the research firm predicted.
Overseas, the overwhelming majority of banks will require something more than a simple password, with anywhere between one-third and one-half of banks requiring a hardware token, Gartner analysts said.
The bad news in Gartner study is that by the time many of these new systems become common, the thieves will have also moved on. By the end of 2007, half of today's stronger methods of authentication will no longer be strong enough to foil phishing or other online attacks, the report's authors said.
While technology providers have focused on hardware devices as a secondary means of identity authentication, research has come up with less costly replacements for the password.
Talkback
What's all the dithering about, and whats all this talk of tokens. If companies or people are worried about carrying hardware then don't.
There is only one thing that will make it for a pwd replacement, that is biometrics plane and simple.
Home/Company desktop PC's already have scanners, mobile phones are soon to get them in the west. I will always have my finger with me, or eye etc... biometrics is so slap in the face obvious it gets on my nerves that banks don't do it already.
The banks may be reluctant to hand out hardware to make things more secure but I am also reluctant as a user. If I want to check my account online at work and at home I will need to carry these things around with me and they may get lost or damaged not to mention that I may have more than one online account.
Fingerprint scanners built into a mouse will work much better. If it becomes an industry standard then manufactures will make them cheaply and they will soon be everywhere.
Having worked in the IT industry for over twenty years I have seen quite a number of techniques for storing and retrieving data. The one lesson I have learned is that you never trust users to look after their own data. Sometimes even a password is a chore!
Eventually people will realise that the only way for people to 'reliably' access their data and associated facilities (ie credit, public and private access to premises etc) is by having a small chip implanted. That way they can't leave home without it. Don't have to remember card, don't have to remember password, don't have to remember keys, don't even have to remember who you are! With Chip readers everywhere and everyone carrying around their own KEY to the information and not the actual info itself. I'm amazed nobody has thought of it before.
Or maybe they have and are just waiting for the right opportunity to implement it?