One alternative is a picture-based password. Instead of remembering a word or digits, a user would click on a specific part of a large digital photo. Another idea is that a series of random numbers or letters appear and you enter the letters for your password based on a shape that you remember. While perhaps more difficult for random thieves to guess, some have warned that such graphical passwords might be more easy for a co-worker or other passers-by to spot.
Another suggestion has been to use unique personal traits, such as fingerprints, as a means of authentication. Although there are a handful of notebook, handheld and desktop computers that come with fingerprint readers, such biometric technology is not widespread enough to make it a standard method of verifying identity. Voice prints are another option, but until speech recognition improves in reliability, customer frustration could be high.
Still life in passwords
Despite all the criticism of passwords, not everyone thinks they are past their prime.
Richard Parry, who is responsible for assessing threats for consumer banking giant JP Morgan Chase, argued that too much attention is being given to Internet security fears in general and passwords in particular.
"It would be untrue to say (the password) is not still working for us in many applications," Parry said. "Whether it is sustainable is another question."
Parry pointed out in a panel discussion at the RSA show that in any 24-hour period, more money will be lost from burglary than from Internet fraud. "The sky isn't falling," he said.
That said, he noted that two-factor authentication is already in relatively high use in financial institutions for very wealthy and corporate customers, as well as for certain large transactions. JP Morgan Chase's own workers use RSA's tokens, for example. He did note that such measures probably don't make sense for the masses, where two-thirds of bank accounts contain less than $1,000.
In the background of the debate over passwords is the suggestion that if online banks don't tighten security, US regulators may force them to do so. In places like Singapore and Sweden, laws already require stronger means of authentication. And a December FDIC report says that the industry's reliance on passwords "offers an insufficient level of security" and suggests hardware tokens may be the way to go.
Parry is particularly concerned that well-intentioned regulation could have economic drawbacks for service providers.
"Some regulation is good, and regulators have every right and even an obligation to be concerned," he said. But "regulation as a blunt instrument could dramatically increase costs."
Talkback
What's all the dithering about, and whats all this talk of tokens. If companies or people are worried about carrying hardware then don't.
There is only one thing that will make it for a pwd replacement, that is biometrics plane and simple.
Home/Company desktop PC's already have scanners, mobile phones are soon to get them in the west. I will always have my finger with me, or eye etc... biometrics is so slap in the face obvious it gets on my nerves that banks don't do it already.
The banks may be reluctant to hand out hardware to make things more secure but I am also reluctant as a user. If I want to check my account online at work and at home I will need to carry these things around with me and they may get lost or damaged not to mention that I may have more than one online account.
Fingerprint scanners built into a mouse will work much better. If it becomes an industry standard then manufactures will make them cheaply and they will soon be everywhere.
Having worked in the IT industry for over twenty years I have seen quite a number of techniques for storing and retrieving data. The one lesson I have learned is that you never trust users to look after their own data. Sometimes even a password is a chore!
Eventually people will realise that the only way for people to 'reliably' access their data and associated facilities (ie credit, public and private access to premises etc) is by having a small chip implanted. That way they can't leave home without it. Don't have to remember card, don't have to remember password, don't have to remember keys, don't even have to remember who you are! With Chip readers everywhere and everyone carrying around their own KEY to the information and not the actual info itself. I'm amazed nobody has thought of it before.
Or maybe they have and are just waiting for the right opportunity to implement it?