Passwords are like pencils: They have been overtaken by superior technologies but have resisted all attempts to kill them off. They survive because they are portable and flexible in ways that more-advanced alternatives are not.
"Passwords are great," says Paul Kocher, president and chief scientist of San Franciscobased Cryptography Research, which provides sophisticated information security systems to banks, corporations and government agencies. "Except for security, passwords are pretty much ideal. For security, they are 99 percent broken."
Kocher notes that "a huge amount of work" has gone into developing better systems for authenticating individuals logging on to computing devices or online services. "The question is, will it succeed? There is nothing at large scale that seems likely to replace passwords."
Security experts have been warning for years about the vulnerability of passwords. We've been living in a world of 50-year-old technology," says Phillip Dunkelberger, a Silicon Valley veteran who is president and CEO of Nok Nok Labs, a two-year-old company selling stronger authentication approaches.
Together with Ponemon Institute, a research firm specializing in privacy and data protection issues, Palo Alto, Californiabased Nok Nok published a survey in April indicating consumers' openness to more-reliable technologies. When asked to name their preferred biometric methods for identity verification, more than 80 percent of nearly 2,000 "technology-literate" respondents in Germany, the U.S. and the U.K. listed voice recognition, followed by 70 percent for facial scans and 60 percent each for hand geometry and fingerprints.
Taking strong authentication mainstream will require not just mass acceptance but also an ecosystem of technologies, support services, corporate users and in some cases regulatory approval and that is beginning to take shape.
The need for something better is obvious given the epidemic of identity theft and headline news like the April 23 hack into the Associated Press's Twitter feed, which spread false reports of explosions in the White House. That event set off predictable calls for stronger verification for Twitter accounts, perhaps by adding a biometric method. Adding a fingerprint or other incontrovertibly unique identifier to a log-on name and password delivers so-called multifactor authentication and certainly a higher comfort level.
Such approaches are common in the corporate world. Bank employees sign in using one-time personal identification numbers generated by portable tokens like EMC Corp.'s SecurID products. Many of the 315,000 users of Bloomberg Professional terminals log on with fingerprints; the financial data network introduced biometric authentication in 2001.
Expanding from corporations to the mass market requires a leap in logistics and economics. Cryptography Research founder Kocher points out that a financial institution would find it reasonable to spend $50 per employee to implement higher-order authentication. But it would likely consider $50 per customer prohibitive, he says, although it might be cost-justified in certain "high-value relationships" to issue, say, a smart card with an embedded chip that better secures the password and can store other identity data.
On the technology front companies such as California-based Fortinet, Poland's Rublon and Sweden's Keypasco and Yubico are marketing two-factor security enhancements, if not a path completely away from passwords.
Nok Nok Labs' mission is to reduce or eliminate reliance on log-in names and passwords, using what it calls unified authentication infrastructure to accommodate any number of biometric and nonbiometric methods and manage the transition from legacy systems. Underlying the architecture is the online secure transaction protocol, which is open to other vendors. Dunkelberger, for one, believes collaboration will be necessary to change the old order. He is behind the Fast IDentity Online Alliance, formed last year to set device interoperability standards and address "the problems users face with creating and remembering multiple user names and passwords."
A U.S. government initiative, the National Strategy for Trusted Identities in Cyberspace, calls for public and private sector participation in an "identity ecosystem that improves on the use of passwords and user names."
"I do not know whether any of these groups or another entity will be successful in solving our authentication challenge," Federal Reserve Bank of Atlanta payments risk expert Douglas King blogged in April. "I know fraudsters are hoping their success isn't anytime soon."
Jeffrey Kutler is editor-in-chief of Risk Professional magazine, published by the Global Association of Risk Professionals.