While doing research for a recent cover story on single sign-on technology, many industry experts spoke to me about the dangers of "sticky-note identity management," where insurance employees have so many passwords to access so many different systems that they keep track of each user name and password by plastering sticky notes all across their workspaces, compromising IT security in the process.
I was reminded of those discussions earlier this week when I read a story on the New York Times web site entitled "Goodbye, Passwords. You Aren't a Good Defense." The article appears below a photo illustration of a computer screen covered in password-reminder sticky notes.

While the idea of sticky-note identity management is hardly a novel concept, the theme of the Times article was pretty out-there. It suggested that it was time to abandon password-based log-on procedures altogether in favor of an authentication model that relies upon cryptographic "handshakes" between computers.
From the article:
As users, we would replace passwords with so-called information cards, icons on our screen that we select with a click to log on to a Web site. The click starts a handshake between machines that relies on hard-to-crack cryptographic code. The necessary software for creating information cards is on only about 20 percent of PCs, though that's up from 10 percent a year ago. Windows Vista machines are equipped by default, but Windows XP, Mac and Linux machines require downloads.
The article does recognize that any such change is a long, long way off, but even so, I have to wonder whether eventually moving toward an "information card" verification system is even a practical endeavor. Certainly, the password paradigm has its weaknesses, but at least it allows users to access their various online accounts from any location. I'm no IT security expert, but it seems to me that this information card system would limit log-ons to specific computers.
With personal identification tied in to specific machines, how would a user access his or her online accounts from, say, a library or an internet café? Could I jump online quickly and access my accounts if I was staying with a friend out of town?
For all the problems that password-based verification may present, portability is not one of them. Say what you will about single sign-on projects or OpenID initiatives (and the NYTimes article says plenty), but until a new verification security process comes along that users can take with them from machine to machine, passwords will remain the log-on method of choice.
My favorite part of the article actually wasn't written by anyone associated with the New York Times at all, but by a commenter, who summed things up quite nicely:
From the comments section:
We would all join hands and cheer if that was really the entire universe of computer usage. But it sort of misses the point, which is that a computer doesn't ultimately own a bank account, an Amazon shopping cart, or anything else. A PERSON does, and we want to authenticate the person. Inasmuch as the person and the computer are one, it works. But what happens when I have two computers at home? Better, what happens when I have two computers at home and two at work? I'd like to be able to log into my bank account from where I am in case an urgent situation arises.
There are only two obvious ways to pull off a scheme without passwords, and that's to assign a certificate to the computer or a certificate to the person (unless the boys at Microsoft have really come up with something different). If I assign the certificate to the computer, then I have to have a way of registering every new computer I want to use, however temporarily, to access my data. How will you register them? Don't you dare say "with a password."
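The "handshake between machines" the article alludes to, and the commenter's point that a certificate assigned to a computer forces you to register every new computer, can both be seen in a few dozen lines. The following Go program is an added example, not code from the Times article, the commenter, or any actual information-card product: each machine holds a private key that never leaves it, the server keeps only public keys per (user, device) pair, and a log-on is a signed random challenge. The type and function names (`Server`, `Device`, `Register`, `Login`) and the "alice" / "home-pc" / "library-pc" values are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

var (
	ErrUnknownDevice = errors.New("device not registered for this user")
	ErrBadChallenge  = errors.New("challenge missing, stale or already used")
	ErrBadSignature  = errors.New("signature does not verify")
)

// Device models one computer holding a private key that never leaves it.
type Device struct {
	ID   string
	priv ed25519.PrivateKey
}

// NewDevice generates a fresh Ed25519 key pair for a machine (constructed example).
func NewDevice(id string) (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv}, nil
}

// Server stores only public keys, one per registered (user, device) pair,
// plus the outstanding challenge for each user.
type Server struct {
	devices map[string]map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewServer() *Server {
	return &Server{
		devices: make(map[string]map[string]ed25519.PublicKey),
		pending: make(map[string][]byte),
	}
}

// Register is the enrolment step the commenter asks about: every new machine
// has to be introduced to the server before it can authenticate the user.
func (s *Server) Register(user string, d *Device) {
	if s.devices[user] == nil {
		s.devices[user] = make(map[string]ed25519.PublicKey)
	}
	s.devices[user][d.ID] = d.priv.Public().(ed25519.PublicKey)
}

// Challenge issues a fresh random nonce; signing it proves possession of the
// private key without any secret travelling over the wire.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// loginMessage binds the signature to user, device and nonce so a response
// cannot be reused for another account, device or session.
func loginMessage(user, deviceID string, challenge []byte) []byte {
	return append([]byte("login:"+user+":"+deviceID+":"), challenge...)
}

// Respond is the client half of the handshake.
func (d *Device) Respond(user string, challenge []byte) []byte {
	return ed25519.Sign(d.priv, loginMessage(user, d.ID, challenge))
}

// Verify is the server half: the nonce must be the one issued (and is consumed
// here, so a captured response cannot be replayed) and the signature must
// verify under a key registered for this user.
func (s *Server) Verify(user, deviceID string, challenge, sig []byte) error {
	issued, ok := s.pending[user]
	if !ok || !bytes.Equal(issued, challenge) {
		return ErrBadChallenge
	}
	delete(s.pending, user)
	pub, ok := s.devices[user][deviceID]
	if !ok {
		return ErrUnknownDevice
	}
	if !ed25519.Verify(pub, loginMessage(user, deviceID, challenge), sig) {
		return ErrBadSignature
	}
	return nil
}

// Login runs the full exchange from a given device.
func Login(s *Server, user string, d *Device) error {
	c, err := s.Challenge(user)
	if err != nil {
		return err
	}
	return s.Verify(user, d.ID, c, d.Respond(user, c))
}

func main() {
	s := NewServer()
	home, _ := NewDevice("home-pc")
	library, _ := NewDevice("library-pc")
	s.Register("alice", home)
	fmt.Println("home PC:", Login(s, "alice", home))       // <nil>
	fmt.Println("library PC:", Login(s, "alice", library)) // device not registered for this user
	s.Register("alice", library)
	fmt.Println("library PC after enrolment:", Login(s, "alice", library)) // <nil>
}
```

The password never appears because there is none: the server can verify the signature but could not impersonate the user even if its database leaked, which is the security gain the article is after. The portability cost is equally visible: the library PC is rejected until it is enrolled, and the program says nothing about how that enrolment is authorized, which is exactly the gap the commenter points at.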