February 23, 2005 4:00 AM PST

Finding a replacement for passwords

Related Stories

Password imperfect

December 9, 2004

Gates: Passwords passe

November 16, 2004

Gates predicts death of the password

February 25, 2004

Passwords: The weakest link

May 22, 2002

(continued from previous page)

RSA technology--passing out a small number of the devices to customers for free. The company plans to decide later this quarter whether to expand beyond a few hundred early testers.

RSA said there are about a million consumers using its authentication technology, through a variety of pilot programs. Other companies that are eyeing the technology include financial institution Credit Suisse, Yahoo and Sony Online Entertainment.

Joffe said that Sony is "seriously considering" offering the RSA token to some of its customers. While game characters and points may not have the monetary value of a bank account, such identities are just as important to protect from online fraud.

"I wouldn't say (fraud is) a huge issue, but it's an issue," he said.

RSA's hope is that many number of companies will sign up for the program and that consumers would need only one token to manage a variety of accounts. Some businesses will give out the tokens free, while others may make customers foot part or all of the bill, the security provider believes.

Although the devices have the potential to help cut fraud, RSA Vice President Christopher Young said the company is selling consumers as much on peace of mind as on cost savings. He likens it to the alarm that guards his house.

"I haven't had anyone break into my home before," said Young, who until about two months ago was head of safety and security premium services at America Online. "It makes my wife feel more comfortable when I am traveling, and I travel a lot."

Tony Gentile, a San Jose, Calif.-based Web marketing consultant who runs a site called Buzzhit.com, said he would like to see a second method of authentication for many online activities, including banking, stock trading, Web-based health care and electronic voting.

But, he warns, any system is fraught with challenges. And he's not sure he or other consumers are ready to pay for it.

"The devil's in the details here," Gentile said. Tokens have a place, he said, but that place is not the same in each business. "What's appropriate for one type of business and usage pattern may be very different from another."

There is also the issue of convenience. While RSA's tokens are small enough to fit on a keychain, they are also easily lost. People might be amenable to carrying one token. Less appealing to people is the prospect of needing one device to verify themselves to a bank, then another for their stockbroker, and ending up with a bunch of tokens.

A solution would be for online service providers to agree on a single product or standard. For now, it's unclear whether companies will come to an agreement on this. RSA, for its part, said it will try and work not only with its devices, but also with similar devices from others.

End of the line?
Some analysts do see the password fading as the primary means of authentication, particularly for online banking.

In a December report, Gartner estimated that by the end of 2007, 60 percent to 75 percent of U.S. banks will use something stronger than a password, but stop short of giving out hardware tokens. Roughly 7 percent more will go as far as to hand out something like the RSA token, the research firm predicted.

Overseas, the overwhelming majority of banks will require something more than a simple password, with anywhere between one-third and one-half of banks requiring a hardware token, Gartner analysts said.

The bad news in Gartner study is that by the time many of these new systems become common, the thieves will have also moved on. By the

Previous page | CONTINUED:
Page 1 | 2 | 3

7 comments

Join the conversation!
Add your comment
Replacement for Passwords
So you think that getting rid of passwords, and using "tokens" will soleve the secrity problem?
Guess again. You must know that certain cars use something similar for ignigiion - and guess what:
the new electronic keys (or tokens) can be stolen, or duplicated. there is a fine balance between security via passwords, and (the next step in invading our privacy) tagging everyone with a chip. Is that to be your next suggestion, when the token do not work? Proper programing, that will not accept "easy to guess" passwords, is still the most "livable" way to go - along with ogther good policing/security measures. The limits of other means of programming and electonic based means have not even been scratched. Those in the related (secutity)fields (internet, ect.) have yet to make the effort to control spam and viruses that could be done. Where I work, we get in excess of 50,000 spam emails a day, and while thiose in charge of Internet security excuses themselves by saying that they cannot trace the originator, it does not even enter their mind, to go after those who pay the spamers to send out the adds. that is only an example of a related kind of problem. It seem that it is easier to creat another, money making gadget(?)??????
....that's my take on this
...Steve
Posted by stevezd (9 comments )
Reply Link Flag
Gosh, I Know---
How about something like a "...National BIOMETRIC ID-Card" with "intregal RFID" (or some equivalent electronic verification)? It could be required for every citizen to have one, ...just like the 'REAL-ID plan' already approved by the Senate (which, by the way, is being desperately pushed-forward by the 'Whitehouse')?

A citizen could insert their "ID" every time they 'booted' their "...Trusted PC" (in fact, within the "Trusted Computer" architecture it could quickly be made virtually impossible to use a PC without it).

And best of all, by requiring "positive ID" to use the Internet, "WE" could, finally, eliminate "fraud", "copyright-violation", "anonymous speech", etc., ...or even, that most dreaded malady, "privacy" itself.
Posted by Gayle Edwards (262 comments )
Link Flag
The Market Needs More Accurate Info
There seem to be a lot of opinions in the market for user authentication, which is no surprise. What is surprising is the lack of research data to back up the opinions voiced by leading authors and research firms. Token technology is not widely understood to begin with, and influential opinions without facts behind them create greater misunderstanding.

A token is nothing like the key fobs used in a car ignition system. Think of a token as a secure secret. Instead of sharing the secret to gain access (like you do now with a password, social security number, etc.) the token uses an embedded secret (the algorithm) to generate a one-time code based on time of day or an internal counter. The only way to confirm that this one-time code is correct is to have an encrypted copy of the secret on the back-end of the system being accessed. The secret on the back-end also generates a one-time code which is compared to the code the user enters. If the codes match, the correct token is being used and access is granted. At no time is the actual secret in the open. Many of today's algorithms use 3DES - you can look it up if you are interested in cryptography but bottom line is that it has not been cracked and would not be economically feasible to try.
Posted by (1 comment )
Link Flag
PC Security
I am all for all MAKES & MODELS of pc's, including homebuilt, and custom built pc's having a thumbprint reader as a secure login device. This can be used for home & corporate pc's. This may also be used for secure web site access only when the PC is shared by the entire family there still can be the one standard password to boot the system, but parents can control Internet surfing content, chat room content, and specific files and folders via the thumb print scanner. This would prevent children from accessing porn or adult chats, keep them out of private or financial files & sites without a parents need to keep a log of all the various password used for different web sites which can be found all too easily by children or misplaced by the adult while trying to prevent the children from finding the password file/log. This is the simplest form of securing one data, and personnel computer from being accessed with out proper authorization. With todays back-up equipment & technologies this thumb reader could cause a complete data loss if tampered with. If only a similar technology could be used to prevent hacking of data through DSL, Cable, and Dial-up connection's it would be great! If a hacker or a Trojan were to access critical or protected files it would automatically cause the drive to reformat it self or crash in such a way that a recovery program or back-up program would be the only way to get the PC rebooted would vastly increase the protection of data. I give as an example people I have seen with modified scanners listening in on early analog cellular phones, cordless phones that ran in the 800mhz range, and you can be sure that there are people scanning the new 2.4ghz cordless phones. I waited until digital phones came out because they were virtually impossible to listen in on which is part of the reason the government was un-happy with most digital suppliers early on, they have now gotten this access with the GPS positioning set-up for 911 calls to allow emergency services to find the caller supposedly to as close as 10 meters or better. if you turn of this feature on most phones you loose features, so in order too keep all your services working it needs to be on.
Posted by wino460 (1 comment )
Reply Link Flag
keep a log
<a class="jive-link-external" href="http://www.analogstereo.com/renault_laguna_owners_manual.htm" target="_newWindow">http://www.analogstereo.com/renault_laguna_owners_manual.htm</a>
Posted by Ubber geek (325 comments )
Link Flag
Password imperfect
Passwords are no longer the hard codes to break.What maximum a normal guy can set as password?
1.His name/Nickname+123
2.His wifes name/Nickname+ilu
3.His pet's name
4.His son's or daughter's name
5.His birthdate
6.His wife;s birthdate
7.His anniversary date
8.His car number
9.His initials and emplyee number
10.His aniiversary
11..the list is long but definitley predictable

Hence even if you change your password everyday..one day or the other ..it will be hacked
Posted by (3 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.