February 23, 2005 4:00 AM PST
Finding a replacement for passwords
(continued from previous page)
end of 2007, half of today's stronger methods of authentication will no longer be strong enough to foil phishing or online attacks, the report's authors said.
While technology providers have focused on hardware devices as a secondary means of identity authentication, research has come up with less costly replacements for the password.
One alternative is a picture-based password. Instead of remembering a word or digits, a user would click on a specific part of a large digital photo. Another idea is that a grid of random numbers or letters appears and you enter the characters that fall on a shape you remember. While such graphical passwords may be harder for random thieves to guess, some have warned that they might be easier for a co-worker or other passerby to spot.
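The shape-based scheme described above, as an added example that is not from the article or any vendor's product: the server issues a fresh random digit grid for each login, the user types the digits found at the cells of a remembered shape, and the server checks the result. The grid, shape and responses below are constructed for illustration, and `consistent_shapes` measures how much a single observed login narrows the secret, which is the onlooker risk the paragraph mentions.

```python
import hmac
import secrets

GRID_SIZE = 5
ALPHABET = "0123456789"

def make_challenge(rng=secrets):
    """Build a fresh random grid; a new one is shown on every login attempt."""
    return ["".join(rng.choice(ALPHABET) for _ in range(GRID_SIZE))
            for _ in range(GRID_SIZE)]

def expected_response(grid, shape):
    """Digits the legitimate user reads off the remembered cells, in order."""
    return "".join(grid[r][c] for r, c in shape)

def verify(grid, shape, response):
    """Constant-time comparison of the typed digits against the derived one-time code."""
    return hmac.compare_digest(expected_response(grid, shape), response)

def random_guess_space(shape):
    """Responses a blind guesser must choose from: one digit per cell of the shape."""
    return len(ALPHABET) ** len(shape)

def consistent_shapes(grid, response):
    """Cell sequences that agree with one observed (grid, response) pair.

    Before any observation there are GRID_SIZE**2 ** len(shape) candidate
    sequences; after one, only cells holding the typed digit survive at each
    step.  A small result means a single shoulder-surfed login nearly reveals
    the shape, so the scheme needs lockout and rate limiting like a PIN does.
    """
    count = 1
    for ch in response:
        count *= sum(row.count(ch) for row in grid)
    return count

# Constructed sample grid and a four-cell "L" shape down the left edge.
SAMPLE_GRID = ["37148", "92605", "58310", "46972", "01857"]
SAMPLE_SHAPE = [(0, 0), (1, 0), (2, 0), (2, 1)]

if __name__ == "__main__":
    typed = expected_response(SAMPLE_GRID, SAMPLE_SHAPE)
    print("response for sample grid:", typed)
    print("accepted:", verify(SAMPLE_GRID, SAMPLE_SHAPE, typed))
    print("blind-guess space:", random_guess_space(SAMPLE_SHAPE))
    print("candidates before observation:", (GRID_SIZE ** 2) ** len(SAMPLE_SHAPE))
    print("candidates after one observation:", consistent_shapes(SAMPLE_GRID, typed))
```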
Another suggestion has been to use unique personal traits, such as fingerprints, as a means of authentication. Although there are a handful of notebook, handheld and desktop computers that come with fingerprint readers, such biometric technology is not widespread enough to make it a standard method of verifying identity. Voice prints are another option, but until speech recognition improves in reliability, customer frustration could be high.
Still life in passwords
Despite all the criticism of passwords, not everyone thinks they are past their prime.
Richard Parry, who is responsible for assessing threats for consumer banking giant JP Morgan Chase, argued that too much attention is being given to Internet security fears in general and passwords in particular.
"It would be untrue to say (the password) is not still working for us in many applications," Parry said. "Whether it is sustainable is another question."
Parry pointed out in a panel discussion at the RSA show that in any 24-hour period, more money will be lost from burglary than from Internet fraud. "The sky isn't falling," he said.
That said, he noted that two-factor authentication is already in relatively high use in financial institutions for very wealthy and corporate customers, as well as for certain large transactions. JP Morgan Chase's own workers use RSA's tokens, for example. He did note that such measures probably don't make sense for the masses, where two-thirds of bank accounts contain less than $1,000.
In the background of the debate over passwords is the suggestion that if online banks don't tighten security, U.S. regulators may force them to do so. In places like Singapore and Sweden, laws already require stronger means of authentication. And a December FDIC report says that the industry's reliance on passwords "offers an insufficient level of security" and suggests hardware tokens may be the way to go.
Parry is particularly concerned that well-intentioned regulation could have economic drawbacks for service providers.
"Some regulation is good, and regulators have every right and even an obligation to be concerned," he said. But "regulation as a blunt instrument could dramatically increase costs."