By that I mean that I have far too many Net IDs and passwords. There's really no hope of me ever remembering them all, so I've become a case study in bad security habits. I write them down. I pick easily guessed passwords and invent ever more creative ways of spelling my dog's name. I e-mail passwords to myself. And I reuse them--over and over and over.
The world is awash in Wi-Fi zones. High-speed cable and DSL are rampant. Intel CEO Craig Barrett tells me that ubiquitous wireless access--WiMax--is just around the corner. Still, I have passwords and usernames scrawled on yellow stickies plastered to my monitor. There's something wrong with this picture.
I thought that by now, things like Microsoft's Passport would have delivered us to the promised land of federated single sign-on, where we have only one password-username combo to remember, and everyone knows our name.
But Passport is in shambles. One of Microsoft's most prominent Passport partners, eBay, said just after the holiday shopping season that it would stop accepting Passport log-ins from its customers. Online job site Monster.com dropped support for Passport on Oct. 22. And a list of sites that had partnered with the software giant has vanished from the company's Web site.
Passport's demise comes even as Microsoft Chairman Bill Gates continues to tell us that passwords are evil and will soon become passé. OK, I buy that. Microsoft has kicked off a new internal system that uses smart cards to bolster security. But what about the rest of us?
Well, for businesses looking to secure internal systems and links to partners, the news is encouraging. Microsoft's one-time rival in the single sign-on technology race, the Liberty Alliance, continues to sign up software makers and big companies that pledge to build Web sites and products that support federated identification.
But the 150 Liberty members still need to build support for Liberty's specifications into products. That takes time.
Microsoft and RSA Security teamed to produce a security device called SecurID for Windows, which debuted last fall. The device generates a constantly changing sequence of numbers that a user has to type in alongside their normal password in order to log onto corporate networks.
The recent focus on regulatory compliance, thanks to things like Sarbanes-Oxley and the Patriot Act, has driven big companies to get serious about secure identity management. Technologies such as enterprise single sign-on are gaining steam to lock down intracompany communications. And central provisioning software helps take some of the manual labor and error out of granting access to corporate applications.
Since identity theft has become the fastest-growing type of crime in the United States, according to Forrester Research, it seems in the best interest of businesses--particularly online retailers--to protect consumers.
However, little has changed in the consumer area. Microsoft tells us to be patient and wait for Longhorn, which should make it easier to manage identity on desktop machines and Windows-based servers. An update coming later this year for Windows Server 2003 will include identity federation technology, but that is aimed mostly at securing business-to-business communications.
The big idea for the future of ID management is electronic smart cards that securely identify people online and allow them to have different personas, according to Microsoft's top security strategist, Scott Charney. But don't hold your breath: We're talking the future.
So where does that leave us? Juggling passwords and keeping the yellow-sticky people in business. There's got to be a better way.
Biography
Mike Ricciuti is CNET News.com's Cambridge, Mass., executive editor and bureau chief.
Some of them (SignupShield by protecteer.com) are fine-tuned to help users fight phishing. They do so by alerting them in real time when they are about to be "phished out", allowing them to abort submission of sensitive information.
Password managers do not completely solve the problem, but they are a very good interim solution until better infrastructure is in place.
Another great thing if you have a thumb drive, you can store your password on the thumb drive, essentially creating a "key" to start your password database. This is an absolutely awesome program, and will allow you to send those sticky notes to yellow note heaven.
and built a system available as Open Source that lays the framework. Ironic that in order to comment on this story, I needed to create yet-another-account!
and I am still blocked from using my account because they refuse to recognize my information, so I can't change my password--therefore I can't use my account, which has all my information, address book, photos. Please help me try to figure out a way to make Yahoo accountable and get me back into my account. Thanks
Isabella Hale
mustomusto@yahoo.com
(emergency back up account)
After all, security is about a gatekeeper being convinced you are who you say you are. No amount of shared secrets addresses the total weakness of token-based systems, including RSA's/MSFT's approach.
The only system that comes close to closing this gap is biometrics with a liveness test; fingerprints etc. fail at this. The only system I know of to do this is speech-based with a liveness test. For example, say this 'phrase chosen from a 10,000-word dictionary' with speaker verification.
Check out www.vocent.com.
The solution can only come from a universally adopted/accepted/mandated security standard - even passwords have varying degrees of security (e.g. c|net requires only 6 letter/number combinations while others require at least 1 letter and 1 number and a special character as the login and password!!)
Smart cards and biometric devices (retina scan/thumbprint ID systems) are great, but every machine that accesses the Internet or computer network needs to have the interface. Can you imagine having a retina scanner for your Web-enabled wireless phone? Actually that might not be too farfetched.
But that too opens the can of worms screaming "RIGHT TO PRIVACY!" ... "RIGHT TO PRIVACY!" The more secure you want to be, the more you have to reveal about yourself. A Catch-22 of sorts.
Well I've rambled long enough. Thanks for reading.
something additional, like a biometric device or random-number-generating device, wouldn't it be easier to just use something most of us already have? Like a phone, perhaps. Here's a link if this interests you: http://www.sftnj.com
See also this piece on federated identity management:
http://news.zdnet.com/2100-1009_22-5535345.html
It includes your email address, web presence as well as digital passport and extends to your social networking personas.
Start with a permanent email and web presence. Stop using Yahoo, AOL or Hotmail. Use a self-branding identity like that offered by PW Registry (www.pwregistry.pw) which offers 100% of the world's surnames, ethnic groups and random strings. This will provide you with an ISP independent spam-free email address and personal website.
Then layer on a digital passport from Identity Commons called i-names. This will handle your single sign-on and social networking activity.
You can start using these now and never have to change your address again.
Tom