Are we reaching a stage where passwords need to be replaced by two- or even three-factor authentication methods and is there a future in federated identities?
"George?" Not normally a question that requires an answer, but this was the challenge used by the American airborne during Operation Husky One in WWII to identify each other during night operations. Failure to respond with the password 'Marshall' would generally be met with a fatal reply. Use of passwords dates from much earlier than the mid 20th century, with documented accounts of password distribution available for the Roman military, as well as from Masonic scholars.
Suggestions that the life of the password is at an end for information systems have been mooted for a number of years; however, much like the wholesale adoption of single sign-on, such assertions have failed to materialize, writes Raj Samani of ISSA UK. The logic behind their demise is understood: passwords have a number of vulnerabilities, ranging from weak non-repudiation (a shared secret cannot prove who used it) to susceptibility to guessing and brute-forcing.
Alternatives such as two-factor authentication address most of these issues, if not all, but the one thing they fail to address is ease of use and implementation. Before consigning passwords to the digital scrapheap, consider the resources that need to be protected: a password may well be an appropriate control.
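To make the contrast concrete, here is an added example (not code from the original column or from ISSA UK) of the second factor most commonly layered on top of a password: a time-based one-time password (TOTP, RFC 6238) derived from a shared secret and the current time. The password check uses a constructed user record and a PBKDF2 hash; the secret, username and timestamps are all constructed sample values. The point it illustrates is the one the column makes: a guessed or reused static password is no longer sufficient on its own, because the second value changes every 30 seconds and is only accepted inside a small drift window.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-step counter."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept a code for the current step or +/- `window` steps (clock drift).

    Comparison is constant-time so a verifier does not leak how many digits
    matched. A real deployment would also record the last accepted counter
    to reject replays within the window, and rate-limit attempts.
    """
    counter = int(unix_time) // step
    for delta in range(-window, window + 1):
        expected = hotp(secret, counter + delta, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


# Constructed sample user record: PBKDF2-hashed password plus a TOTP secret.
# (The secret is the RFC 4226/6238 test-vector secret, used here only so the
# codes can be checked against the published vectors.)
_SALT = b"constructed-salt"
_USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "totp_secret": b"12345678901234567890",
    }
}


def login(username: str, password: str, otp: str, unix_time: int) -> bool:
    """Two-factor login: both the password and the current TOTP must verify."""
    user = _USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000),
        user["pw_hash"],
    )
    # Evaluate the OTP unconditionally so timing does not reveal which factor failed.
    otp_ok = verify_totp(user["totp_secret"], otp, unix_time)
    return pw_ok and otp_ok


if __name__ == "__main__":
    secret = _USERS["alice"]["totp_secret"]
    now = 59  # constructed timestamp: RFC 6238 test vector (time step 1)
    code = totp(secret, now)
    print("current code:", code)
    print("password + valid code :", login("alice", "correct horse", code, now))
    print("password + stale code :", login("alice", "correct horse", code, now + 120))
    print("wrong password + code :", login("alice", "guess1", code, now))
```

The `window` parameter is the operational trade-off the column alludes to: widen it and users with drifting clocks stop calling the helpdesk, but an intercepted code stays usable for longer. The defensive additions that keep this scheme honest (tracking the last accepted counter, rate-limiting and alerting on repeated OTP failures) are the same controls that would have protected a password-only login against brute-forcing in the first place.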
After all, the purpose of security professionals is to ensure that the resource (asset) is protected in a way that mitigates the risk to the level (and at a cost) the business is comfortable with by the most effective means. Trying to justify a three-factor authentication rollout that may cost millions to protect resources worth a few thousand pounds is a shortcut to losing credibility in the boardroom.
The popularity of the password also allows the organization to connect with other organizations to generate federated identities far quicker than normalising alternative authentication methods between organizations. Where confidentiality was the buzzword for security, and in particular putting data under lock and key for any external parties, the B2B model allows businesses to harness the power of collaboration between people, all of which means the need for federated identities will only continue to grow.
This was first published in August 2010