Security Zone: why we should be more concerned about password authentication

Passwords as the last means of protection beyond physical control have remained essentially unchanged for more than half a century. From a technology perspective, this single control is no more or less weak than it was when it was created during World War II. Yet the concept of the password has changed dramatically, writes Jason Hart, senior vice-president, Europe, at CRYPTOCard.

From a specialised, highly confidential code which was treated with respect, in today's world of ubiquitous social networking online it has become a commonplace means of accessing a range of personal and business services and information.

There are now many more ways in which we can access the web for both business and personal use - via laptops, handheld devices and remote terminals. Moreover, despite awareness efforts to promote secure password etiquette people naturally default to what is easy - using the same memorable password to access all of their services, whether it is online banking or Facebook.

As a result, the passwords themselves have become ubiquitously available, leaving their owners and often their employers vulnerable to data theft. Although corporations have invested heavily in securing systems and infrastructure, there remains an over-reliance on passwords to control or authenticate the access of the people using the services they support.

Two-factor authentication (2FA) - combining a physical card, soft or SMS-based token which generates a one-time password with a memorised personal security code - has emerged to provide more robust protection. Originally the domain of high-value transaction-based services such as online banking, 2FA is increasingly seen as a viable option for general internet-based commerce.

This is partially due to growing recognition of the problem. It can also be attributed to the introduction of passwords-as-a-service options, which are bringing the benefits of the cloud to the authentication market, so that SMEs can benefit from on-demand strong authentication without the need for up-front investment, integration of expensive servers or on-going support overhead. Even individuals who are becoming savvy about protecting their identity for their own benefit are beginning to appreciate such an ability to interact securely online.

Looking ahead, in meeting market demand for greater flexibility, software and SMS tokens will increasingly replace the physical device and integrate soft 2FA into the end-point device such as the laptop or Blackberry. At the same time, the ability of cloud-based authentication to reach out across multiple portals and applications will also provide the essential platform for developments such as federated ID, where an individual will use the same token to access their home-shopping account as in their professional business dealings.

We can expect the development of authentication to have close parallels with the growth of anti-virus systems.

Anti-virus has moved from "nice to have" status at a time when the level of threat was minimal to become an essential part of any computer installation. And as the risk advanced, so has the effectiveness of the solution. It is time to realise that passwords are outdated, while the availability of a more effective method of authentication has become essential.

Security Zone: read more advice from (ISC)² qualified security professionals >>