Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Are Passwords Passé?



 By: Paul F. Roberts
2006-02-17
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Secure cards and tokens could usher in a sea change in authentication.

SAN JOSE, Calif.—When Bill Gates stood before an audience of IT security experts at the RSA Conference Feb. 14 and declared that "passwords dont cut it," many in the audience took it as evidence of another sea change in the technology market and a sign that strong authentication has finally arrived.

Major announcements from Microsoft, VeriSign, RSA Security and a host of smaller vendors at the conference gave weight to the words of Microsofts chairman and chief software architect, as well as a sense of excitement to the staid market for secure cards and tokens. Microsofts entry into the secure authentication market could spur adoption of the technology.

All of this means more and better choices for enterprise IT managers looking beyond relying on only user names passwords.

However, users could soon end up holding onto a fistful of strong authentication tokens as companies scramble to introduce the technology for their customers.

The shift in thinking about strong authentication is evident even among early adopters of the technology, such as ETrade. The online brokerage was one of the few to offer RSA SecurID tokens to all its customers. ETrade used the SecurID technology internally before extending it to customers but is now looking to offer its customers alternatives to the tokens, said Rob Shenk, vice president of retail banking at ETrade.

"These are [users] who have a habit of leaving their car keys in interesting places," Shenk said.

Resource Library:
ETrade is now looking at "everything and anything" that might be an alternative to a dedicated secure token, including soft tokens that can generate one-time passwords on cell phones and other devices, he said.

Anti-fraud services appear to be the next battlefront for IT security. Click here to read more.

Microsofts new InfoCard technology, which Gates unveiled at RSA here, should make alternatives to SecurID easier to deploy. The new Microsoft CLM (Certificate Lifecycle Manager), now in beta, simplifies digital-certificate issuance and smart-card provisioning using technology built into Windows and Active Directory. Microsoft built support for the technology into Internet Explorer 7, the next version of the companys Web browser. Microsoft is also updating Active Directory and programming tools to make it easier to tie in strong user authentication to new applications.

"What Microsoft will do is accelerate the implementation curve for secure authentication," said John Oltsik, an analyst at Enterprise Strategy Group.

InfoCard won early backing from VeriSign Feb. 15 when CEO Stratton Sclavos used his RSA keynote address to announce that the VIP (VeriSign Identity Protection) secure sign-on technology will work with InfoCard in IE 7.

VIP is a shared authentication infrastructure that has the backing of eBay and its PayPal payment service, as well as Yahoo. It allows consumers to use a single security device, such as a USB token, to authenticate themselves across VIP-enabled Web sites. The service was widely seen as an alternative to the InfoCard network. But Sclavos demonstrated how InfoCard users with IE 7 could use that technology to securely sign on to a VIP network.

However, other major authentication vendors were absent from Microsofts push on InfoCard. Chief among them was RSA, which announced a deal with Microsoft two years ago to build support for the companys SecurID token into Windows. That integration has been plagued by implementation woes and lower-than-expected adoption, and it was a card from smart-card maker Axalto, not RSAs SecurID, that Gates held onstage to demonstrate InfoCard.

RSA plans to work with Microsoft to integrate SecurID with InfoCard, according to Bill McQuaide, senior vice president of RSAs Enterprise Solutions Group. However, the Bedford, Mass., company is pursuing its own partnerships to expand the reach of SecurID.

Feb. 14, RSA officials said the company is expanding its RSA SecurID Ready partner program that would increase the number of devices with embedded SecurID authenticators. RSA would extend relationships with Microsoft and Research In Motion and striking a deal with Diversinet to provision SecurID credentials through wireless and desktop synchronizations, officials said.

RSA also introduced a browser tool bar based on the SecurID technology that can generate one-time passwords, as well as the SID900, a transaction-signing token that can be used to sign high-value transactions and generate one-time passwords for user authentication.

For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

RSA plans more announcements in the coming months regarding InfoCard and the companys efforts to get SecurID onto more and more systems. One of those deals may be with Axalto, the smart-card maker whose Cryptoflex .Net smart card showed up in Gates keynote, according to Art Coviello, RSAs CEO.

Marvin Tansley, Axaltos vice president of product management, declined to comment on that deal but acknowledged that the advent of unified authentication platforms such as InfoCard and VIP will shake up the authentication market.

"Unified authentication platforms will make [multifactor authentication] as prolific as making a phone call," Tansley said. "If you come up with a platform for unified authentication based on open standards, like OATH, you also cure all the problems that have made it hard to convince people to provide strong authentication."

Diversinet CEO Nagy Moustafa agreed. "Its not about the technology; its about the flexibility. Users dont care whether theyre using SecurID or OATH," Moustafa said.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Are Passwords Passé?
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Paul F. Roberts
 


xr80VӮc]mT![rYST婎PP$$M8NK3n&t$_ϖ˖0$D"w?IpurF5g6%E}"I~x(~`\˩IZNڶ? }~mkru{#|6%?w *s=NNKVgMFھlMe#k_gp,cw5h{=D@~5{sr!&2}<K;="?+B#]2IXߦðuɷ~{Xe;'7 )*X^P~D;q #|=x:a/M˟ l׸ڮUX'[vB1BE/u#wJ;rMG9"QcO$աUqLJAtf>D>8z v v=rJ53' =K;O=kN]w=jP?b@2hưaqpl2XpaRb5#Ϟ~b[>4:]dU~Ʒ@7F;s#27 .wQKvTmCO|lMS>I uaGHu3o3hmwyakjtUP)^}m˙=Zip'Z j^v9(֝;` nKVa*.ۧ7nG:[A\`'H |'[DR*rP8$ȇ¤;|5 P%Pa)ڱVP\FZ<," J2zĢ!IukϦUus}Huz~rn!|'9ĠV*PFbЊ%+gxo_-:nϚϗfK:7>mu3ɀ&dXAZ|]kU[_oG߮C&󁭡JAͼ94o o$E@;- u k+UykQ 4+@_x0ND=kSfIr(,eg{j MH5Ŧ]`)ehFS$%/^P%P샖_΢[2jFt*軤(If0{A0<^f/_\RG 2 p1S{".Ӱuarv|ZnV͉*YXYujZlY?iQwΨ~j>ݴ{ݹvem|hUbyƆƇj",$uuTSt*t o|5"o+ rϏMf[ԑpl uu~L>NP}2=jZIm;Ni|Q}Ѧ>R?[iH'0i+GݺzNӰ=Uԇ5D%7 l"&q}3 к`y&@[@[衟#j{t t,/= 0/ Zm88ʼ E]ub3Bݷ|{ њ떭,L<ģ̠>NC|'s\(Lw^ z""D%  h4A'EENN@@ww$]I+Tbz"ҶBIcvn KŔ=*%nqR%a 3ʬ$&vφaZLboD6], S m3-mu{6 z`Nơsyj尤vQ#U^ğ/;*XgF0-/Aw)7˘[áeX4FLST2v)(f+7oTRԛЦ5SsGXdfLAuϝ0h Jdw@`Wvg.gKz4'*J^r_OO)Hj`>J7nZALM2t͏E=kb$`~f =DN)MKϵ("ݩ?vLO7]<t<}Oef/aRz냽ܮ;K9s3/'x/ ƌ0;h'0^˒o|V?>]Hk )2)<:`rUTՑn vOGA.CMtAj?X,@ ܠYaiCZ,Y~B)'-_k1 &D@weOU)&Uj l|`ZsnG<֔H+  c4}52*jAe߯YYXY :i3 9& ~'H5y3V9y^%fR+a1-*=>]6AP,4Ϧy3iqS2ܪ+_eSa51tY E5`|l'We7M3*PZJp9փ ` 뼂RUFWӛMO U!7TՀN>MGnRH|X%7:iu[<$ceUCUX)TԒ/YXᐫNvd iW&\x&\_{3Ƌb(Q^aTW">)wD<7ϰ;b}Nb 4PG }ʴWՄθā1O?f-$NM6fDz}A>2Tlɪ+> tVB gI; #Ftwe4qyh7(jMi@h# ;wk~ʾnUR#l VVJr=ȥe0F\0R,W1<ʢ'r]N6._-Jvq *s>P|ɷonjCSXp| ^?KHHD>DQkz\{e"nxB* gF Dssb^f>Q*o[/I]S0:;ld}g]Itm;?"CuzY}8q~_w8u;WGA{L[(E@?^-MԸ]@MC~WֿH㇛ΧԾl|hc4.[mj2}i&A)`]0|̮׍f}Aц.Zg0BV@ɁtzΥsٸо_>\tn)crѾjI^zkΓ!7EBVç=Mxi)qm2XG42p\8$Ø/=^q@ښҹin8`LBX5c-IgB A0q4fRxy~ïnUk~  $*`AQ1@+JF4ƗvZfp4z"BtX 1u}E/b)%Q\(둞,:48Ql6w FWE'k+ e{--'2}m!џ.` eIba+f+Igҹ8 $ubS`݅{_.Zs; 0i!Q2 7?%E:[7@Gdl&u"J M5"Jv-{BQJ;DQ2u?Ic6vYX[MxAS2%ɩ$E=)!*ښI$"8J542 eI? Md4㓘PV PɂtW#'59ݻ<^]Ҿsyx2iI(5^q*AB|$Hy0ΓJw鳁VKu^c'`|xRr'Tz@”+G<=tӨaEbӝcai;F\x v;2x;zZ1 ?ݮpnejt]bwP{_xŞYiIU9/r\-"nZZླྀ|W90.=y$/Av} lD>?Ggo[D:*pG#LuOxc Z~‡i4&K-h<79wB#EVާA#42UCnuk-Ǭ§ ,'i_Wc+ޙU=9d_'`65hfV،̳$tYS Lt/rg԰W,}޿6 ɵpv9b&bOxID>3ԧˁms.ǍS}Ά6V@uRtXGR,o;a֬s< ѥ,]qx*p ;_iO@laC`YObJM66sE."m<_ؑihzۯ4NU>j SF<dLz=4e E#OR¤VPgph@jnD^Ύl4,qP ~Y%̏b0$Ģ1#ui@8NBc;?Tq ]]l1Â|>H=wjB%fexdu:}S^>vc"Ql3 ގmE٤PjigeYP1l~mdBĖfuK[ ] j-NT*T{= 57o9]S'U(K#„hH9g{i+ޅEݓY:Gk3_ߨnS)& `k$zk$~B.E ϻM䒯6pV._`Ut~ KYR4IS&OeRdlZ+Gc~I,7,eIa8"|TmDCIU$Mۖ /NCH;%3pSw2FwYd E%A~[tĄ8y2O}sGSVޖ"ؗvxwgөI潆$E("@%94 c;TakXz:I/h/B)R,x֛S!ҥRXڳuX H'Ya6 1tq¡2& KD&zZdIێήIJe[+ ` aƯ78- !ś(!Ԃ8HCVWK )dTy2trx,;H-Ll |{= Y;$=M= 3a\;d.5.KqJ" ~^~^~^~^~}e ^坘U5r:w|=Xʗ؋tbvA PL/}C8b#|p(Lz1ڟU–$ .Ųv{r=M+|X4a =#XH¤,A( Xxcd'[s';65GQX$"º%bQ}9[7 z+š0Xmꌖ\!}_u[ q L$"lX `B2&n$寁^ e%KYDK1^MnHhjD6iv6V`;WEᢦ~/fK*vG:wlfrV[)AĀ^‹Q XmXs#8HA̠õwN i*+(Bp_CCEcȿȿȿȿ_E)i߶\DȽ Kuag*k4t?_#GXF3rzqà*S{7Z.]?f{}m0ݩMfe[]2)&l^M@"*UiD!ЯINc뻆 Ř,@u(zs2c`UD:C'7Tk'>[)QyNM!-~7[1^Y_kY׻Q.*5jWC;D\1(tnqeUn5˓0US z~t*QϔOU$%FQ_x84)6!vݧ맫J= O3']FDm^߲ZN$XnRzJxKܳ{RVJ]mW~Ն 2=um)_}K\B7{~/߃s8̜CDBL6A(ɩ5=6[7oHHvjmm%kk3"A-[o&6௶eulauz)^/?xl%^E[6,щ{O*eYX -}-$&Dz4{A@m @ȼ#MԬE5:&VJE:`җM+ℱfneO%3fEI4P D~Г 5>b4޵7 4z_ڋK۪_xģũe^,m/'IO+SXL,3g(,9d3sDxq~vGz6;Ib3`gvxh2݀we*k+Hm9T7F_@gjF@3* I7~^cij H/׺a} ̰.$o,S;eD)4E;LotwIb䭼Ud??~܋n!?"  I?Xt'η; 2~(ަBx8j ] {w{[MҸ$]"% RkyKN ߥtc T n TJ9t[`ɣS#DSt%pU) & 0Z`3oh1|ccs|[YM13bcC~ml+=umc;bׅmj+LxY8OH_q=o7ݙA47:V }s;w'7ƘuC[TvXj? 1O6t$.slkAЭq0e_J O&')3ʭGmt ]㑍XU!7TQᩰ71JZ2xi)Z4Ljxb*1bVeզɝ$7xg`ٿ[!VU'ruZ>_E_dqmm`/ '=& )<]С r@JoIg/8|<|6ڈyki$YcMr//\IxC#kgw rF@Yj$G P56w:n[Hjv/Z^릋V <;Cym!y;& 8EHAxG'L$EuE) 2T,AjUֽ?g.7,M}S4-l  \ZS4awFu檫*1Du*?83*%_&cP <"mG{o]j&[0'lx D0F$pH1fHGiĄ1+r+D;N1rO T-uC@a=Q#3(+9;2j (U,%bvqY@y+DL݂`Aa~N­!P)awSIJW0,2E<epX<>12ɀxdbf,ywJ7`C'[jE9Y|ob{` ? 0غ9P\{cݹ1]A 9ܐ9iHI}kwIs'} '\MGݩ;'U},41F;6/M&ƋBrde(Aή-f(NDĜ\ «X]drxixɎ(bzh,.6qNO|ݻ؀)Qe;̋ QW~4ALX7͛Vec+{_6xu3_)9u ginFh9j0c-WI r!>E.Z=ҹjIJ/6./2?Bnj_׌(Y_~JmdwQ[_4[P~ s ?/?ofnfCCL*nQʿ/A/31K{Ke~.a̠K Dg(Q~d_BeF9U^\eUuw@t2OK'C\}\g5 Mta݌wa݌zk}'O?g>g3sn66~oیon3/$)CAy#׸pz~;"9(/'R*zUKC(ϐge3VNa{r!Wgˀn_ kL+ťW*7YKxM}%kk[Z1nvd b}a/ KPe^ٛT#GPipKxEó##htoĶ.p&}:=WWvl+Jy.)ܢ}:QOXE)9 8qi@B1 FUys"\5½p'eybnAZ̤-c@#}~L(7]wqSݮ'obx?5O+~&7S2.pqk;ُϋGkwՕq@Af_b 5y?'OxVf<oє^\CNG*˗ X֭2{ k`V{eq-#2O,5U,%O|\o_.c˃~@=I_\=u{Ȫ\D}GQ!rE:Rhzw\CuﰟcOaIl@ꃧrSY`_GBb +M  L8BZ}M˯9ao5RFXk;NLt:v>kuo2Lw5g'>BыpOaHzBXϑx`evFoe^5m$$&b3@ gQlVxRBszn%0)% KBlPՍFwUcTxoꈓ_| 3.u,sD+ϒeքzLT zZOe/n,/Io=G}k_VeńK!l;F>HYUҎ_;@B&!#R.ܐOF{)0XPyw4w<p2In9ivas"WEPޙx7'c.-s0ŬBdGxN<}q?٢ uK ğopm.;+CO1ΪTU|>cx w} 2ϏDWݞ얏 Xo} 8lO.hzl}̀ XsQ%ɷ` <ݛ-Hˍ_$%\#dhlg`wDl .3*/]F hWa!*e76K((Xp^'Atm9;>BAr"#<[^ҵlAtzm랮EOfuݍ¦my8" 7]Kl C>`]R>D1e~}=3Ӳg(q",@PpP+Kei$VitnpS`hup#b }u+y!.0: .X=l׉P#nȥ+`jk7D]YtA&燸[0tczN﮳zg[8K cd. , $8jVI{{a0&iE-㨤t`C v_ʉ~ph;?҈Y>A wVǰYF!Ƨۅ7'TS*4.v>Ͻn̯]2xDh^N"X=<,KVw6k+[Ѐ7H>Y{PE"1ԝb:(G=zk|XKzLM萇kÔ{y0ѕDM1F(&,1S,@< փ LW{څGQy6;|,݀bV"Nd׊GnrmmS{J>dS17@j0\|OH d[\K^مt&3k9/YH~>  r*r*]xWI"cXM?#:T+K+ Sq|}h-]z,sՓ/G<|;Xyx8~']f(FRqO\|j8(>\tnb3u㎗4N?~|jJaEyiNђu:7VH]7ՇdEg?0]\}!l6Gn_!ﭩeTUA$7yM1ec*P)V []jq۩ QBlS2u̹D/4^JB\qrH'r0>d֌VMӝo3a-dcˤ_ F*