Are Passwords Now Passé?

Smart cards, tokens could change security landscape.

When Bill Gates stood before an audience of IT security experts at the RSA Conference Feb. 14 and declared that "passwords don't cut it," many in the audience took it as evidence of another sea change in the technology market and a sign that strong authentication has finally arrived.

Major announcements from Microsoft, VeriSign, RSA Security and a host of smaller vendors at the conference gave weight to the words of Microsoft's chairman and chief software architect, as well as a sense of excitement to the staid market for secure cards and tokens. Microsoft's entry into the secure authentication market could spur adoption of the technology.

All this means more and better choices for enterprise IT managers looking for ways to move beyond only user names and passwords. However, users could soon end up holding onto a fistful of strong authentication tokens as companies scramble to introduce the technology for their customers.

The shift in thinking about strong authentication is evident even among early adopters of the technology, such as ETrade. The online brokerage was one of the few to offer RSA SecurID tokens to all its customers. ETrade used the SecurID technology internally before extending it to customers but is now looking to offer its customers alternatives to the tokens, said Rob Shenk, vice president of retail banking at ETrade.

"These are [users] who have a habit of leaving their car keys in interesting places," Shenk said. ETrade is now looking at "everything and anything" that might be an alternative to a dedicated secure token, including soft tokens that can generate one-time passwords on devices, he said.

Microsoft's new InfoCard technology, which Gates unveiled here at the RSA Conference, should make alternatives to SecurID easier to deploy. The new Microsoft CLM (Certificate Lifecycle Manager), now in beta, simplifies digital-certificate issuance and smart-card provisioning using technology built into Windows and Active Directory. Microsoft built support for the technology into Internet Explorer 7, the next version of the company's Web browser. Microsoft is also updating Active Directory and programming tools to make it easier to add strong authentication to new applications.

"What Microsoft will do is accelerate the implementation curve for secure authentication," said John Oltsik, an analyst at Enterprise Strategy Group, in Milford, Mass.

InfoCard won early backing from VeriSign Feb. 15 when CEO Stratton Sclavos used his RSA Conference keynote address to announce that the VIP (VeriSign Identity Protection) secure sign-on technology will work with InfoCard in IE 7. VIP is a shared authentication infrastructure that has the backing of eBay and its PayPal payment service, as well as Yahoo. It allows consumers to use a single security device, such as a USB token, to authenticate themselves across VIP-enabled Web sites. The service was widely seen as an alternative to the InfoCard network. But Sclavos demonstrated how InfoCard users with IE 7 could use that technology to securely sign on to a VIP network.

Other major authentication vendors were absent from Microsoft's push on InfoCard. Chief among them was RSA, which announced a deal with Microsoft two years ago to build support for the company's SecurID token into Windows. That integration has been plagued by implementation woes and lower-than-expected adoption, and it was a card from smart-card maker Axalto, not RSA's SecurID, that Gates held onstage to demonstrate InfoCard.
