Are Passwords Passé?

Secure cards and tokens could usher in a sea change in authentication.

SAN JOSE, Calif.—When Bill Gates stood before an audience of IT security experts at the RSA Conference Feb. 14 and declared that "passwords don't cut it," many in the audience took it as evidence of another sea change in the technology market and a sign that strong authentication has finally arrived.

Major announcements from Microsoft, VeriSign, RSA Security and a host of smaller vendors at the conference gave weight to the words of Microsoft's chairman and chief software architect, as well as a sense of excitement to the staid market for secure cards and tokens. Microsoft's entry into the secure authentication market could spur adoption of the technology.

All of this means more and better choices for enterprise IT managers looking beyond relying only on user names and passwords.

However, users could soon end up holding onto a fistful of strong authentication tokens as companies scramble to introduce the technology for their customers.

The shift in thinking about strong authentication is evident even among early adopters of the technology, such as E*Trade. The online brokerage was one of the few to offer RSA SecurID tokens to all its customers. E*Trade used the SecurID technology internally before extending it to customers but is now looking to offer its customers alternatives to the tokens, said Rob Shenk, vice president of retail banking at E*Trade.

"These are [users] who have a habit of leaving their car keys in interesting places," Shenk said.

E*Trade is now looking at "everything and anything" that might be an alternative to a dedicated secure token, including soft tokens that can generate one-time passwords on cell phones and other devices, he said.

Microsoft's new InfoCard technology, which Gates unveiled at RSA here, should make alternatives to SecurID easier to deploy. The new Microsoft CLM (Certificate Lifecycle Manager), now in beta, simplifies digital-certificate issuance and smart-card provisioning using technology built into Windows and Active Directory. Microsoft built support for the technology into Internet Explorer 7, the next version of the company's Web browser. Microsoft is also updating Active Directory and programming tools to make it easier to tie in strong user authentication to new applications.

"What Microsoft will do is accelerate the implementation curve for secure authentication," said John Oltsik, an analyst at Enterprise Strategy Group.

InfoCard won early backing from VeriSign Feb. 15 when CEO Stratton Sclavos used his RSA keynote address to announce that the VIP (VeriSign Identity Protection) secure sign-on technology will work with InfoCard in IE 7.

VIP is a shared authentication infrastructure that has the backing of eBay and its PayPal payment service, as well as Yahoo. It allows consumers to use a single security device, such as a USB token, to authenticate themselves across VIP-enabled Web sites. The service was widely seen as an alternative to the InfoCard network. But Sclavos demonstrated how InfoCard users with IE 7 could use that technology to securely sign on to a VIP network.

However, other major authentication vendors were absent from Microsoft's push on InfoCard. Chief among them was RSA, which announced a deal with Microsoft two years ago to build support for the company's SecurID token into Windows. That integration has been plagued by implementation woes and lower-than-expected adoption, and it was a card from smart-card maker Axalto, not RSA's SecurID, that Gates held onstage to demonstrate InfoCard.

RSA plans to work with Microsoft to integrate SecurID with InfoCard, according to Bill McQuaide, senior vice president of RSA's Enterprise Solutions Group. However, the Bedford, Mass., company is pursuing its own partnerships to expand the reach of SecurID.

On Feb. 14, RSA officials said the company is expanding its RSA SecurID Ready partner program, which would increase the number of devices with embedded SecurID authenticators. RSA would extend relationships with Microsoft and Research In Motion and strike a deal with Diversinet to provision SecurID credentials through wireless and desktop synchronizations, officials said.

RSA also introduced a browser tool bar based on the SecurID technology that can generate one-time passwords, as well as the SID900, a transaction-signing token that can be used to sign high-value transactions and generate one-time passwords for user authentication.

RSA plans more announcements in the coming months regarding InfoCard and the company's efforts to get SecurID onto more and more systems. One of those deals may be with Axalto, the smart-card maker whose Cryptoflex .Net smart card showed up in Gates' keynote, according to Art Coviello, RSA's CEO.

Marvin Tansley, Axalto's vice president of product management, declined to comment on that deal but acknowledged that the advent of unified authentication platforms such as InfoCard and VIP will shake up the authentication market.

"Unified authentication platforms will make [multifactor authentication] as prolific as making a phone call," Tansley said. "If you come up with a platform for unified authentication based on open standards, like OATH, you also cure all the problems that have made it hard to convince people to provide strong authentication."

Diversinet CEO Nagy Moustafa agreed. "It's not about the technology; it's about the flexibility. Users don't care whether they're using SecurID or OATH," Moustafa said.
