Sun to boost Java ID plan for PCs

Sun's executive vice president for software, Jonathan Schwartz, plans to demonstrate the new authentication technology Wednesday at the RSA Security conference in San Francisco. Sun's PC operating system, the Java Desktop System, will have the technology by the end of June and will require its users to employ it, Schwartz said.

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

By creating multiple methods for authenticating users, those with online services will know with certainty who's using them, and problems such as spam and viruses that use anonymous e-mail will be reduced, Schwartz said.

As expected in Sun's PC authentication vision, people will authenticate by combining a password with a physical token that has their identity, such as a cell phone, a credit card or a corporate identification tag, Schwartz said. Sun is working with mobile phone companies and financial services to make the technology more widely available, and government customers such as the U.S. Defense Department already are employing such technology.

"The expense of anonymity has been borne by those who have been authenticated, and it's time we reverse that," Schwartz said. With multifactor authentication, PCs can become more like automated teller machines and GSM mobile phones, which both require simultaneous use of a card and a password for authentication.

"It's evident that the defensive approach that Microsoft offers is not effective," Schwartz said, pointing to viruses such as MyDoom and Sobig. "It's time for the industry to go on the offensive in the same way the mobile operators and financial institutions did at the inception of their network rollout, by strongly authenticating network citizens."

Java is at the center of Sun's plan--in particular, the JavaCard software that handles authentication for the tiny subscriber identity module (SIM) cards in GSM cell phones and that ship with credit cards such as American Express Blue. JavaCard also is used in the Defense Department's ID tags.

Java is software that lets the same program run on a variety of different computing systems--for example, a PC running Mac OS X, Linux or Windows--thereby making the choice of operating system less important. Different versions of Java run on computing devices ranging from massive multiprocessor servers to tiny SIM cards in many cell phones.

Sun has been successful in spreading its Java technology to servers and mobile phones, but has had a harder time with desktop computers, where Microsoft's technology is dominant. That changed in 2003, when the Santa Clara, Calif.-based company won deals with Dell, Hewlett-Packard and other top PC makers to install Java on computers in the factory.

In Schwartz's view, multifactor authentication could work in two basic ways.

In one, a person would insert either a Java-enabled credit card or a SIM card into a reader on a PC, then sign in with a password.

The other is more complicated, but closer to reality. A user would sign onto a site using his or her mobile phone number. The site's computers would then link with the mobile phone carrier's network to send the user's cell phone a message asking for the user's password. The user would type the password in on phone and then be authenticated on the computer.

Sun is "in talks with a number of (mobile phone service) operators worldwide about bridging the gap between mobile phones and computers," Schwartz said. They're likely to offer the services sooner than financial services companies, he said.

The technology is almost done, he added. "By June, you will have robust JavaCard support in the Java Desktop, which is to me the linchpin of all this," he said.

Java 2 Standard Edition (J2SE), the version of Java for PCs, must be modified to support the technology, Schwartz said.