Finding a replacement for passwords

Verification gadgets range from tokens to cell-phone-based systems, but cost keeps them from catching on.

Photo: In an antiphishing huddle

As online scams get more sophisticated, passwords are becoming hopelessly outmoded--as passé as floppy disks.

Yet many businesses and nearly all consumers still rely on passwords as the primary means of verifying that users are who they say they are.

At last week's RSA security conference, Microsoft Chairman Bill Gates sounded once again his well-worn call for an end to passwords, while on the show floor, companies touted gadgets to help verify identity.

Smart card
What: A plastic card, similar to a credit card, that contains a chip. The chip holds information and restricts access to only those with the proper personal identification number.

Pro: Can be used for access to both buildings and networks.

Con: Cards could be forgotten or stolen; readers and cards cost money.

USB token
What: A key fob with a USB attachment that carries security information using memory technology similar to that found in a smart card.

Pro: Low-cost, because modern computers all come with a USB port.

Con: Tokens could be forgotten or stolen; not all USB ports are easy to access; only good for computer and network access.

Password generator
What: A matchbox-size device that generates a sequence of numbers acting as a one-time password.

Pro: No connection to PC needed.

Con: Device could be forgotten or stolen; requires user to input the mathematically generated sequence; only good for computer and network access.

Biometric reader
What: Technology based on a human trait that can be used to identify a person, most often a fingerprint.

Pro: Biometrics cannot be forgotten or stolen; can be used for building and network access.

Con: Expensive to deploy; recognition problems can occur.

Source: CNET

There's plenty of technology that could augment or replace the password, from smart cards to password-generating tokens to cell phone-based systems. They have yet to catch on. One hurdle is that it can be inconvenient to have to keep a piece of hardware handy. But the real problem, analysts said, is that neither businesses nor consumers appear ready to pay for them.

"Every bank I talk to doesn't want to hand out tokens," Gartner analyst Avivah Litan said. "They're too expensive."

The cost of such a service is not insignificant. For instance, companies that have signed up for RSA Security's corporate hardware tokens pay on average $35 to $40 per employee as part of an annual service deal. However, a consumer service could cost a bank or other online service provider far less, if they hand out hundreds of thousands or millions of the gadgets.

Passwords are seen by many experts as a weak link in the security chain. A well-circulated research paper from 1979 noted that a significant share of passwords could be easily guessed in less than 5 minutes--and that was when punch cards were popular.

Web stores, online banks and other companies doing business on the Internet recommend that customers choose a password that is easy for them to remember but hard for someone else to guess. The reality is that the converse is usually true. Few of us can remember all of our passwords, and yet the bad guys, armed with sophisticated software, can crack most passwords in a matter of minutes.

RSA's SecurID token, which generates a one-time password (OTP) every few seconds, is only one of the hardware products on the market that aim to bolster security for consumers. Credit card-size smart cards slot into a reader and can be part of two-factor authentication. In this system, two ID elements--the smart card and a personal identification number, for example--are both required to gain access. A USB token works like a smart card, but plugs directly into a PC instead of into a special reader. Another system sends one-time passwords via text message to a customer's registered cell phone.

The biggest factors pushing companies to pay for something better than passwords are concerns about identity theft and phishing--Internet fraud in which people are fooled into giving their personal information, such as online banking passwords, to thieves. If something more than a password were needed to get access to financial records, it would be trickier for crooks to profit from such schemes.

"We want to add significantly more protection for our users and are looking at stronger authentication for passwords," said Adam Joffe, chief technology officer for Sony Online Entertainment, at an RSA Conference 2005 panel discussion.

Last week at the show, RSA Security announced plans for a hosted SecurID service through which companies can add an extra layer of security for consumers. E*Trade Financial is among those that are trying out the
