Password juggling no more?
It's high time for a better way to protect my identity online, CNET News.com's Mike Ricciuti says. I'm sick of yellow stickies.
By that I mean that I have far too many Net IDs and passwords. There's really no hope of me ever remembering them all, so I've become a case study in bad security habits. I write them down. I pick easily guessed passwords and invent ever more creative ways of spelling my dog's name. I e-mail passwords to myself. And I reuse them--over and over and over.
The world is awash in Wi-Fi zones. High-speed cable and DSL are rampant. Intel CEO Craig Barrett tells me that ubiquitous wireless access--WiMax--is just around the corner. Still, I have passwords and usernames scrawled on yellow stickies plastered to my monitor. There's something wrong with this picture.
I thought that by now, things like Microsoft's Passport would have delivered us to the promised land of federated single sign-on, where we have only one password-username combo to remember, and everyone knows our name.
But Passport is in shambles. One of Microsoft's most prominent Passport partners, eBay, said just after the holiday shopping season that it would stop accepting Passport log-ins from its customers. Online job site Monster.com dropped support for Passport on Oct. 22. And a list of sites that had partnered with the software giant has vanished from the company's Web site.
Passport's demise comes even as Microsoft Chairman Bill Gates continues to tell us that passwords are evil and will soon become passe. OK, I buy that. Microsoft has kicked off a new internal system that uses smart cards to bolster security. But what about the rest of us?
Well, for businesses looking to secure internal systems and links to partners, the news is encouraging. Microsoft's one-time rival in the single sign-on technology race, the Liberty Alliance, continues to sign up software makers and big companies that pledge to build Web sites and products that support federated identification.
But the 150 Liberty members still need to build support for Liberty's specifications into products. That takes time.
Microsoft and RSA Security teamed to produce a security device called SecurID for Windows, which debuted last fall. The device generates a constantly changing sequence of numbers that a user has to type in alongside their normal password in order to log onto corporate networks.
The recent focus on regulatory compliance, thanks to things like Sarbanes-Oxley and the Patriot Act, have driven big companies to get serious about secure identity management. Technologies such as enterprise single sign-on are gaining steam to lock down intracompany communications. And central provisioning software helps take some of the manual labor and error out of granting access to corporate applications.
Since identity theft has become the fastest-growing type of crime in the United States, according to Forrester Research, it seems in the best interest of businesses--particularly online retailers--to protect consumers.
However, little has changed in the consumer area. Microsoft tells us to be patient and wait for Longhorn, which should make it easier to manage identity on desktop machines and Windows-based servers. An update coming later this year for Windows Server 2003 will include identity federation technology, but that is aimed mostly at securing business-to-business communications.
The big idea for the future of ID management is electronic smart cards that securely identify people online and allow them to have different personas, according to Microsoft's top security strategist, Scott Charney. But don't hold your breath: We're talking the future.
So where does that leave us? Juggling passwords and keeping the yellow-sticky people in business. There's got to be a better way.