bCentral Home
Your Online Business Center

Are passwords past it?

Highly secure ways to prove your identity

By Matthew Stibbe

I've been interested in identity and authentication for the last couple of weeks because I am researching an article about Internet2 for an American magazine. It reminded me of a story I heard once.

In the Second World War, London was home to the exiled monarchs of many occupied countries. Once, King Haakon VII of Norway had to go to the BBC to make a broadcast to his people. He arrived at Bush House and went up to the commissionaire's desk in the lobby to announce himself. The phlegmatic doorman picked up the phone and dialled the studio. "It's Bert here. Yeah. I've got the King of ... err. [to Haakon] 'Ere, which country did you say you was king of?"

Internet2 is a consortium of universities and businesses who are working on the next generation of internet technology. Some of the things we can look forward to include real-time high-definition video conferencing, surround sound audio transmission and downloads a thousand times faster than today.

But what excites me, being a security geek, is something called Shibboleth. It's a project designed to improve the way authentication is handled. This means the way that users prove their identity to computers. Typically today people use a user name and password.

Log on just once

Quote�It could put an end to spam and improve privacy.�End Quote

On Internet2, you may only need to log on once and let some trusted organisation, like your employer or university, vouch for you to other organisations without revealing your private information.

In the meantime, we're stuck with existing technology. There are different ways to prove your identity: something you have (such as a smart card), something you know (like a password) or something you are (like a fingerprint). I suppose if you're a king, you have a crown or sceptre to prove the point.

Unfortunately, passwords are by far the most common way to authenticate people. They come with a number of well-known problems:

Memorable ones are easy to guess but strong passwords are hard to remember

Users don't change them frequently enough and often pick weak passwords

Users do daft things like share passwords, write them down next to their PC or give them to strangers on the flimsiest pretence

They're inconvenient. You need lots of different passwords for different services. If you forget which one you used, it's a lot of trouble to get a password reset.

The alternatives

Luckily, for business users, there are some alternatives. These include:

Smart cards. These are credit-card sized cards containing a small chip that can be used to store information. It's the same technology that you see in the new Chip-and-PIN credit cards and on the London Underground's Oyster card. Increasingly, you can buy economically-priced plug-in smart card readers. Some computers even come with them built in.

Biometrics. Iris and fingerprint scanners are amongst the most common forms of biometric authentication. Fingerprint readers, such as the ones in some Microsoft keyboards, are becoming more widespread and easier to use.

'Crypto keys', such as the RSA SecurID for Microsoft Windows use mathematical codes and a PIN number to create hard-to-break one-time passwords. My hunch is that banks will increasingly use these little devices for online banking. In fact, they're already used in some other countries, and Lloyds TSB has started trialling them here in the UK.

None of these technologies is perfect but they have definite advantages over a password and they become more effective when used in combination.

It may take a decade or more for Internet2 to move from academia to the high street. In the meantime, businesses that want to control access to their data and systems need to consider stronger forms of authentication than easily-broken passwords.

What next?

You can be particularly at risk when you use a public computer. Here are some simple precautions you can take.

How's your overall approach to security? Find out if you could be doing more with our interactive security check.

Matthew Stibbe writes a new column every fortnight. Sign up to receive them automatically by email.


Sign into Microsoft Small Business+ for free web-based training and software support.

sign in
Security information

Find a local Microsoft Small Business Specialist to help with your IT needs

Microsoft Small Business SpecialistMore info >

What do you want your PC to help you with?

What do you want your PC to help you with?







Free business newsletters - subscribe now

Our free newsletters are packed full of business advice and ideas - plus all the latest news

Security information

Get the latest bulletins and updates direct from Microsoft