Are passwords past it?
Highly secure ways to prove your identity
I've been interested in identity and authentication for the last couple of weeks because I am researching an article about Internet2 for an American magazine. It reminded me of a story I heard once.
In the Second World War, London was home to the exiled monarchs of many occupied countries. Once, King Haakon VII of Norway had to go to the BBC to make a broadcast to his people. He arrived at Bush House and went up to the commissionaire's desk in the lobby to announce himself. The phlegmatic doorman picked up the phone and dialled the studio. "It's Bert here. Yeah. I've got the King of ... err. [to Haakon] 'Ere, which country did you say you was king of?"
Internet2 is a consortium of universities and businesses who are working on the next generation of internet technology. Some of the things we can look forward to include real-time high-definition video conferencing, surround sound audio transmission and downloads a thousand times faster than today.
But what excites me, being a security geek, is something called Shibboleth. It's a project designed to improve the way authentication is handled. This means the way that users prove their identity to computers. Typically today people use a user name and password.
Log on just once
�It could put an end to spam and improve privacy.�
On Internet2, you may only need to log on once and let some trusted organisation, like your employer or university, vouch for you to other organisations without revealing your private information.
In the meantime, we're stuck with existing technology. There are different ways to prove your identity: something you have (such as a smart card), something you know (like a password) or something you are (like a fingerprint). I suppose if you're a king, you have a crown or sceptre to prove the point.
Unfortunately, passwords are by far the most common way to authenticate people. They come with a number of well-known problems:
Luckily, for business users, there are some alternatives. These include:
None of these technologies is perfect but they have definite advantages over a password and they become more effective when used in combination.
It may take a decade or more for Internet2 to move from academia to the high street. In the meantime, businesses that want to control access to their data and systems need to consider stronger forms of authentication than easily-broken passwords.