SAN FRANCISCO -- For years now, security professionals have wondered if, or when, passwords would become passé, replaced by a stronger form of authentication to protect enterprises from intruders. The answer, judging from speakers at Tuesday's RSA Conference: not anytime soon.
Passwords still dominate the online world, where users typically create their own simple code to access a network or online service. Thanks to education and policy enforcement tools, more people now create alphanumeric passwords, rather than easily deciphered words or birthdates. But with more Web services and companies requiring passwords, the growing complexity of self-management is leading more people to use the same password to access multiple sites or systems. And that means bigger risks if that password is compromised -- for the user whose digital identity is stolen and businesses fooled by the con.
Last year industry leaders began pushing two-factor authentication at the consumer level with the second form being a token, biometric, smart card or other device. This, experts believe, would especially help cut down on phishing schemes, in which users volunteer their username and access codes to a fake Web site set up by online criminals. Newer phishing involves bogus caller-ID names to trick people into giving up the goods via phone.
"We've spent so much guarding the perimeter that, as a result, our adversaries are now going through the front door," said RSA Security CEO Art Coviello during his keynote address. He believes future authentication will include knowledge-based responses, in which people must provide personal information based on prior use. For example, an online travel agency would ask users to provide the names of some of the places they've visited through the agency. "We need to get beyond the single technology or approach."
But creating a cultural shift among consumers may not be easy. Despite a shaken confidence in using Internet-based services, such as online banking, many consumers aren't willing to give up convenience for more complex security. "We've got to make security simpler to use if it's going to be effective," former national cybersecurity czar Amit Yoran said during a panel on passwords.
Lethargy and laziness were listed as reasons consumers have not embraced stronger authentication. Also, the liability for fraud from misuse of someone's credentials currently falls on the financial institutions. "Customers know financial institutions will save them and make them whole again," remarked Catherine Allen, CEO of the banking industry group BITS. She later added, "There are many ways that authentication can help, but it'll never be the be all, end all."
During the Cryptographer's Panel, speakers were asked if this was the year businesses moved away from passwords. RSA co-founder and MIT computer science professor Ron Rivest responded: "Passwords will be with us forever."
Professor Adi Shamir, another RSA co-founder, agreed but questioned the number of applications, especially with low security risks, being password-protected. Passwords aren't dead, he said. "But I don't think we need to replace them with the next latest and greatest good thing."