Beyond Passwords

I've written, spoken, and taught about password management in the past. I continue to believe that password-centric authentication systems are limited in their ability to provide much assurance about a person's claim on an given digital identity. Any information system requiring more than a basic level of assurance must use stronger multi-factor authentication mechanisms that incorporate things like one-time passwords and biometrics. However, passwords will continue to be part of our lives until stronger authentication mechanisms become more pervasive; and this won't happen until these systems combine the qualities of integribility, supportability, and usability.

One way to prepare an environment for stronger forms of authentication is to reduce the number of systems responsible for authenticating users in a given administrative domain. This is typically accomplished through some type of single sign-on (SSO) solution. The use of SSO reduces the number of systems that need to be able to perform strong authentication, which in turn reduces (or at least focuses) the integration, support, and user experience issues.

Since I'm on the topic of passwords I would like to commend the work of some others on the subject.

From the CERIAS blog:

When I was developing authentication related policy and systems at a previous employer I came to appreciate the work of Richard E. Smith, Ph.D. on the subject of authentication and commend his book, Authentication to you, as well as The Center for Password Sanity, which resulted from his research for the book.

From his Web site:

When I was doing research for my book Authentication a few years back, I came to realize just how crazy password management has become. The rule comes down to this:

The password must be impossible to remember and never written down.

This is, of course, ridiculous. The ideal password has to be both memorable and hard to guess. Ideally, a password should be hard to crack, which means that it even takes a computer a really long time to guess it.

I wrote up some comments about this in a part of my web site called The Center for Password Sanity.