Mar 02 2012

Passwords Aren’t Sufficient, but What’s the Best Alternative?

Gartner analyst thinks the waters around an improved authentication method will remain muddied for a while.

As information security goes, far too many people’s passwords are the equivalent of using a piece of tape to secure an unlocked door. As the worst passwords of 2011 showed us, when tasked with managing their own data protection, the average user opts for convenience over security. That means they choose passwords that they’ve used before, or ones with predictable sequences, such as 123.

But password security flaws are nothing new; and there are already alternative authentication methods, such as tokens and smartcards, in use in the enterprise.

The urgency behind getting authentication and identity recognition right received a shot in the arm when NIST announced it would fund up to $100 million in research projects, which the agency is calling “identity solutions,” that come up with better alternatives to the password, reports The Washington Post.

However, Gartner analyst Ant Allan writes in a post on the Gartner blog that authentication will remain murky territory despite the NIST initiative:

I’m not sure if this doesn’t muddy the waters. My feeling is that the pilots for authentication methods and interoperability frameworks should be discrete, resulting in services that organizations can plug together according to their needs. If single proposals do address both aspects, I’d hope that the parts could be easily decoupled.

If the NIST initiative stimulates the development of the ideal authentication (or recognition!) technology it will not be as useful if it’s inseparable from a novel interoperability framework — that will be a barrier to adoption by organizations that have already invested in SAML [Security Assertion Markup Language] federation, for example (unless vendors can be unusually prompt in adopting the new technology!). I’d expect to see the first real-world implementations being messy hybrids … and those might be rather persistent.

For more on the future of password alternatives, read Ant’s post on the Gartner blog.