I came across an interesting New York Times story by Randall Stross over the weekend that discusses how we should be replacing passwords with information cards and how so-called single sign-on (SSO) services (e.g., OpenID and I’m sure any commercial product SSO efforts as well) just don’t add the security we need. Here are the relevant snippets from the article:

“The solution urged by the experts is to abandon passwords – and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties’ authenticity, using digital keys that we, as users, have no need to see. In short, we need a log-on system that relies on cryptography, not mnemonics. As users, we would replace passwords with so-called information cards, icons on our screen that we select with a click to log on to a Web site. The click starts a handshake between machines that relies on hard-to-crack cryptographic code.”
“We won’t make much progress on information cards in the near future, however, because of wasted energy and attention devoted to a large distraction, the OpenID initiative. OpenID promotes “Single Sign-On”: with it, logging on to one OpenID Web site with one password will grant entrance during that session to all Web sites that accept OpenID credentials. OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else’s Web site.”
Strangely enough, Microsoft seems to be involved in this new information card technology. It sounds a lot like Microsoft’s well-known CardSpace technology. As a matter of fact, Microsoft is part of a new Information Card Foundation (ICF) along with other heavyweights such as Equifax, Google, Novell, Oracle and PayPal. But then Microsoft is also a supporter of OpenID. How ironic…
The only issue I see with these information cards is that, as described in the New York Times story, they are desktop icons that you click to log in. When I’m logging into Windows at the beginning of the day, what do I do then? I won’t have access to these information card icons yet. Passwords, anyone? Plus, this doesn’t alleviate the problem of computers being infected with malware. If I can click it, a Trojan or virus can too. I agree with all the points about OpenID and other SSO efforts… but they’re so darn convenient! There are a lot of questions that need to be addressed here, and I’m sure we’ll all be learning a lot more about this technology as it evolves.
What do you think about this new authentication technology? Does your organization have plans to replace passwords with information cards? Here’s a link to the New York Times article.