Are Passwords Becoming Passé?
Author and astronomer Clifford Stoll once said, “Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every six months.” While this may be sound advice, it raises the question of whether passwords are a sufficient security measure at all for today’s computing environment. A December 2005 Gartner Inc. report predicted: "By 2007, 80 percent of organizations will reach the password breaking point and will need to strengthen user authentication with alternative security methods." Authentication issues aside, just look at any call center and you’ll note that a good percentage of all calls and e-mails they receive are from customers who have simply forgotten their password and/or username.
From an administrative standpoint, the management of passwords is bothersome to administrators as well as to end users. This is especially true when there are multiple passwords and when those passwords must be changed regularly. Users bear the burden of dealing with passwords that expire at different times and that are subject to stringent rules about what constitutes an acceptable password value. Jotting down passwords (on a notepad, a sticky note or inside the desk drawer) is tantamount to leaving the key in the front door; it just makes unauthorized entry easier. If that is not bad enough, security managers are sometimes unaware that a password has been stolen until it is too late. Passwords can be stolen through keystroke loggers, screen scrapers and phishing sites, but whether through outright theft or lax user password practices, passwords are weak control mechanisms, and organizations are now exploring other, more efficient security alternatives.
With passwords gradually falling out of favor, the biometric industry has ably stepped up to the plate to fill the widening void. Where cost was once a disincentive for adopting biometrics as an authentication tool, organizations now must face the challenge of overcoming user mistrust of biometrics. Some users contend that biometric authentication tools infringe on their privacy rights by enabling their employer, the government, and in some cases criminals to gather their individual personal data (including age, sex, genetic makeup and racial characteristics) to create/maintain a profile.
Users often won't trust what they don't understand, and as a consequence the biometric industry may need a good marketing/education program to elucidate the pros of biometrics and alleviate user apprehension. At some point we’ve probably all heard someone say (not necessarily in jest) that they feared the use of fingerprint scanners because they’d heard of people having a finger cut off so a criminal could use it to get past a scanner security system. While that scenario is highly unlikely (especially at an office full of people), it’s nevertheless one of the problematic issues the industry will need to iron out. More likely is the possibility of a scanner being unable to distinguish a photo or a mold of a finger from the legitimate finger itself.
When it comes to authentication, it is ultimately a defense-in-depth approach that works best. Fingerprint verification is a cost-effective, accurate and user-friendly method for most PC authentication needs. And, unlike a password or a PIN, one’s biometric trait(s) aren’t as easily lost or stolen as a single-factor password can be. With biometric security device prices steadily decreasing, administrators may want to relieve the encumbrance of using passwords and instead use biometric or smart card authentication. You can save time and money, and your end users may even thank you.