Give users passwords they don't have to remember

One Time Passwords (OTP) solutions
Security: Identity Management Alert, by Dave Kearns, Network World, 05/06/2009

Dave Kearns provides the information you need to evaluate, install and maintain your corporate identity management system.


In the last issue we were talking about username/password technology for modern networks and how to "manage" them. My suggestion was to manage to boot the technology out the door.

The problem is that users can only remember fairly simple passwords. Anything that even resembles a strong password is almost always a candidate to be written on a sticky note and attached to the computer or monitor. So – if you must use passwords – why not give users passwords they don’t have to remember? Why not go to One Time Passwords (OTP)?

When I talk to users about OTP they almost always first think of devices like RSA's SecurID key fob. It has been around for a long time, so it could be considered the "traditional" OTP device. Nowadays, though, it's time to move on. Let me tell you about two other ways to do OTP.

Intriguingly, I met with the folks from Nordic Edge during the RSA conference a couple of weeks ago. They wanted to show off their OTP solution using cell phones. The idea is that someone logs in with a username/password combination, then the OTP server sends an SMS message to their cell phone. Only by entering the PIN received in the SMS does the user gain access. Others have done this sort of out-of-band OTP before, but the guys at Nordic Edge have added a new twist. Some of their larger clients (many in government, education and healthcare) said that SMS was nice, but pricey. So Nordic Edge came up with a cell phone application (currently available on the iPhone, soon on Android and a bit later on any Java-enabled phone) that essentially works the same as the SecurID: press a button and it generates an OTP. The application itself is password protected for added security. And most enterprise users (heck, most computer users) already have the necessary hardware. Check it out.
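To make the two flows above concrete, here is an added example (not code from the column, from Nordic Edge or from any vendor it names) that models both on the server side. The "press a button" token is assumed to follow HOTP (RFC 4226), the standard event-based algorithm; the column does not say which algorithm the Nordic Edge app actually uses. The SMS flow is modelled as a random, short-lived PIN that the server stores only as a hash; the `send` callback is a hypothetical stand-in for carrier delivery. The HOTP function is checked against the RFC 4226 test vectors, and the verifier shows the two properties a defender cares about: a code can be used once only, and a token whose counter has drifted ahead (button pressed without logging in) is resynchronised within a bounded look-ahead window rather than locked out.

```python
"""Added example: server-side handling of two OTP styles.

  1. HotpVerifier: an event-based token, assumed (not stated on the page)
     to implement HOTP per RFC 4226.
  2. SmsChallenge: an out-of-band PIN delivered by a hypothetical `send`
     hook, hashed at rest, time-limited and attempt-capped.
"""
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """State the server keeps for one enrolled token.

    A submitted code is accepted only if it matches one of the next
    `window` counters. The accepted counter is then advanced past it, so a
    replayed code is rejected (the 'one time' property) and a token whose
    counter ran ahead by a few presses is resynchronised automatically."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.next_counter = 0  # first counter value not yet consumed

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1  # resync and burn this code
                return True
        return False


class SmsChallenge:
    """Out-of-band PIN as in the SMS flow. The clear PIN exists only long
    enough to hand to `send`; the server keeps a hash, an expiry and a
    remaining-attempt count, and discards the challenge after one success,
    after expiry, or after too many wrong guesses."""

    def __init__(self, send, digits=6, ttl_s=120, max_tries=3):
        self.send, self.digits, self.ttl_s, self.max_tries = send, digits, ttl_s, max_tries
        self.pending = {}  # user -> [pin_hash, expiry, tries_left]

    def issue(self, user: str, now=None) -> None:
        now = time.time() if now is None else now
        pin = "".join(secrets.choice("0123456789") for _ in range(self.digits))
        pin_hash = hashlib.sha256(pin.encode()).digest()
        self.pending[user] = [pin_hash, now + self.ttl_s, self.max_tries]
        self.send(user, pin)  # hypothetical delivery hook (carrier SMS in the column)

    def verify(self, user: str, pin: str, now=None) -> bool:
        now = time.time() if now is None else now
        entry = self.pending.get(user)
        if entry is None:
            return False
        pin_hash, expiry, tries_left = entry
        if now > expiry or tries_left <= 0:
            del self.pending[user]  # stale or exhausted: force a fresh challenge
            return False
        entry[2] -= 1
        if hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), pin_hash):
            del self.pending[user]  # one use only
            return True
        return False
```

The `now` parameters exist so expiry can be exercised deterministically; in production they are left at their default. Note that the SMS model assumes nothing about the confidentiality of the delivery channel: the server-side controls (short lifetime, few attempts, single use) are what limit the damage if a PIN is observed in transit.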

The second OTP solution comes from my friends at Validus Technology.

<disclaimer> I do serve on the advisory board for Validus.</disclaimer>

While trying to build a better credit card, Validus discovered a "better" OTP device. This is a credit-card-sized card with a built-in fingerprint reader. Just swipe your finger to generate an OTP. In the future this could be fitted with an RFID-style proximity device to converge physical and logical access using a biometric control and one-time passwords. The proximity device could be either "always on" or activated by the fingerprint swipe for even higher security. Something else you need to check out.

Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.

Comments (9)

OTP
By Anonymous on May 6, 2009, 9:17 am
I saw Secure Grid at last week's Info Sec and was mightily impressed. OTP and 2 factor authentication. Wrap that into your IAM solution and you've got a pretty decent...


Cellphone OTP
By Anonymous on May 6, 2009, 10:37 am
Keep in mind that with cellphone OTP, you're essentially trusting the security of your carrier's networks. SMS messages aren't encrypted. Kwame Kilpatrick (former...


At RSA was SyferLock Technology Corp. - Dave did you see them al
By Anonymous on May 6, 2009, 12:02 pm
The system was true One Time Password, deviceless and zero footprint. Huge value for web access where a mobile user does not want the burden of a token, smartcard,...


Old news
By Anonymous on May 6, 2009, 3:00 pm
Open Communications Security, from Brazil, has a pretty stable version of what Nordic Edge is offering for almost 3 years by now: http://www.opencs.com.br/ingles/mtrusted.html Also,...


OTP
By Anonymous on May 6, 2009, 3:28 pm
UGH - not this again ... ---- K.I.S.S. --- 90% of shops out there have no need for 2-3 or, God forbid, 4 layers of authentication or convoluted (and I wager mighty...


Right on! working in a field
By Anon on May 6, 2009, 5:06 pm
Right on! Working in a field where employees are constantly privy to confidential data and literally have to make life and death decisions on a moment's notice, I...
