The foundation for security and enterprise management
In the last issue we were talking about username/password technology for modern networks and how to "manage" them. My suggestion was to manage to boot the technology out the door.
The problem is that users can only remember fairly simple passwords. Anything that even resembles a strong password is almost always a candidate to be written on a sticky note and attached to the computer or monitor. So – if you must use passwords – why not give users passwords they don’t have to remember? Why not go to One Time Passwords (OTP)?
When I talk to users about OTP they almost always first think of devices like RSA's SecurID key fob. It’s been around for a long time, so it could be considered the “traditional” OTP device. Nowadays, though, it's time to move on. Let me tell you about two other ways to do OTP.
Interestingly, I met with the folks from Nordic Edge during the RSA conference a couple of weeks ago. They wanted to show off their OTP solution using cell phones. The idea is that someone logs in with a username/password combination, then the OTP server sends an SMS message to their cell phone. Only by entering the PIN received in the SMS does the user gain access. Others have done this sort of out-of-band OTP before, but the guys at Nordic Edge have added a new twist. Some of their larger clients (many in government, education and healthcare) said that SMS was nice, but pricey. So Nordic Edge came up with a cell phone application (currently available on the iPhone, soon on Android and a bit later on any Java-enabled phone) that essentially works the same way as the SecurID – press a button and it generates an OTP. The application itself is password protected for added security. And most enterprise users (heck, most computer users) already have the necessary hardware. Check it out.
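Both mechanisms in working form, as an added example that is not the column's or Nordic Edge's code: the app path is modelled as standard time-based OTP (RFC 6238, an assumption, since the column names no algorithm) with a server-side check that tolerates one step of clock drift but rejects a replayed code, and the SMS path as a random, short-lived, single-use PIN. The key is the RFC test-vector key, used here as constructed sample data.

```python
import hmac, hashlib, struct, secrets

STEP = 30      # seconds per time step (RFC 6238 default; assumption, the column names no algorithm)
DIGITS = 6
# RFC 4226/6238 test-vector key, used here only as constructed sample data
SAMPLE_SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, now: float, step: int = STEP) -> str:
    """Phone-app side: the code produced when the user presses the button."""
    return hotp(secret, int(now // step))

class TotpVerifier:
    """Server side: accept codes from the current step +/- window, but never
    accept a step at or below one already consumed (defeats replay of an observed code)."""
    def __init__(self, secret: bytes, window: int = 1, step: int = STEP):
        self.secret, self.window, self.step = secret, window, step
        self.last_step = -1
    def verify(self, code: str, now: float) -> bool:
        current = int(now // self.step)
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step:
                continue
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False

class SmsPinIssuer:
    """SMS path: random PIN per login attempt, short lifetime, single use."""
    def __init__(self, ttl: int = 300):
        self.ttl, self.pending = ttl, {}
    def issue(self, user: str, now: float) -> str:
        pin = f"{secrets.randbelow(10 ** DIGITS):0{DIGITS}d}"
        self.pending[user] = (pin, now + self.ttl)   # this is what gets sent over SMS
        return pin
    def redeem(self, user: str, pin: str, now: float) -> bool:
        entry = self.pending.pop(user, None)          # one attempt only, right or wrong
        if entry is None or now > entry[1]:
            return False
        return hmac.compare_digest(entry[0], pin)
```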
The second OTP solution comes from my friends at Validus Technology.
<disclaimer> I do serve on the advisory board for Validus.</disclaimer>
While trying to build a better credit card, Validus discovered a “better” OTP device. This is a credit card sized card with a built-in fingerprint reader. Just swipe your finger to generate an OTP. In the future this could be fitted with an RFID-style proximity device to converge physical and logical access using a biometric control and one-time passwords. The proximity device could be either “always on” or activated by the fingerprint swipe for even higher security. Something else you need to check out.
Even if neither of these solutions is right for you today, if you’re still using simple username/password (SUP) for authentication you need to move quickly to something stronger.
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.