Late last year, online computer security hit something of a milestone. According to the Privacy Rights Clearinghouse, the total number of data breach victims topped one million. Privacy Rights Clearinghouse has been tracking data breaches since February 2005, when ChoicePoint disclosed that thieves had stolen information on 163,000 victims from the company's database.
A large number of these data breaches involved computer passwords. Passwords have been around for a long time. Widely recognized as the weakest link in IT security, they are clearly well past their sell-by date. However, in spite of urgent efforts by government agencies, corporate enterprises and financial institutions, practical alternatives have not been forthcoming. Virtually 100% of our network access today relies on a password or PIN as the primary means of user authentication.
Since absolute security is not possible, the aim is to reduce risk and fraud to more acceptable levels. Pressure to do so is coming from both users and regulators. For instance, in 2005 the Federal Financial Institutions Examination Council (FFIEC) issued Guidance to financial institutions. The Guidance deemed password-only authentication “inadequate… for high-risk transactions involving access to customer information or the movement of funds to other parties.” The FFIEC Guidance recommended that financial institutions with online consumer operations implement stronger authentication by the end of 2006. It’s still too early to tell what steps financial institutions have in fact taken. But there’s no doubt the FFIEC’s Guidance has been a powerful motivator for a leading industry to rethink online authentication.
While financial institutions and other private and public entities have begun to move towards stronger authentication, too often these solutions do not adequately take account of the impact on users. Some enterprises are distributing electronic tokens or code-cards to customers, some are using cryptographic cookies to identify the users’ computers, and others are adding an additional “knowledge factor” (such as a PIN or private personal information).
Tokens, smart cards and code-cards require users to carry around yet another valuable item that can be lost or stolen. And since most users deal with multiple online businesses and institutions, they will likely end up having to deal with multiple devices and cards. Multiple devices are inconvenient for users and can be expensive for the organizations that issue them. More important, these methodologies verify the item, not the user. They still rely on a password or PIN as the only means of authenticating the actual person attempting to access data, money and other goods.
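The following is an added illustration, not code from the original article or from any vendor it mentions. It models the layered scheme described above: a password (knowledge factor) checked first, then a challenge against a mailed code-card (possession factor). The card layout, the three-cell challenge, the PBKDF2 parameters and the account record are all constructed assumptions. Running it shows the point the article makes: the server can confirm that whoever is logging in knows the password and holds the card, but nothing in the exchange ties either factor to the actual person.

```python
"""Password + code-card login check (constructed example)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed 5x5 code card: cells are addressed by row letter and column number,
# each holding a two-digit code the user reads off when challenged.
ROWS = "ABCDE"
COLS = "12345"


def make_code_card(rng=secrets) -> Dict[str, str]:
    """Issue a fresh card with an independent random two-digit code per cell."""
    return {r + c: f"{rng.randbelow(100):02d}" for r in ROWS for c in COLS}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the iteration count is an assumed example value."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def issue_challenge(n: int = 3, rng=secrets) -> List[str]:
    """Pick n distinct cells; the user must supply those codes in order."""
    cells = [r + c for r in ROWS for c in COLS]
    return [cells.pop(rng.randbelow(len(cells))) for _ in range(n)]


def verify_code_card(card: Dict[str, str], challenge: List[str], response: str) -> bool:
    expected = "".join(card[cell] for cell in challenge)
    return hmac.compare_digest(expected.encode(), response.encode())


def authenticate(account: dict, password: str, challenge: List[str], card_response: str) -> str:
    """Knowledge factor first, then possession factor; returns a short verdict."""
    if not verify_password(password, account["salt"], account["pw_hash"]):
        return "denied: password"
    if not verify_code_card(account["card"], challenge, card_response):
        return "denied: code card"
    return "ok"


if __name__ == "__main__":
    # Constructed account: a stored salted hash plus the card mailed to the customer.
    card = make_code_card()
    salt, pw_hash = hash_password("example-passphrase")
    account = {"salt": salt, "pw_hash": pw_hash, "card": card}

    challenge = issue_challenge()
    print("challenge cells:", challenge)
    # The legitimate user reads the three codes off the card.
    print(authenticate(account, "example-passphrase", challenge,
                       "".join(card[c] for c in challenge)))
    # Knowing the password alone is not enough once the card is required.
    print(authenticate(account, "example-passphrase", challenge, "000000"))
```

Note that `authenticate` never learns who is at the keyboard: anyone presenting the right password and the right card codes is accepted, which is exactly the "verifies the item, not the user" limitation the text describes. The card check is also only as strong as the password gating it, since the card codes are read back in the clear and the same card is reused across logins.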