TalkBack 31 of 34:
Weak but realistic
Thanks to Microsoft marketing staff for reminding us that passwords are weak. Yes, we have known it for years! But are biometrics, smart cards or two-factor authentication the ultimate solutions? Not sure. They are complex and expensive to implement, often complex to use and not 100% safe.
About complexity, let's review my access to my Swiss Internet banking account. It uses two-factor authentication with a smart card. It is very safe and VERY complex. To log in to my account I first have to input my contract number in the web site and then click "ok". The web site will display a challenge code (8 alphanumerics). I now have to insert my smart card in a special small device with a keyboard and an LCD display, both supplied by the bank, switch on the device, input my PIN to unlock the smart card (three wrong PINs and my smart card must be replaced), press "ok", input the challenge code given previously into the device, press "ok" again, and the device will display the response (8 alphanumerics). Then I have to input this response into the web site. If everything is ok I can now access my account! Whooo! I have to input 26 characters in four different steps to access my account. This is Security! But will my Granny really be able to use this without extensive training and two or three smart cards to replace the ones she locked during the training? I guess that she will write down the PIN and contract number on the smart card using a permanent pen and store everything together in the first tray of her kitchen cabinet in an envelope named "Bank account access".
What is the cost for the bank? The bank has to send the contract, device and smart card in at least two different registered mails, with a pro-forma form for customs clearance if the device is sent outside Switzerland, and has to maintain a digital certificate for each customer and all the infrastructure. The helpdesk is also a nightmare because customers can forget the contract number, or lock, lose or destroy the smart card, and calculate or simply forget the instructions.
Is biometrics easier? Maybe (without considering the privacy issues). But it is not adapted to, for example, clean (a surgery room) or contaminated environments where employees or rescuers must wear protective clothes (and fire can happen everywhere).

So passwords, even if weak, I agree, are still the simplest, most flexible and cheapest way to secure something. In many countries, not as rich as Switzerland or the US, governments, companies and individuals cannot afford the price of implementing biometrics or other advanced authentication methods. We must first remember that education about how to protect our password and identity is the primary way to better security.
Posted by: gandreotti   Posted on: 12/09/04
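
The challenge-response login described in the post above, as an added example that is not part of the original post and not the bank's actual scheme. It assumes a per-customer shared key and HMAC-SHA256 (the post mentions a digital certificate per customer, so the real device may sign asymmetrically); the class names, code alphabet and contract number format are hypothetical.

```python
import hashlib
import hmac
import secrets

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols, constructed for this example


def to_code(digest: bytes, length: int = 8) -> str:
    """Map digest bytes to an 8-character alphanumeric code (256 % 32 == 0, so no bias)."""
    return "".join(ALPHABET[b % 32] for b in digest[:length])


class CardLocked(Exception):
    """Raised once the PIN retry counter is exhausted."""


class SmartCard:
    """Card plus handheld reader: the key never leaves the card."""
    MAX_PIN_TRIES = 3  # per the post: three wrong PINs and the card must be replaced

    def __init__(self, key: bytes, pin: str):
        self._key, self._pin, self._tries_left = key, pin, self.MAX_PIN_TRIES

    def respond(self, pin: str, challenge: str) -> str:
        if self._tries_left == 0:
            raise CardLocked("card must be replaced")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1
            raise ValueError("wrong PIN")
        self._tries_left = self.MAX_PIN_TRIES  # a correct PIN resets the counter
        return to_code(hmac.new(self._key, challenge.encode(), hashlib.sha256).digest())


class Bank:
    def __init__(self):
        self._keys = {}     # contract number -> per-customer key (assumed shared secret)
        self._pending = {}  # contract number -> outstanding challenge

    def enroll(self, contract: str, pin: str) -> SmartCard:
        self._keys[contract] = secrets.token_bytes(32)
        return SmartCard(self._keys[contract], pin)

    def challenge(self, contract: str) -> str:
        self._pending[contract] = to_code(secrets.token_bytes(8))
        return self._pending[contract]

    def verify(self, contract: str, response: str) -> bool:
        challenge = self._pending.pop(contract, None)  # single use, so a captured response cannot be replayed
        if challenge is None or contract not in self._keys:
            return False
        expected = to_code(hmac.new(self._keys[contract], challenge.encode(), hashlib.sha256).digest())
        return hmac.compare_digest(expected, response)
```

The PIN is checked only on the card, so the bank never sees it, and the retry counter is what turns a forgotten PIN into the card replacement and helpdesk cost the post describes.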


Any major change in corporate security methods  alterego_z | 12/09/04
The article should have been called 'MS says smart cards are the way' (NT)  Letophoro | 12/09/04
Smart cards? Think "ATM cards"...  Zogg | 12/09/04
Strong Passwords  rpmyers1 | 12/09/04
This is rich...  Yen_z | 12/09/04
Once Again Microsloth Tries To Rule The World  itanalyst | 12/09/04
Good post, bad title  rapson | 12/09/04
Like I said...  John L. Ries | 12/09/04
Humans will ALWAYS be the weakest link.  No_Ax_to_Grind | 12/09/04
Message has been deleted.  itanalyst | 12/09/04
Ah, looking for your first deleted message today?  No_Ax_to_Grind | 12/09/04
Like I Care If It Gets Deleted....  itanalyst | 12/09/04
I understand, no value to your posts.  No_Ax_to_Grind | 12/09/04
Cmon No_Ax, You Know Me Better Than That  itanalyst | 12/09/04
Doubtful  LinuxHippie | 12/09/04
No And No  itanalyst | 12/09/04
Message has been deleted.  No_Ax_to_Grind | 12/09/04
ROFLMAO  No_Ax_to_Grind | 12/09/04
I Guess So..LOL!!  itanalyst | 12/09/04
Cards can be lost, just implant the chip!  Sunny Jalolly | 12/09/04
Nice Idea....If You Want To Burn In Hell  itanalyst | 12/09/04
But, you don't believe in Hell.  No_Ax_to_Grind | 12/09/04
Sure I Believe In Hell  itanalyst | 12/09/04
Have some of you not even SEEN a smart card?  BigHeat | 12/09/04
Yes, and replacement costs went thru the roof  Sunny Jalolly | 12/09/04
Interesting - sounds like SecurID  Zogg | 12/10/04
"Smart card" is generic - SecureID is an example.  BigHeat | 12/10/04
Connection with Sun?  Roger Ramjet | 12/09/04
At last: we found the  michael-t | 12/09/04
Smart Card for a Dumb OS  jacarter3 | 12/09/04
Weak but realistic  gandreotti | 12/09/04
Passwords are broken, but you can't make them better with duct tape  bkml@... | 12/14/04
ms idea of secure passwords is passport  JasonL31 | 12/10/04
Why not pass phrases  MAButler | 01/28/05
