Windows administrators have traditionally relied on passwords as a means of credential management to keep the wrong people from accessing networks and crucial data. But this is a defense whose days may be coming to a close.
Passwords are easily compromised by hackers and often forgotten by users. Threats are becoming more sophisticated as networks accommodate mobile devices, and regulatory compliance standards are pushing security measures beyond this first level of defense.
"Passwords are important, as is having a strong password policy," said Richard Opal, with Peters & Associates Inc. of Oak Brook Terrace, Ill., a technology business systems design company. "But if you're either working for a regulated company or touching a regulated company, passwords just aren't enough."
Two examples of highly regulated industries are finance and healthcare, which dictate standards on securing data and access, said Opal.
Password protection is also not a sufficient security measure for lost or stolen mobile devices. Such devices often contain a lot of corporate data and are only protected with a password that Opal said he has seen users write down on a sticky note in their workbags.
"The truth of it is that if you have a server room and there are controls, such as keycard access or pins, mobile devices are the new edge of the network and you have to have the same level of accountability there," he said.
Add to this the mundane task of resetting passwords -- one-third of all help desk calls are for password resets, and it becomes obvious why IT shops are eager to seek out password protection alternatives.
Meeting federal regulations with multi-factor validation
Carol Minges, director of technical services at Forum Credit Union in Indianapolis, Ind., said her company installed multi-factor authentication in September to comply with regulations required by the Federal Financial Institutions Examination Council.
"We didn't have a choice," she said. "We were looking for something as non-intrusive as possible." The credit union chose BioPassword Inc.'s biometric single sign-on technology to record a user's keystroke time and rhythm. By doing so, the software can identify a user's unique rhythm before granting that user access to an account.
Forum's employees and its 50,000 banking customers now use the biometric software program. When employees log in, they only have to sign in once and BioPassword authenticates them and authorizes which data they can access. Bank customers log into their online banking accounts from wherever they are, and the software authenticates their identity and provides access to their accounts.
Forum Credit Union has plenty of company in its need to adopt stronger authentication methods to comply with new regulations. Seventy percent of all identity and access management products sold are bought by companies that must meet new guidelines in banking, healthcare and other highly regulated industries, said Sally Hudson, an analyst with IDC, a research company based in Framingham, Mass.
During the next four years, predicts IDC, IT departments will buy some form of authentication technology if they haven't already. The identity and access management market is expected to jump from $3.37 billion in 2007 to $4.97 billion by 2011.
To manage credentials, IT shops are buying single sign-on technology, smart cards, tokens, one-time password generators and biometrics; and some products combine more than one technology. Single sign-on lets end users log on once to the system and provides access to all the applications they are authorized to use. There are also hardware and software tokens that allow end users to authenticate themselves to gain access to systems and applications.
Credit-card-sized smart cards are usually embedded with an integrated circuit that stores data and may offer encryption and authentication capabilities. The card is loaded with the user's personal data, which can be read by a system's card reader to authenticate the user.
And there is also ID control technology that allows for strong one-time password authentication by sending new passwords to a user's mobile phone or other handheld device every minute or so. An algorithm creates and sends a new password for each login, avoiding password memorization or misplacement issues.
As these technologies push password protection closer to extinction, a fate that Microsoft founder Bill Gates predicts will occur in the next few years, Microsoft has stepped up development in identity and access management for enterprises.
Historically, Windows shops have relied on Active Directory as a base facility to store and manage user identities and authorizations. Today, IT shops have the option of using Microsoft's Identity Lifecycle Manager 2007 product to administer user identities and their associated credentials through certificates with a public key infrastructure. Microsoft also sells its Rights Management Services, which encrypts and grants special access privileges for its Word or Excel documents, for example.
Password protection alternatives to watch
Security vendors, such as RSA Security Inc., now owned by EMC Corp., sell a variety of hardware and software authentication technologies, including smart cards, USB tokens and digital certificates.
ActivIdentity Corp. of Fremont, Calif., and Gemalto N.V. in the Netherlands are two of the biggest makers of smart cards, as well as other security technologies, like single sign-on products.
Other security companies include Entrust of Addison, Texas, which makes a variety of products -- tokens, and Secure Sockets Layer (SSL) certificates for securing servers such as Microsoft's Exchange Server 2007 and Office Communications Server. Aladdin Knowledge Systems Ltd., based in Tikva, Israel, makes eTokens for USB-based authentication in Windows NT, Windows 2000 and Windows XP.
But while new technologies try to push the password off of its dominant perch, for many, Gates' prediction of the password's demise might be premature.
"Right now [passwords] are the overwhelming default authentication and they permeate everything we do," said Mark Diodati, an analyst with Burton Group, a research company based in Midvale, Utah. "Slowly, over time, other technologies will be adopted," he added. "I don't think we'll ever see them entirely eclipsed, but there will be other technologies adopted."