The End of the Username / Password Paradigm

Filed under “Privacy,” “Technology & the Law,” and “Science & Technology”
by Adam at 4:10 PM


MSNBC reports today that financial services web sites in some countries are moving to more complex authentication methods as password cracking becomes an increasingly serious security threat.

A Scandinavian bank is experimenting with single-use supplemental passwords mailed to members on scratch-off cards. A Belgian company manufactures a “password calculator” that generates pseudo-random codes based on your primary password, the time of day, and “the unit’s unique characteristics.”
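The kind of scheme both products point toward, as an added example that is not from the article or from either vendor: a code derived from a per-device secret, the user's password and the current time window, checked by a server that tolerates small clock drift and refuses any code a second time. The HMAC construction and truncation follow the public HOTP/TOTP approach (RFC 4226/6238); the 30-second step, the function names and the sample secret are assumptions, not details of the Belgian device.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code window (assumed value)


def derive_key(device_secret: bytes, password: str) -> bytes:
    """Bind the user's password to the unit's secret, so neither alone yields codes."""
    return hmac.new(device_secret, password.encode(), hashlib.sha256).digest()


def code_for_step(key: bytes, step: int, digits: int = 6) -> str:
    """HOTP-style code for one time step (dynamic truncation per RFC 4226)."""
    mac = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Server side: accepts a code once, within +/- drift_steps of its own clock."""

    def __init__(self, key: bytes, drift_steps: int = 1):
        self.key = key
        self.drift_steps = drift_steps
        self.last_step = -1  # highest step already accepted

    def verify(self, code: str, now: float) -> bool:
        current = int(now // STEP)
        for step in range(current - self.drift_steps, current + self.drift_steps + 1):
            if step <= self.last_step:
                continue  # already used or older: codes are single-use
            if hmac.compare_digest(code_for_step(self.key, step), code):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    key = derive_key(b"constructed-device-secret", "correct horse")  # constructed sample
    server = Verifier(key)
    t = 1_000_000.0  # constructed timestamp
    code = code_for_step(key, int(t // STEP))
    print(code, server.verify(code, t), server.verify(code, t))  # second check is a replay
```

A captured code is useless after one login or one expired window, which is the property the scratch-off cards get from being crossed off a printed list.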

Both solutions seem clumsy and baroque to me, but password security is not an easily resolved issue. Strong passwords are by nature difficult to remember. If you use a secure password keeper like Mac OS’s “keychain” you’re totally screwed if you happen to forget your one master password. As a result, users choose passwords that are simple and easily cracked. There just isn’t much that service providers can do about it at this point. User education can go a long way, but I think this problem is still a few years from a real solution.

How about you? Does anyone else out there have a great idea for the authentication system of the future?