With Richard Moulds, vice president of marketing, nCipher. Late last year, nCipher introduced what it says is the first embedded hardware security module.
Question: Are passwords going to disappear during 2007?
Moulds: It's unlikely that it will [happen] overnight. Passwords have been here for many decades and will be for many decades to come. In certain circumstances, they might disappear from the view of most users, but not necessarily disappear from the organization as a whole. The [reason will be] the rise of technologies such as single sign-on within the organization. I think there will be a fairly strong rush toward the use of stronger authentication. 2007 could be the year of smart cards, therefore in the background could be the year of PKI. ... I think that a lot of it is driven by Microsoft.
Question: What will the evolution look like?
Moulds: There are two [potential] paths. [One is the use of] password tokens, such as RSA's SecurID. The thing is that it is relatively expensive. It would not be given to every user. What you would do is select high-value users. Perhaps a commuter, maybe remote workers, maybe stock traders -- people who justify that kind of money. But that leaves the majority on passwords. That's a very selective approach, a very tactical approach to a specific group of users. The alternative track is the use of PKI, in which organizations bite the bullet, get religion, and sign up to PKI lock, stock and barrel and give users technology, such as smart cards, which usually are PKI-based. One is a wholesale shift to PKI -- with all its problems -- the other a much more selective, much more limited approach.
Question: What is the major challenge with PKI?
Moulds: The problem with PKI is that a lot of systems in an organization, a lot of applications that users may log onto, are not equipped for smart cards or PKI. So even though tokens are given to users, there is a problem in enabling infrastructure to actually authenticate. It's one of the barriers and one reason PKI has struggled to take off. So what has happened in the last few years is that people have used enterprise single sign-on. This is a device or system that sits in front of applications that use the fancy PKI application. The SSO then uses passwords essentially as agents to get onto the applications. So SSO is a way of overcoming one limitation. Those applications are not PKI-enabled. Passwords are still going to be used to get into the applications. What's interesting about that [is that] the server can use passwords far stronger than the user can. So where the person uses "Manchester United" as their password, the server can use "j9u8f9k##/." So therefore passwords haven't gone away. The use of passwords has gone from weak passwords … to much more rigorous, quality-centric passwords. In 2007, we will see user-oriented passwords disappear quite quickly. What will remain are backend system-to-system passwords.
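The enterprise single sign-on pattern Moulds describes in the answer above, as an added illustration that is not part of the interview and not nCipher's product code: the user proves identity once with a strong credential (here simulated by a boolean the caller passes in), and a credential vault holds a distinct, machine-generated password per backend application that is never shown to the user. The vault class, its method names, the 94-character alphabet and the 24-character default length are assumptions chosen for the example; the interview gives "j9u8f9k##/" only as an illustration of a machine-chosen secret. Passwords are drawn with the `secrets` module so the stated search-space size is the real entropy of the generated value.

```python
import math
import secrets
import string

# Assumed alphabet for machine-chosen backend passwords: 52 letters,
# 10 digits and the 32 ASCII punctuation characters (94 symbols total).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_backend_password(length: int = 24) -> str:
    """Return a password chosen uniformly at random from ALPHABET**length.

    secrets.choice uses the OS CSPRNG, so every position carries the full
    log2(len(ALPHABET)) bits; a user-chosen phrase does not.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def search_space_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


class SsoCredentialVault:
    """Toy enterprise-SSO broker (assumed design, not a real product).

    The user authenticates once with a strong credential (smart card, token);
    the vault holds one random password per (user, application) pair and
    presents it to the legacy, non-PKI-enabled application on the user's
    behalf, so the user never sees or chooses the backend password.
    """

    def __init__(self) -> None:
        self._vault: dict[tuple[str, str], str] = {}

    def enroll(self, user: str, app: str, length: int = 24) -> str:
        """Create the backend password for `user` on `app` and store it."""
        password = generate_backend_password(length)
        self._vault[(user, app)] = password
        return password

    def rotate(self, user: str, app: str, length: int = 24) -> str:
        """Replace the stored password; the user is unaffected because the
        user never knew it (the application-side change is out of scope)."""
        if (user, app) not in self._vault:
            raise KeyError(f"{user} is not enrolled on {app}")
        return self.enroll(user, app, length)

    def credential_for(self, user: str, app: str, strong_auth_ok: bool) -> str:
        """Release the backend password only after the user's strong
        authentication has succeeded (simulated by `strong_auth_ok`)."""
        if not strong_auth_ok:
            raise PermissionError("strong authentication required before SSO")
        try:
            return self._vault[(user, app)]
        except KeyError:
            raise PermissionError(f"{user} has no credential for {app}") from None


if __name__ == "__main__":
    vault = SsoCredentialVault()
    vault.enroll("alice", "payroll")   # constructed sample user and application
    print("backend password bits:", round(search_space_bits(24), 1))
    print("released after strong auth:", vault.credential_for("alice", "payroll", True))
```

The comparison the interview draws is visible in the numbers: a 10-character password drawn uniformly from this alphabet carries about 65.5 bits, and the 24-character default about 157 bits, whereas a memorable phrase such as "Manchester United" is a dictionary-style choice whose effective entropy cannot be read off its length. The rotation method also shows why the pattern matters operationally: because the user never held the backend secret, it can be rotated without retraining anyone.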
This 3 Questions originally appeared in a weekly report from IT Business Edge.