A saintly solution to passwords would be welcome.
"Will somebody rid me of this cursed priest?" I know exactly how Henry II felt. I feel the same way about passwords. Now I'm not advocating the solution is to emulate Henry and encourage the murder of the Archbishop of Canterbury. However, I do think that it is about time, after 50 years, an industry that professes to embrace research and innovation devised something a bit more elegant than passwords to control access rights to IT systems.
Recently ASIC sent me an e-mail informing me that some new correspondence had been delivered to my company account on the ASIC Web site. Alarm bells rang in my head. ASIC is, after all, a corporate regulator. Had I overlooked something? Did I need to submit new information? Was there a bill to pay? I rushed to log in to their Web site. Then it hit me. What was my ASIC account number and password? It has probably been four years since I last needed to access my ASIC account correspondence file. I'm not Steve Vizard. It's not like we talk on a regular basis.
Was this a password that was all numbers or was an alphanumeric required? Had I been able to customize it and if so which of my family, pets or football teams had I selected? Was it four digits, six or even eight? At the back of my mind was the knowledge that I would probably have three strikes and then be out. How would ASIC respond to what they might perceive as a security breach? Would the "feds" be hot on my tail? Crikey! Crikey.com might even get involved.
For some time I've been aware in my discussions with CIOs of a broad recognition that something needs to be done about the password problem. I have heard of a myriad of potential panaceas to the problem. These include single sign-on, biometrics technology and the use of tokens, certificates or smart cards. Yet the reality is that despite a lot of talk nothing seems particularly advanced, particularly as far as the general consumer goes.
My first thought was that biometrics technology, like fingerprint or iris scans, would be foolproof, as it relies on characteristics unique to an individual. Then an IS security manager at a bank put me in the picture. Iris or fingerprint scans only digitize a body characteristic. In the end the computer only wants the digitized data - not the iris or fingerprint image. As such, why is that any better than typing the password in the first place, especially since a bleary eye or a sweaty finger might distort the body scan?
Then I thought that single sign-on seemed the answer. However, another person asked how I would feel if all the keys to my house, my car and my office were the same. Wouldn't I worry about the repercussions if one of those keys were lost? I know of a number of IS executives, in legal firms especially, who speak highly of tokens and certificates. However, I do get the impression that these are somewhat cumbersome and not really suitable for the mass market.
I'm still waiting to discover what the best solution will be. However, I do know what happened to Thomas Becket after the henchmen of Henry II murdered him. He was canonized. Pilgrims flocked to Canterbury just to see his tomb. Perhaps that might be the fate of the individual who eventually helps this industry by coming up with an effective answer to securing user access to a multitude of personal applications.
Peter Hind is a freelance consultant and commentator with nearly 25 years experience in the IT industry. He is co-author of The IT Manager's Survival Guide and ran the InTEP IS executive gatherings in Australia for over 10 years.