Someday soon, you’ll be able to forget your passwords and still access all
the secure servers you use now. In fact, no one will have to remember any
passwords at all.
That’s the future that’s quietly being developed by an important but
little-known organization called OATH, the Initiative for Open Authentication.
This group — which includes such powerful high-tech players as IBM,
Verisign, and the Smart Card Alliance — promises to change forever the
way we use computers and networks.
Managing Passwords vs. Eliminating Passwords
In my last two columns, on Dec.
21, 2004, I described some competing approaches that offer
ways to cope with the problems passwords pose:
• Storing A Fistful Of Passwords.
Pass2Go is a new breed of software that you install onto a USB Flash drive.
The program uses a “master password” to protect all of the username/password
combinations that you tell it. Then, when you’re using a strange computer at an
Internet café or library to access a secure server, you insert your USB
device into the computer’s USB port and type your “master password” to access
the hidden password strings. This method is flawed, however, because you can’t
guarantee the public PC isn’t infected with some Trojan horse that could
capture your passwords.
• Carrying An Authentication Device.
For better security, Verisign and other companies are beginning to sell
USB “keys” that don’t store static passwords. Instead, the devices
display a different one-time password (OTP) every time you need to
log in to a distant computer. For even stronger protection, the remote server
can pose to the USB device a mathematical puzzle. This process, known as
challenge/response authentication, can only be satisfactorily completed
by one particular USB key.
• Unifying The Pieces.
USB ports are very common on PCs these days, and USB Flash drives are small
enough to place on a key ring or even within a wristwatch, so it wouldn’t be
hard to carry such a thing around with you. But what if you need to access
several remote servers at different times? Many people need to log on to more
than one bank account, corporate host, or brokerage firm. Will you need to lug
a half-dozen USB devices with you everywhere?
To answer questions such as these, OATH issued a
charter in Denver, Colo., on Oct. 26 that represents a
technical commitment by its 30-some members. You may or may not like the
solutions they’re coming up with to render passwords obsolete, but you’ll
have to admit that the group’s goals are breathtaking.
The Total Elimination Of Passwords
“I would like the elimination of static passwords,” says Bob Blakley, the
chairman of OATH’s joint steering committee. “The burden of authentication
is going to move off the client computer and move onto a device that is
much smaller and more intimately involved with a human being. It might be a
USB token, it might be a cell phone, it might be a wristwatch.”
In his real job, Blakley is chief security and privacy scientist for
IBM, one of OATH’s founding members. He’s come to believe that networks,
including the Internet, can’t be used securely until the establishment of
two-factor authentication — the possession of some physical
object that proves one’s identity, along with a password or PIN.
“One [factor] is a physical thing that you’ll notice if it goes missing,”
such as your keychain or cell phone. “And it can’t do the same thing
every time.” That’s because static passwords are too easily guessed at or
eavesdropped on. By contrast, there are many pocket-sized electronic gizmos
today that are smart enough to give a different, valid answer to a remote
server every time.
Many Ways To Solve A Single Problem
Devices with enough memory to handle one-time passwords and challenge/response
authentication methods include “smart cards” with digital circuitry and PDAs
(personal digital assistants) such as Palms and Pocket PCs.
Most consumers don’t carry any of those devices, however. So the focus of
two-factor authentication has necessarily moved to devices that can be
given out cheaply — such as $10 USB Flash drives — or tools
already owned by a broad range of consumers, such as smart phones.
Stu Vaeth, chief security officer of Toronto-based development firm
Diversinet, is deeply involved in creating software small enough to fit on
USB keys and higher-end cell phones. As a member of an OATH technical
committee, he played a role in the group’s first major accomplishment:
the publishing in October of a formal
standard for the calculation of one-time passwords.
“The heart of it,” Vaeth says, “is agreeing on an algorithm that the client
and server can use.”
The current version of software that Diversinet has developed to implement
OATH’s proposed OTP standard requires only 64 to 128 KB of disk space to install
and no more than 45 KB to run, according to Vaeth. That’s more storage than
you find on a basic cell phone today, but it’s an amount that’s easily
available on almost any programmable smart phone, PDA, or USB drive.
One-time passwords would be useless to any hackers who successfully
eavesdropped on a computer session. As a result, OTP will probably be
the first part of OATH’s vision to be widely adopted to strengthen authentication.
But Vaeth expects that other approaches OATH is considering will also be formally
proposed to Internet standards bodies soon. Those approaches include
challenge/response authentication, in which a remote server establishes a
communications session to verify the physical device a user is carrying, and PKI
(public key infrastructure), involving the deployment of hard-to-fake
Each of these schemes, OATH members believe, can be implemented in such a
way that any compliant device could be used to authenticate any user. That
means you wouldn’t have to carry around a half-dozen googaws — just one
would be enough to prove to a server that you are who you say you are.
OATH’s proposals, if fully adopted, would mean big changes for end users who
can now simply type in their e-mail address and their dog’s name to access
everything from their local bank to their corporate headquarters.
Big changes may be just the thing we need, though. Virulent hacker attacks are
spreading wildly and rampant identity fraud is exploding geometrically,
disrupting consumers and enterprises alike. So installing a tiny authentication
program onto USB keys, cell phones, or whatever a company’s employees happen to
have is a small inconvenience that should be welcomed with open arms by users
who never liked memorizing passwords in the first place.
For information on OATH’s big plans, visit