When I was a kid, it seemed like Penicillin was the wonder drug that cured all. Well, actually Bactine cured all - but if you still had to go to the doctor after your mother sprayed Bactine on you, Penicillin was always the answer. Over time we learned that Penicillin didn't solve all the world's problems and that some bacteria evolved to be Penicillin resistant, but even so - Penicillin is pretty good stuff, cures lots of illnesses.
Moving away from passwords to some form of strong authentication is the same thing. Many, but not all, security problems will be solved if we can get away from reusable passwords. Here's a simple example: imagine if ATMs didn't require an ATM card to dispense cash. Anyone who knew your account name and PIN could walk up, type them in, and empty your account. There is still ATM fraud today (cards can be counterfeited, PINs stolen or guessed, and so on), but imagine the level of problems we would have if physical possession of the ATM card were not part of ATM security.
In the security world, it is popular to point out that any advance in security won't solve all the problems. As the revenue in the security industry has grown, "security in depth" has come to mean "well, that may solve some problems, but to be really secure you still need to spend on me."
Penicillin doesn't solve all the world's problems either, and using it inappropriately can actually cause worse problems. However, doctors would be buried in malpractice suits if they didn't prescribe Penicillin in the myriad cases where it produces a leap in wellness. Ditto with strong authentication: it is a key step forward in increasing Internet security, even though it doesn't represent the end game.
The next big leap is a PC hardware architecture and desktop OS architectures with higher levels of security built in. That can't happen until at least 2007, so getting more authentication tokens into use, and their prices down, by then is a very important step.
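To make the ATM point concrete in code, here is an added example (not from the original post) of the server side of "something you know plus something you have": a salted password hash checked alongside a counter-based one-time code from a token, using the HOTP algorithm from RFC 4226. The user name, password, enrolment API and the look-ahead window of 5 are assumptions for the illustration; the 20-byte secret is the RFC 4226 test secret, so the codes it produces match the RFC's published vectors.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TwoFactorVerifier:
    """Toy server-side user store (assumed for this example): per user, a salted
    PBKDF2 password hash plus the token's shared secret and its moving counter."""

    def __init__(self):
        self.users = {}

    def enroll(self, username: str, password: str, token_secret: bytes) -> None:
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[username] = {"salt": salt, "pw_hash": pw_hash,
                                "secret": token_secret, "counter": 0}

    def verify(self, username: str, password: str, otp: str, look_ahead: int = 5) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        password_ok = hmac.compare_digest(candidate, rec["pw_hash"])

        # Always evaluate the token factor too, so a failure does not reveal
        # which factor was wrong. The server accepts a small window of counters
        # in case the user pressed the token button without logging in.
        token_ok, matched = False, None
        for c in range(rec["counter"], rec["counter"] + look_ahead):
            if hmac.compare_digest(hotp(rec["secret"], c), otp):
                token_ok, matched = True, c
                break

        if password_ok and token_ok:
            # Advance past the used counter so the same code cannot be replayed.
            rec["counter"] = matched + 1
            return True
        # A valid code with a wrong password does not advance the counter,
        # so an attacker cannot burn codes by guessing passwords.
        return False


def demo() -> dict:
    """Walk through the scenarios the ATM analogy describes; inputs are constructed."""
    secret = b"12345678901234567890"  # RFC 4226 test secret
    v = TwoFactorVerifier()
    v.enroll("alice", "correct horse", secret)
    return {
        # Knows the password but has no token: fails.
        "password_only": v.verify("alice", "correct horse", "000000"),
        # Both factors present: succeeds, counter moves to 1.
        "both": v.verify("alice", "correct horse", hotp(secret, 0)),
        # Same code shoulder-surfed and replayed: fails.
        "replay": v.verify("alice", "correct horse", hotp(secret, 0)),
        # Has a fresh code (stole the token) but not the password: fails.
        "token_only": v.verify("alice", "guess", hotp(secret, 1)),
        # Legitimate next login with the next code: succeeds.
        "next": v.verify("alice", "correct horse", hotp(secret, 1)),
    }


if __name__ == "__main__":
    print(demo())
```

The replay case is the part that matters for phishing: a code captured by a fake login page is good for one use at most, and a code captured but not relayed immediately is worth nothing once the legitimate user logs in. That is the property a reusable password lacks.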
Love the Penicillin analogy. I have heard two-factor authentication described by a consultant as "the biggest bang for your security buck". Of course, as a two-factor vendor I'm biased.
I think the lack of two-factor is mostly due to ignorance of the risks on the part of non-IT people and partly to cost - but also the hassle of hardware tokens.
Posted by: Nick Owen | 11 March 2005 at 09:16 AM
I don't think there has been ignorance of risks, mostly a real *absence* of incidents. Phishing and spyware changed that - thus much more willingness by enterprises and ecommerce companies to try to move beyond reusable passwords.
I used to describe reusable passwords as a boulder in a valley - very hard to dislodge. Everyone liked to think they were a marble on a mountaintop, but it required a combination of real threats (real gain in moving away from reusable passwords) and reduced-cost approaches (less pain).
Posted by: Sec Nerd | 14 March 2005 at 08:27 AM