Passwords as we know them could be yesterday's news if two-factor authentication solutions from VeriSign Inc. and RSA Security Inc. catch on with enterprises.

Two-factor solutions combine a pass phrase with a key chain token that continually generates unique passwords that are used only once each time a user logs on to a network. The process is in stark contrast to traditional password solutions, which involve a single, user-generated password that's used continually over a period of time.

VeriSign, of Mountain View, Calif., plans to debut its Unified Authentication managed service this week, which will give enterprises the ability to deploy USB (Universal Serial Bus) tokens to all their users for two-factor authentication, while allowing VeriSign to manage the infrastructure.

Also this week, RSA, of Bedford, Mass., is expected to announce a partnership with a major Internet service provider in which the ISP will give its vast broadband user base RSA's popular RSA SecurID hardware tokens—a first for a U.S.-based ISP.

Both of the new offerings are grown-up steps on the road to eliminating the use of static passwords for authentication, a practice that is several decades old and is considered one of the weaker links in the Internet security chain. Most users, studies show, choose easily guessed passwords, while easy-to-use password-cracking tools are readily available.

To be sure, online fraudsters have not been shy about taking advantage of this state of affairs. The Federal Trade Commission received more than 214,000 complaints of identity theft in 2003, and victims of Internet fraud reported losses of $200 million last year.

One of the best ways around the problem of weak passwords is the use of hardware tokens, which can generate a one-time password that a user must enter, along with his or her user name or a PIN.

The new VeriSign Unified Authentication service will use a hybrid USB token/ smart card from Aladdin Knowledge Systems Inc., of Arlington Heights, Ill., which includes the ability to generate one-time passwords and store user credentials directly on the device.

RSA is betting the technology will help protect online consumers, who, until now, have not had access to this kind of security.

Under the terms of its new partnership, RSA will sell its SecurID cards to the ISP, which will in turn provide them to users of its premium broadband service. Instead of using a screen name and user-chosen password to log in, users will enter a PIN, along with the unique code that the SecurID token generates every 60 seconds.

Two-factor solutions

How they work:

User enters secret, static PIN and presses button on token to generate unique one-time password, then enters that password into PC
Subsequent log-ins require generation of new passwords

Comments
on Sep 21, 2004
I read this a few hours earlier. Good post!
on Sep 22, 2004
I have been using the RSA SecurID keyfob token for a while now to log on to remote systems via a Citrix gateway. It is a really good solution. We are going to see support for this built in to Windows in due course - this has already been announced.