Gates predicts death of the password

During his keynote speech at the RSA Security conference in San Francisco on Tuesday, Microsoft's chairman Bill Gates predicted the demise of the traditional password because it cannot "meet the challenge" of keeping critical information secure.

His comments came at the same time that RSA said it had been working with Microsoft to develop a SecurID solution specifically for Windows. Both companies agreed there is a need to remove the vulnerabilities associated with employees using weak passwords.

SecurID is the best known two-factor authentication system and is used by many large enterprises. It generates a constantly changing sequence of numbers that the user has to type in alongside their normal password or a pin number. Creating a specific system for Windows should mean that rolling out strong authentication across an enterprise will be far easier and cheaper.

Gates said: "There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don't meet the challenge for anything you really want to secure."

However, Gates also admitted that Microsoft would not be using the SecurID system internally because it had opted for a smartcard-based system -- with the help of RSA. "Microsoft recently moved to a smartcard approach and a key partner in this was RSA," he said.

Microsoft also demonstrated its own "tamper resistant" biometric ID-card software that can be used by both small and large companies to create ID cards using a digital camera, an inkjet printer and a business-card scanner.

The tamper resistant ID-card software has been developed by Microsoft's research arm and was demonstrated during Gate's keynote. To create an ID card, the software requires a photograph and some basic information about the user, for example, name and date of birth. This information is put through an algorithm to create a digital signature in the form of a barcode, which is also printed onto the ID card. If any of the information on the ID card is altered, it will not correlate to the signature and the card is rejected.

Gavin Jancke, development manager at Microsoft Research, who demonstrated the product, said one of the key aspects of the system is that it does not require a database because all the information is already stored on the card: "The authenticity ID is stored in the printed information in the card itself. There are no user privacy issues because we know that what is stored on this card is stuff that they can actually see," he said.

Jancke said the system could also be used to store fingerprints or an eye scan: "This system is also extensible, so we can include other biometric information, such as iris or fingerprint. It will still maintain the same tamper resistancy on ordinary paper or plastic printed media," he said.