It's been mildly amusing to see, once more, a vendor of two-factor authentication call the end of the line for passwords as a security mechanism. We've been around this particular block so many times in the last 20 years that I've lost count.
The latest contributor to this never-ending debate is Steve Watts, co-founder of the tokenless two-factor authentication vendor SecurEnvoy. According to the company's latest press release: "Commenting on reports that a security developer has concluded that password-creation policies are the enemy of secure passwords, SecurEnvoy says that the fundamental issue is that conventional ID/password security is now coming to the end of the line as far as security is concerned."
Ignoring the somewhat tortured press release-speak English, we have here a vendor taking issue with this piece on ZDNet about security developer Cameron Morris. Morris has created an open-source tool called Passfault that predicts the time it takes to crack a specific password -- there's more about it in the article.
Watts' beef is that password strength is a moveable feast and not very well understood, so the answer is obviously something else: two-factor authentication, I suspect. The problem here is that he's confining the scope of the issue to highly controlled enterprise environments. Most two-factor authentication vendors do that too.
There's no doubt that two-factor is stronger than a password alone, especially where that password needs to be strong. Weak passwords are clearly to be avoided, but their convenience is hard to beat, as strong passwords are hard for most people to remember.
But two-factor authentication may no longer be the solution to this conundrum. Internet services and personal devices like smartphones now find major uses within the enterprise. The reality today is that the division between enterprise and personal environments has all but evaporated. In the course of their jobs, people increasingly access their personal services at work using their personal devices. And enterprises cannot mandate two-factor authentication for access to Facebook, for example, which might well be the chosen method of communication of a key supplier, or a way of communicating with potential customers. All FB wants is a password, and it's not alone.
So I think it's time for security experts to accept that the password is here to stay. As we all know, convenience trumps security any day -- just look at what happens in small companies all the time: sharing of passwords, open passwords, no passwords at all in some cases -- are you screaming on the ceiling yet?
Instead we need to find ways of making passwords work. Personally, I've been through a number of solutions, including a tiny portable password generator that will never, alas, be developed as a cross-platform utility. This has driven me towards KeePass, an open-source password safe that relies on a master password to open it -- and you can even boost protection with two-factor authentication. It's cross-platform and has a good ecosystem of plug-ins and other support. Use it together with a cloud service and your passwords are available anywhere.
There are others like it out there, but I moot that something like this may well be the way forward in many circumstances.