Identity management is one helluva paradox. In your daily work life you don't sweat things like smart cards, one-time password tokens and USB tokens. Once you go home as a consumer you're straining to remember your 20th log-in and password.
Google's Cem Paya, who serves on the search giant's security team, highlighted the obvious at Wharton's Information Security Best Practices conference: Passwords are useless, outdated and a security risk.
No argument here. I've been hearing that line for at least a decade now. Yet I'm not exactly carrying around my identity fob or national ID card that works offline and online.
Paya called the almost immortal password system "a puzzling divide." "For all the known limitations of passwords they remain primary," said Paya.
Where Paya's talk, which was on federated identity management, differed is that it outlined why passwords persist. When you're yapping with security vendors you always hear the opposite: Passwords stink and we have a better solution (that no prosumer uses). No one quite addresses why we're still using passwords.
So without further ado, here are Paya's best guesses on why pesky--and pretty insecure--passwords persist:
- There's no business model for issuing IDs to consumers.
- Limiting user choice may annoy people.
- Service providers can't rely on third parties to manage identities--if that third party screws up it's your problem.
- Strong authentication has to be mandatory, but mandating an emerging technology risks losing customers.
- An opt-in policy can create customer satisfaction problems. What happens when you need a driver for your USB token?
When will the password officially be retired? I have no idea. And neither did Paya. National ID cards seem to be a non-starter in the U.S. And federated identity management systems are still nascent. Overall though, this password paradox is worth watching. At some point, passwords will die--and you can finally stop writing them on scrap paper taped to your monitor.