Authentication via passwords or certificates?

August 10th, 2008

In a NYT article, “Goodbye, Passwords. You Aren’t a Good Defense,” author Randall Stross lays out the case against password-based authentication for the Web and argues for approaches that use public key certificates, like Information Cards.

We are all familiar with the problems of passwords — it’s too hard to keep track of multiple ‘strong’ passwords, so we use and reuse one or maybe a few simple ones. These can be all too easily compromised by password cracking, phishing or packet sniffing.

“The solution urged by the experts is to abandon passwords — and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties’ authenticity, using digital keys that we, as users, have no need to see. In short, we need a log-on system that relies on cryptography, not mnemonics.

“As users, we would replace passwords with so-called information cards, icons on our screen that we select with a click to log on to a Web site. The click starts a handshake between machines that relies on hard-to-crack cryptographic code. The necessary software for creating information cards is on only about 20 percent of PCs, though that’s up from 10 percent a year ago. Windows Vista machines are equipped by default, but Windows XP, Mac and Linux machines require downloads.”

Stross argues that OpenID is not a solution, but just more of the problem:

“We won’t make much progress on information cards in the near future, however, because of wasted energy and attention devoted to a large distraction, the OpenID initiative. OpenID promotes “Single Sign-On”: with it, logging on to one OpenID Web site with one password will grant entrance during that session to all Web sites that accept OpenID credentials.”

I’ve not tried using Information Cards yet, but plan to try them. You start by downloading an identity selector client onto your computer. Microsoft offers CardSpace for Windows, and DigitalMe seems to be a popular one for various Unix systems, including Mac OS X.