New York Times article on Single Sign-on: Cryptography vs. Passwords?

The New York Times recently posted an article decrying passwords as an inadequate defense mechanism for security today in a wave of identity theft occurrences. The article goes on to push a cryptography-based approach to log-on systems, touting ‘information cards' that rely on the computer handshake between machines to authenticate a user, or in this case, a site visitor. The article goes on to rail against the OpenID initiative because of its password-driven approach to SSO to access OpenID-enabled Web sites.

I read some of the comments under the article and they are politely saying the same thing - that it would be great if all the servers and users out there used PKI for mutually authenticating each other. Reality: this won't happen unless everyone makes the big switch. Unfortunately major upheavals like this take tremendous investment. Major investment indeed - by a lot of people, companies and policy makers.

Taking a look at a relevant analogy is the transition to fiber optics at home - 30 years ago we knew it was a better technology and it would revolutionize telecommunications *but*, with copper in place for telephone service, who was going to make the investment to solve the 'last mile problem' - the copper that runs between the pole and your phone in the house [not to mention ditching the previous investments put into copper all those years]. Only now, with telcos being allowed to sell new services such as video content, are they incented to invest the billions of dollars required to bring fiber to the house.

So it is with PKI - the notion of using an info card to authenticate is the same strategy tried with PKI almost a decade ago. It failed because it required companies to make a significant investment to not only upgrade their server applications to use certificates, but more importantly, it required all clients to have valid certificates. The investment and expense required couldn't be justified on the basis of improving security, much less to provide SSO convenience. If a company has to choose between turning away customers that don't have info cards or certificates and increasing security - which option would it pick? The existing infrastructure for user authentication will continue to use passwords for a long time just like we lived with copper and analog voice support because the economics aren't there to switch. Using PKI to reduce user convenience issues isn't worth it when other technologies such as enterprise SSO can address those same issues.

Sure, single sign-on in the enterprise and Web-based SSO operate in different realities, but the convenience factor combined with the continuous infrastructure investment already made over the past two decades point to the reality that password-based SSO isn't going anywhere anytime soon. Are there ways to strengthen the security of password-based SSO, while not losing the convenience of it, sure: add strong authentication methods like biometrics to provide two factor authentication - at least there's widespread nearer-term investments that are being made in that area in devices all over the world in every industry.

What do you think about password-based SSO vs. the cryptography/information cards approach to SSO the New York Times wrote about?

-David