RSA Report: Strong Encryption -- If You Build It, They May Not Come (or It’s the End of the Password as We Know It)

Posted by K.M. Das

K.M. is blogging from the RSAConference2006 in San Jose this week.

One of the themes that appears to be emerging at this year’s RSAConference2006 on information security is that security protocols aimed at consumers (e.g., security at e-commerce sites and online banking) and employees (e.g., network authentication or database access) are effective only when the consumer or the employee does not find the measures inconvenient.

The major obstacles to security when it comes to the “good guys” (i.e., when you are not worrying about phishing, pharming, Trojan horses, and the disgruntled employee) are not technological. Rather, the biggest hurdle is making the security protocols convenient for the user. Bill Gates emphasized this in his kickoff keynote address, and I heard this repeated at numerous presentations. Numerous vendors hawking biometric devices, smartcards, and USB tokens as part of the RSAConference2006 exposition also emphasized this theme. When a user has to remember ten or twenty passwords, each of which has to be at least eight characters long, contain a mixture of uppercase and lowercase letters and numbers, and cannot be identical to any of the last ten passwords they have had, the user will simply bypass the password system (if they can) or write the passwords down on pieces of paper. As an interesting side note, Whit Diffie (of the Diffie-Hellman algorithm) commented that it was probably safer to write down your password and stick it in your wallet than it was to leave it in a file on your computer, because “your wallet is a lot safer than your computer.” (See our previous report on password proliferation.)

Bill Gates and Art Coviello, CEO and President of RSA Security, Inc., both emphasized during their keynote addresses that the IT industry as a whole, and companies that wish to implement robust security methodologies, must take steps to ensure that the methodologies are simple and likely to be adopted by the end user. Of course, as companies attempt to meet regulatory standards that require stronger authentication protocols, any attempt to make the protocols simpler will require a move away from passwords to tokens, smartcards, or other methodologies. Microsoft demonstrated this notion of “simpler security” in a demo of its Windows Vista operating system. What I found most interesting was that Vista’s approach to “simple” security assumes that people are going to shift to non-password-based authentication systems.

On a personal note, because the theme of the conference this year is “Ancient Vedic Mathematics,” with an emphasis on the mathematics of Aryabhatta, the kickoff keynote address was preceded by a Bollywood-style song and dance number that actually worked the term “Sarbanes-Oxley” into the lyrics. I suspect you had to be there to appreciate the true horror of the moment.

[Ed. note: We only wish K.M. had a camera-phone with video capability at the event...or not.]
