Lost passwords, lost identity?

Password and username box

Inside the Enterprise: The search for a viable alternative to the humble password has kept IT experts busy for at least a decade.

Both in enterprises, and for companies providing services to the public over the internet, reliance on passwords is a source of concern. They are too easily guessed, hacked, and forgotten.

Yahoo is just the latest company to call time on the password. In the US, the firm is moving towards a system of one-time codes sent via SMS or text messages to users. Already used as an additional authentication step by banks, one-time codes fulfil one of the key tests of multi-factor authentication: something you have, something you know, and something you are.

Passwords are, of course, something we know. The problem is that they are all too easily forgotten. This prompts users to pick either simple passwords "Password" is a favourite - to write them down, or to use one password for multiple online services. Even worse, from an enterprise point of view, are users who reuse a corporate password on a home device, or vice versa.

A one-time code, of the type being developed by Yahoo, replaces something you know by something you have. In fact, it works by requiring two things: the user needs to have both a device, in this case a phone, and the unique code.

Codes are usually only valid for a short period of time, and as the name suggests, can only be used once. But such systems are not flawless. A four-digit code, as Yahoo is suggesting, is not especially hard to crack.

Then there is the physical challenge of sending authentication codes to a mobile device. Phones can be lost, run out of power, or be in an area where there is no signal.

If a user cannot access their device, then the options are either to lock them out of the service, until they can receive an SMS, or fall back on a weaker system of authentication. Typically, that's a password and some basic information, such as the user's mother's maiden name.

None the less, companies are continuing to look at alternatives to passwords, if only to reduce the time and money spend on resetting lost, stolen, or forgotten IDs.

But some identity and privacy experts argue that it would be better if the industry came together and developed a common system, which consumers and businesses cold use for authentication across a range of services, rather than just one.

"It is not just Yahoo doing it, but passwords for them are a nightmare," said Paul Simmonds, CEO of the Global Identity Foundation. "The problem is they are putting in bespoke solutions. So we are moving to yet another bespoke solution. We need to a common solution everyone agrees on, rather than bespoke."

Those alternatives, though, have to appeal to users as well as to service operators.

"Alternatives have to be usable and desirable Robert Lapes, head of identity advisory services at CapGemini. "People must want to use it and be able to use it effectively. We have to work harder at making things easier."

And that will mean no more passwords on a sticky label under the keyboard, please.

Stephen Pritchard is a contributing editor at IT Pro.