Putting password security in users' hands |
 |
By Anne Saita, News Director
02 Nov 2005 | SearchSecurity.com |
|
|
With a slew of new statewide data security laws and federal online banking standards due to take effect, companies are again scrutinizing multi-factor authentication. PC manufacturers are also responding with hardware that's device-ready to operate with a wider variety of access control and authorization options to keep desktops, laptops, mobile devices and the data stored within them from falling into the wrong hands.
But some in the industry fear those efforts can be undermined by a simple password management tool widely available, and used, on Windows desktops.
Most Windows users and administrators are familiar with a tool that lets users locally store numerous usernames and passwords inside their PC. This includes digital identities used to access Web sites holding sensitive financial data or the ingredients for identity theft. It's the dialog box that pops up, usually when logging onto a Web site, to ask if you'd like Windows to remember the information for later use by storing it locally for easy recall. With the average user now possessing almost 20 unique passwords, it's tempting.
It's also incredibly easy for someone to use the same stored information when the user is away from his machine unless it's locked down.
"Most of the browser infrastructure provides this ability to say 'Remember me' and fill in this little form. It's very convenient, and the convenience outweighs the risk -- or so that's what we are led to believe," said Steven Sprague, a member of the Trusted Computing Group. The nonprofit, vendor-neutral organization promotes its open standards for hardware-enabled trusted computing and security technologies across multiple platforms, peripherals, and devices.
Granted, IE can be configured to turn off the feature and no longer offer users the option of storing its passwords. But the proliferation of miscellaneous online identities may make it hard to refuse Microsoft's offer. That's one reason members of the Trusted Computing Group are trying to raise awareness and put pressure on PC manufacturers to embed more authentication options as they're built.
"The challenge with anytime I aggregate information into a file that now holds lots of information on it is that it becomes a target for hackers looking for the information, too," explained Sprague, who also is president and CEO of western Massachusetts-based Wave Systems, which makes a hardware security chip that stores encrypted key information on the motherboard to better protect such secret information.
The biometrics industry also hopes for a boost from the need for better authentication mechanisms.
"Some say that when Windows says, 'Do you want to save this password for the next time you log on?' [it] is really the easiest way for somebody to compromise their identity," said Zavi Cohen, CEO of Orlando-based Zvetco Biometrics, which specializes in fingerprint scans. Cohen says his technology is more tamper-resistant than some other biometrics because it uses silicon-based sensory technology to read the inner layer of skin, not just the more easily spoofed or smudged surface impressions.
Cohen also says IE's password management tool is limited, since it can remember only a limited number of fields during the log-in or purchase process.
He also predicts enterprises, not consumers, will be successful in getting more PC makers to provide more authentication tools in its hardware, be it a smart card reader, USB port for tokens or whatever new device is created to help meet demand.
|
