Gates calls for the end of passwords

By Bill Brenner, Senior News Writer
14 Feb 2006 | SearchSecurity.com

Security Wire Daily News

SAN JOSE, Calif. -- Microsoft Chairman and Chief Software Architect Bill Gates used his RSA Security conference keynote Tuesday to outline a future where passwords have gone the way of the dinosaur, multi-factor authentication is the norm and cyberspace functions within a "trust ecosystem."

Gates said trust ecosystems exist in the physical world, where those who break the trust can suffer a damaged reputation or be convicted of a crime. He said the concept must be extended to the Internet through more trustworthy code and devices, and outlined steps the software giant is taking to get there.

"Passwords are the weak link," Gates told his audience. "We need to move in the direction of smart cards, and multi-factor authentication must be built into the system itself. We need the ability to track what goes on and have a built-in recovery system."

While the vision sounded good on paper, some attendees were skeptical.

Microsoft has acknowledged the need to move beyond passwords before, said Ken Russ, a security infrastructure specialist. But the company's last attempt at authentication technology, the Passport single sign-on service, was unsuccessful.

"They had to abandon their previous attempt, and establishing trust between multiple companies is a difficult task," Russ said. "I don't know if any one company--including Microsoft--is up to the task."

Gates' Compass for Security

Bill Gates outlined four ingredients for a more secure computing world in his RSA keynote Tuesday:  

1. Trust Ecosystem: An environment that engenders trust and accountability between people, businesses and code. This accountability can take many forms, ranging from damage to a reputation or expulsion from a group to something as severe as a conviction for a criminal act.

2. Engineering for Security: Security must be considered at every step in the product development process. Security should no longer be an afterthought, but a guiding principle from the very beginning of development.  

3. Simplifying Security: Security is too complex for all users. IT pros need their jobs to be easier, and need the cost and complexity of security to be reduced. Developers need security-conscious interfaces, tools and guidance to embrace secure development practices in their work. Consumers need security that is "just done for them."  

4. Fundamentally secure platforms: Confidentiality, integrity, availability and accountability must be built into the platform, and customers should be able to assess the confidentiality and state of devices and networks.

A Webcast of Gates' keynote, complete with InfoCard and Windows Vista demos, is available online.

That skepticism aside, Gates sounded like a man determined to toss passwords onto the trash heap of history and usher in an era where cyberspace is built around the trust ecosystem.

Microsoft is working with industry to build up an Identity Metasystem--a way in which users and Web sites can more safely and privately exchange personal identity information online, Gates said. To that end, the company will roll out "InfoCard," the working name for a new feature that "simplifies and improves the safety of accessing resources and sharing personal information on the Internet." His keynote included a demonstration of InfoCard.

Gates said InfoCard will be delivered as part of WinFX, Microsoft's managed code programming model, and will support Internet Explorer 7 on Windows Vista, due out later this year, as well as Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 and R2.

Microsoft will also use the future release of Windows Server--code-named Longhorn--to pack more identity management punch into Active Directory, Gates said. That extra punch will include services for rights management, certificates, metadirectory and federated identity.

Gates also unveiled the first beta of the Microsoft Certificate Lifecycle Manager, which the Microsoft Web site describes as a "policy- and workflow-driven solution that streamlines the provisioning, configuration and management of digital certificates and smart cards, and increases security through strong, multifactor authentication technology."

He said the goal is to move beyond passwords in three to four years.

While these activities are all part of developing a trust ecosystem, Gates said the tech industry must also focus on three other goals to achieve a more secure future:

The first goal is better security engineering. This means training engineers to think about security from the very beginning, during the code-writing process. Gates said industry partners should follow Microsoft's lead and share their best practices for developing more secure code. As an example, he cited Microsoft's implementation of the Security Development Lifecycle (SDL), which has been made publicly available for developers, including its code-scanning tools such as PREfast and FxCop in Visual Studio 2005.

Gates' second goal is simplifying security so it is transparent to users, easier for IT professionals to implement and simpler for developers to write their code around. Microsoft's efforts in this area include the Windows Security Center in Windows XP SP2 and Windows Vista. Security Center is designed so the status of security measures is easily visible for consumers. Another example Gates addressed was Windows OneCare Live, developed to improve overall PC health instead of focusing on merely one need, according to the Microsoft Web site.

The third goal is building a "fundamentally secure platform" that "maintains the confidentiality and integrity of information and resources, regardless of whether information is being stored or transported across devices, services or networks," Gates said. He then used Windows Vista as an example.

Vista will include a feature called Windows Service Hardening, which prevents critical Windows services from performing potentially malicious actions in the file system, registry, network or other resources that malware could otherwise use to install itself or attack other computers, Microsoft notes on its Web site. Another key feature is a built-in anti-malware tool called Windows Defender. Gates said the free beta download for Defender is now available for customers using Windows XP, 2000 and Server 2003.
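Windows Service Hardening, as described above, rests on a few per-service settings that an administrator can apply to third-party services as well: a service-specific SID in a write-restricted token, a trimmed privilege set, a non-SYSTEM logon account and a firewall rule keyed to the service name. The script below is an added example, not code from the article or from Microsoft; it applies and then reads back those settings for a hypothetical service named ExampleSvc, using the sc.exe and netsh.exe options that shipped with Windows Vista and Server 2008. It assumes an elevated prompt and that the service can run under NT AUTHORITY\LocalService.

```powershell
# Added example (not from the article or from Microsoft): apply the
# per-service restrictions that Windows Service Hardening builds on, then
# verify them. 'ExampleSvc' is a hypothetical service name; run elevated.
param([string]$ServiceName = 'ExampleSvc')

function Set-ServiceHardening {
    param([Parameter(Mandatory)][string]$Name)

    # Weak default for many services: LocalSystem with an unrestricted token
    # and every privilege SYSTEM holds. Hardened: a least-privilege account and
    # a write-restricted token tagged with the service's own SID, so ACLs can
    # grant write access to exactly this service and nothing else.
    & sc.exe config $Name obj= 'NT AUTHORITY\LocalService' | Out-Null
    & sc.exe sidtype $Name restricted | Out-Null

    # Keep only the privilege needed to traverse directories; SeImpersonate,
    # SeDebug, SeLoadDriver and the rest are stripped from the token.
    & sc.exe privs $Name SeChangeNotifyPrivilege | Out-Null

    # The service has no business initiating outbound connections, so block
    # them by service name rather than by executable path (which a shared
    # svchost.exe host would make useless).
    & netsh.exe advfirewall firewall add rule name="Block outbound: $Name" `
        dir=out action=block service=$Name enable=yes | Out-Null
}

function Get-ServiceHardening {
    param([Parameter(Mandatory)][string]$Name)

    $sidType = (& sc.exe qsidtype $Name) -join "`n"
    $privs   = (& sc.exe qprivs $Name)   -join "`n"
    $config  = (& sc.exe qc $Name)       -join "`n"
    $fw      = (& netsh.exe advfirewall firewall show rule `
                    name="Block outbound: $Name") -join "`n"

    # Privilege names as reported by 'sc qprivs'; expect exactly one.
    $privNames = [regex]::Matches($privs, 'Se\w+Privilege') |
                 ForEach-Object { $_.Value }

    [pscustomobject]@{
        Service            = $Name
        RestrictedSid      = [bool]($sidType -match 'SERVICE_SID_TYPE\s*:\s*RESTRICTED')
        OnlyChangeNotify   = ($privNames.Count -eq 1 -and
                              $privNames[0] -eq 'SeChangeNotifyPrivilege')
        RunsAsLocalService = [bool]($config -match 'SERVICE_START_NAME\s*:\s*NT AUTHORITY\\LocalService')
        OutboundBlocked    = [bool]($fw -match 'Action:\s+Block')
    }
}

Set-ServiceHardening -Name $ServiceName
$state = Get-ServiceHardening -Name $ServiceName
$state | Format-List

# Fail loudly if any control did not take effect, so this can sit in a
# build or deployment pipeline rather than be eyeballed.
if (-not ($state.RestrictedSid -and $state.OnlyChangeNotify -and
          $state.RunsAsLocalService -and $state.OutboundBlocked)) {
    throw "Service hardening incomplete for $ServiceName"
}
```

Two caveats a practitioner should check before running this against a real service: changing the logon account to LocalService only works if the service's binaries, registry keys and data directories are readable (and, where needed, writable) by that account, so expect to add ACL entries for the service SID (NT SERVICE\ExampleSvc) first; and a restricted service SID applies to the whole host process, so a service that shares an svchost.exe group with unrestricted services must be moved to its own process or the setting will not take effect as intended.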
