Once upon a time, companies couldn't give away two-factor authentication services. Now, some are positioning themselves to make big money from it, signaling the possible demise of passwords as we know them.
Some recent examples:
- America Online's Passcode service, in which users get a small handheld key that displays a six-digit numeric code. To log on to an AOL account equipped with the service, they'll have to type in the six digits, which refresh on the device every 60 seconds, on top of using the regular password.
- RSA making its SecurID product available for Microsoft Windows users, saying it'll help "ensure that valuable network resources are accessible only by authorized users" while "simultaneously delivering a simplified and consistent user login experience."
- VeriSign's Unified Authentication managed service, in which enterprises deploy Universal Serial Bus (USB) tokens to all their users and VeriSign manages the infrastructure.
- IBM's new ThinkPad, which includes a fingerprint reader that signs users into all their passwords.
Why do companies seem to be clamoring for something they couldn't be bothered with a couple of years ago? One reason: the problematic passwords people need to navigate their networks, said Jonathan Penn, an analyst for Cambridge, Mass.-based Forrester Research.
"Windows 2000 finally gave administrators the ability to enforce strict passwords with a certain number of letters," Penn said. "That created a backlash where people would have trouble remembering their passwords, so they'd write it on a piece of paper and stick it in their desks. Then someone could come along and find it." Two-factor authentication does away with these passwords, he said.
Compliance is another reason, he added. "On the enterprise side, interest in two-factor authentication is all about compliance, data protection and integrity of operations," he said. "Enterprises are looking for a greater sense of accountability. There's greater pressure to ensure people are who they say they are."