
Gates calls for the end of passwords

Microsoft's chairman outlined a future where code is written more securely and passwords are no more. Can his company get us there?

SAN JOSE, Calif. -- Microsoft Chairman and Chief Software Architect Bill Gates used his RSA Security conference keynote Tuesday to outline a future where passwords have gone the way of the dinosaur, multi-factor authentication is the norm and cyberspace functions within a "trust ecosystem."

Gates said trust ecosystems exist in the physical world, where those who break the trust can suffer a damaged reputation or be convicted of a crime. He said the concept must be extended to the Internet through more trustworthy code and devices, and outlined steps the software giant is taking to get there.

"Passwords are the weak link," Gates told his audience. "We need to move in the direction of smart cards, and multi-factor authentication must be built into the system itself. We need the ability to track what goes on and have a built-in recovery system."

While the vision sounded good on paper, some attendees were skeptical.

Microsoft has acknowledged the need to move beyond passwords before, said Ken Russ, a security infrastructure specialist. But the company's last attempt at authentication technology, the Passport single sign-on service, was unsuccessful.

"They had to abandon their previous attempt, and establishing trust between multiple companies is a difficult task," Russ said. "I don't know if any one company--including Microsoft--is up to the task."

Gates' Compass for Security

Bill Gates outlined four ingredients for a more secure computing world in his RSA keynote Tuesday:  

1. Trust Ecosystem: An environment that engenders trust and accountability between people, businesses and code. This accountability can take many forms, ranging from damage to a reputation or expulsion from a group to something as severe as a conviction for a criminal act.  

2. Engineering for Security: Security must be considered at every step in the product development process. Security should no longer be an afterthought, but a guiding principle from the very beginning of development.  

3. Simplifying Security: Security is too complex for all users. IT pros need their jobs to be easier, and need the cost and complexity of security to be reduced. Developers need security-conscious interfaces, tools and guidance to embrace secure development practices in their work. Consumers need security that is "just done for them."  

4. Fundamentally secure platforms: Confidentiality, integrity, availability and accountability must be built into the platform, and customers should be able to assess the confidentiality and state of devices and networks.

A Webcast of Gates' keynote, complete with InfoCard and Windows Vista demos, is available online.

That skepticism aside, Gates sounded like a man determined to toss passwords onto the trash heap of history and usher in an era where cyberspace is built around the trust ecosystem.

Microsoft is working with industry to build up an Identity Metasystem--a way in which users and Web sites can more safely and privately trade personal identity information online, Gates said. To that end, the company will roll out "InfoCard," the working name for a new feature that "simplifies and improves the safety of accessing resources and sharing personal information on the Internet." His keynote included a demonstration of InfoCard.

Gates said InfoCard will be delivered as part of WinFX, Microsoft's managed code programming model, and will support Internet Explorer 7 on Windows Vista, due out later this year, as well as Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 and R2.

Microsoft will also use the future release of Windows Server--code-named Longhorn--to pack more ID management punch into Active Directory, Gates said. That extra punch will include services for rights management, certificates, metadirectory and identity federation.

Gates also unveiled the first beta of the Microsoft Certificate Lifecycle Manager, which the Microsoft Web site describes as a "policy- and workflow-driven solution that streamlines the provisioning, configuration and management of digital certificates and smart cards, and increases security through strong, multifactor authentication technology."

He said the goal is to move beyond passwords in three to four years.

While these activities are all part of developing a trust ecosystem, Gates said the tech industry must also focus on three other goals to achieve a more secure future:

The first goal is better security engineering. This means training engineers to think about security from the very beginning, during the code-writing process. Gates said industry partners should follow Microsoft's lead and share their best practices for developing more secure code. As an example, he cited Microsoft's implementation of the Security Development Lifecycle (SDL), which has been made publicly available for developers, including its code-scanning tools such as PREfast and FxCop in Visual Studio 2005.

Gates' second goal is simplifying security so it is transparent to users, easier for IT professionals to implement and simpler for developers to write their code around. Microsoft's efforts in this area include the Windows Security Center in Windows XP SP2 and Windows Vista. Security Center is designed so the status of security measures is easily visible for consumers. Another example Gates addressed was Windows OneCare Live, developed to improve overall PC health instead of focusing on merely one need, according to the Microsoft Web site.

The third goal is building a "fundamentally secure platform" that "maintains the confidentiality and integrity of information and resources, regardless of whether information is being stored or transported across devices, services or networks," Gates said. He then used Windows Vista as an example.

Vista will include a feature called Windows Service Hardening, which restricts critical Windows services from doing potentially malicious activities in the file system, registry, network or other resources that could be used to allow malware to install itself or attack other computers, Microsoft notes on its Web site. Another key feature is a built-in anti-malware tool called Windows Defender. Gates said the free beta download for Defender is now available for customers using Windows XP, 2000 and Server 2003.
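Windows Service Hardening, as shipped in Vista and later, implements the restrictions described above partly by giving each service its own per-service SID and by letting a service declare the privilege subset it actually needs. The following PowerShell audit is an added example, not code from the article or from Microsoft: it walks the installed services and reports those two settings using the documented sc.exe query verbs `qsidtype` and `qprivs`, so an administrator can see which services still run with their account's full privilege set. It assumes Windows Vista / Server 2008 or later and local administrator rights; the function name and output fields are the example's own.

```powershell
# Added example (not from the article): audit the least-privilege settings that
# Windows Service Hardening introduced, per installed service, using the
# documented sc.exe query verbs 'qsidtype' (per-service SID type) and
# 'qprivs' (the privilege set the service declared). Requires Vista/2008+
# and an elevated prompt. Function and field names are the example's own.

function Get-ServiceHardeningInfo {
    param(
        # Defaults to every installed service; pass names to narrow the audit.
        [string[]]$Name = (Get-Service | Select-Object -ExpandProperty Name)
    )

    foreach ($svc in $Name) {
        # Capture the text output of both queries; errors (e.g. access denied) are dropped.
        $sidOutput  = (& sc.exe qsidtype $svc 2>$null) -join ' '
        $privOutput = (& sc.exe qprivs   $svc 2>$null) -join ' '

        # sc.exe prints a line such as "SERVICE_SID_TYPE: UNRESTRICTED" (or NONE / RESTRICTED).
        $sidType = if ($sidOutput -match 'SERVICE_SID_TYPE:\s*(\S+)') { $Matches[1] } else { 'UNKNOWN' }

        # The declared privileges appear as SeXxxPrivilege tokens after "PRIVILEGES :".
        $privs = [regex]::Matches($privOutput, 'Se\w+Privilege') | ForEach-Object { $_.Value }

        [pscustomobject]@{
            Service    = $svc
            SidType    = $sidType
            Privileges = if ($privs) { $privs -join ',' } else { '(none declared: full account privilege set)' }
        }
    }
}

# Services with SidType NONE and no declared privilege list get everything their
# account has; list those first so they can be reviewed for least privilege.
Get-ServiceHardeningInfo |
    Sort-Object SidType, Service |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; on a hardened system most built-in services report `UNRESTRICTED` or `RESTRICTED` with a short privilege list, while third-party services that predate Service Hardening typically show `NONE` and no declared privileges.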
