Stump the CIO
Do you agree with what Bill Gates says, that passwords are not good enough and need to be replaced? (See Gates predicts death of the password and Gates explains Microsoft security push.) If so, what is your plan to move your IT systems away from passwords?

The problem is that today's second factor authentication (2FA) systems require tokens integrated into the backend servers and applications. The result of this strategy is two major problems (which I believe are insurmountable, given the current approach of backend integration):
(1) Token Proliferation. For two bucks more a month, AOL gives you a token to strengthen your access to AOL. Your company gives you a token to get into the VPN. E*trade gives you a token to secure your trading. EBay gives you one. Your bank gives you one. Pretty soon, you're a walking pocket full of tokens.
(2) Backend Integration. The reason the traditional identity management products (in SSO, PKI, directory consolidation, provisioning, etc.) haven't taken root fully across most enterprises is that the products require backend integration. This is not a winning strategy, as you would have to integrate with every app to achieve true enterprise-wide control. Here's how the math would go ... if you have 500 applications in your company, and you're very good and can integrate one app every week into your IdM system (integrate, test, deploy ... to live users), it will take you, what, TEN YEARS! to finish the job? And this doesn't even take into account that there are apps that are from ASPs (application service providers), for which you have no access to the backend. (BTW, what happens if your CEO goes out and merges your company with another?) So, after the ten years, you introduce the 2FA integration project to begin moving away from passwords. Right. And there'll be world peace.
Perhaps, as Bruce Schneier suggested (in The Failure of Two-Factor Authentication), 2FA doesn't work, so why bother? I don't happen to agree with Schneier (... but that's my next blog topic ...). If 2FA is needed, and a backend integration strategy is not the right one, then how do we get there? How do we move away from passwords? It puzzles me that the industry has not yet developed some sense of where this needs to go.