# Stump the CIO

There is a question that involves the mainstream that most CIOs don't seem to have an answer to. Here's how I tee it up:

(1)

(2)

Perhaps as Bruce Schneier suggested (in

The problem is that today's second factor authentication (2FA) systems require tokens integrated to the backend servers and applications. The result of this strategy is two major problems (which I believe are insurmountable, given the current approach ofDo you agree with what Bill Gates say that passwords are not good enough and need to be replaced?(SeeGates predicts death of the passwordandGates explains Microsoft security push.)If so, what is your plan to move your IT systems away from passwords?

*backend integration*):(1)

**Token Proliforation**. For two bucks more a month, AOL gives you a token to strengthen your access to AOL. Your company gives you a token to get into the VPN. E*trade gives you a token to secure your trading. EBay gives you one. Your bank gives you one. Pretty soon, you're a walking pocket full of tokens.(2)

**Backend Integration**. The reason the traditional identity management products (in SSO, PKI, directory consolidation, provisioining, etc.) hasn't taken root fully across most enterprises is that they the products require*backend integration*. This is not a winning strategy as you would have to integrate with every app to achieve true enterprise-wide control. Here's how the math would go ... if you have 500 applications in your company, and you're very good and can integrate one app every week into your IdM system (integrate, test, deploy ... to live users), it will take you, what?, TEN YEARS! to finish the job? And this doesn't even take into account that there are apps that are from ASPs (application service providers), for which you have no access to the backend. (BTW, what happens if your CEO goes out and merges your company with another?) So, after the ten years, you introduce the 2FA integration project to begin moving away from passwords. Right. And they'll be world peace.Perhaps as Bruce Schneier suggested (in

*The Failure of Two-Factor Authentication*) 2FA doesn't work, so why bother? I don't happen to agree with Schneier (... but that's my next blog topic ...). If 2FA is needed, and a*backend integration*strategy is not the right one, then how do we get there? How do we move away from passwords? It puzzles me that the industry has not yet developed some sense of where this needs to go.