The Future of User Security, Part 2

In last week's article, I discussed the dichotomy between the changes in the needs of user security and the lack of changes in the actual state of user security -- the measures taken and the problems that exist. The average computer user does very little to truly protect himself, and many of the security mistakes users make are the same errors users have made for the last ten years.

Password security is a real problem for the average user. Simply setting no password at all on an account, or one that is easily remembered and guessed -- 'welcome' gets used a lot, as do words like the user's first or last name, favorite sports team, or some other easily-guessed word -- is the easiest solution for users. This is perfectly understandable. A password has to be something memorable to the user, or he won't remember it and he'll just write it down somewhere, which, in some cases, can be even worse than having an easily guessed password.

This isn't just a problem for average users, either. Anyone who uses passwords must either choose a memorable password -- whether by it being easily memorable or by a mnemonic device -- or write down the password to prevent forgetting it. Relying on your memory is a difficult task, especially when the password is complex enough to stand up against password cracking programs; but is it more dangerous to rely on a password simple enough that a user can remember it?
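The weak choices named above ('welcome', the user's own name, a favorite team) are exactly what a password-acceptance check on the server side should reject before the account is created. The following is an added example, not code from the article: a small validator that normalizes a candidate (case, common digit-for-letter substitutions, trailing digits and punctuation) and rejects it if it is a known common password or contains a word from the user's own profile. The blocklist and the profile fields are constructed for illustration.

```python
import re
import unicodedata

# Constructed sample blocklist: a few commonly chosen passwords, including
# the 'welcome' the article mentions. A real deployment loads a large list.
COMMON_PASSWORDS = {"welcome", "password", "letmein", "qwerty", "123456"}

# Map common digit/symbol substitutions back to letters so that "w3lc0me"
# is treated the same as "welcome".
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def normalized_forms(candidate: str) -> set:
    """Return the letters-only core of the candidate, with and without
    undoing leet substitutions (so 'Welcome1' and 'w3lc0me!' both yield
    'welcome' in the set)."""
    lowered = unicodedata.normalize("NFKD", candidate).lower()
    return {re.sub(r"[^a-z]", "", lowered),
            re.sub(r"[^a-z]", "", lowered.translate(_LEET))}


def profile_words(profile: dict) -> set:
    """Words the user is likely to reuse as a password: name parts,
    favorite team, username. Very short parts are skipped to avoid
    false positives on three-letter fragments."""
    words = set()
    for value in profile.values():
        for part in re.split(r"[\s\-_.]+", str(value)):
            word = re.sub(r"[^a-z]", "", part.lower())
            if len(word) >= 4:
                words.add(word)
    return words


def check_password(candidate: str, profile: dict, min_length: int = 12) -> list:
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    forms = normalized_forms(candidate)
    if forms & COMMON_PASSWORDS:
        reasons.append("matches a commonly used password")
    for word in profile_words(profile):
        if any(word in form for form in forms):
            reasons.append(f"contains a word from the user's own profile ({word})")
            break
    return reasons
```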

Authentication options -- of which passwords are one -- have three possibilities. They can be based on something you have (such as a token or a smart card), something you know (passwords fall under this category), or something you -are-.

Passwords just won't last in the long term. They require memory -and- complexity, and that's just too much to put on a normal user who just wants some basic system protection. Tokens have been a good intermediate measure, but they are often expensive systems, and it's easy to lose them; more importantly, it's easy to steal them. That leaves the third option.

Biometric systems -- systems that measure physical attributes to ensure that the person logging in is really the person who should be logging in -- are the most likely course for the future. There are certain drawbacks to using biometrics -- chief among them being revocation (if something bad happens, it isn't like a user can be issued a new thumbprint as easily as he can be given a new password) -- and for systems that require very high security, there are certainly flaws in relying strictly on -any- single approach to authentication. However, it is a very viable approach for the future needs of the average computer user.

With biometric authentication systems, a user does not have to try to remember a password or keep track of a token or smart card. There are already laptops that come equipped with thumbprint scanners -- a user just presses his thumb against the pad and he's logged right on. There is even a thumbprint-scanning mouse that can be used for logging on to a computer or a network.

These systems are far from perfect. They're expensive, they're hard to get used to, and it will be a few years before they will be appropriate for the average user. However, just as the standards of antivirus software must change to move away from the string-matching model to keep up with the needs of users in a changing Internet environment, so must authentication move away from reliance on passwords. Biometric authentication methods may very well be part of the future of user security.
