The Future of User Security, Part 2

By Dev Zaborav, ITworld | Opinion

In last week's article, I discussed the dichotomy between the changes in
the needs of user security and the lack of changes in the actual state
of user security -- the measures taken and the problems that exist. The
average computer user does very little to truly protect himself, and
many of the security mistakes users make are the same errors users have
made for the last ten years.

Password security is a real problem for the average user. Simply setting
no password at all on an account or one that is easily remembered and
guessed -- 'welcome' gets used a lot, as do words like the user's first
or last name, favorite sports team, or some other easily-guessed word --
is the easiest solution for users. This is perfectly understandable. A
password has to be something memorable to the user, or he won't remember
it and he'll just write it down somewhere, which, in some cases, can be
even worse than having an easily guessed password.

This isn't just a problem for average users, either. Anyone who uses
passwords must either choose a memorable password -- whether by it being
easily memorable or by a mnemonic device -- or write down the password
to prevent forgetting it. Relying on your memory is a difficult task,
especially when the password is complex enough to stand up against
password cracking programs; but is it more dangerous to rely on a
password simple enough that a user can remember it?

Authentication methods -- of which passwords are one -- fall into three
categories. They can be based on something you have (such as a token or
a smart card), something you know (passwords fall under this category),
or something you -are-.

Passwords just won't last in the long term. They require memory -and-
complexity, and that's just too much to put on a normal user who just
wants some basic system protection. Tokens have been a good intermediate
measure, but they are often expensive systems, and it's easy to lose
them; more importantly, it's easy to steal them. That leaves the third
option.

Biometric systems -- systems that measure physical attributes to ensure
that the person logging in is really the person who should be logging in
-- are the most likely course for the future. There are certain
drawbacks to using biometrics -- chief among them being revocation (if
something bad happens, it isn't like a user can be issued a new
thumbprint as easily as he can be given a new password) -- and for
systems that require very high security, there are certainly flaws in
relying strictly on -any- single approach to authentication. However, it
is a very viable approach for the future needs of the average computer
user.

With biometric authentication systems, a user does not have to try to
remember a password or keep track of a token or smart card. There are
already laptops that come equipped with thumbprint scanners -- a user
just presses his thumb against the pad and he's logged right on.
