Will digital certificates replace passwords?
Passwords have long been the standard for identity authentication. But there are limits to memory and scalability with every technique for generating and managing them, and eventually convenience and security clash. Is it time to move to digital certificates?
Passwords have long been the default standard for authentication for information technology access, but they can be notoriously difficult to manage for the enterprise and user.
Secure passwords tend to be difficult to remember, and the number of passwords users need to manage on the job tends to grow.
“The 17 or so passwords I have, it’s not getting any easier to remember them,” White House Cybersecurity Coordinator Howard Schmidt said recently while discussing the administration's National Strategy for Trusted Identities.
When people forget those passwords, the process of resetting them consumes a significant amount of help-desk resources.
A recent survey by Exostar, a supply chain collaboration company that serves Tier 1 defense and aerospace contractors, found that contractor personnel must manage as many as six sets of passwords to access applications in each segment of the supply chain. Given the number of contractors that contribute to a large Defense Department program, that can amount to a large number of passwords, said Vijay Takanti, Exostar vice president of security and collaboration services.
The number surprised him, because with the expanded use of Web portals, the number of passwords was expected to decrease. But “many large companies have grown through acquisitions,” Takanti said. “It takes time to absorb those acquisitions and integrate applications.”
DOD also has many long-running programs with older applications that are not easily supported by portals or single-sign-on schemes.
Everyone has tricks for managing passwords.
“There are technical solutions for this,” said Ron Ritchey, a principal at Booz Allen Hamilton's technical service practice. “There is also strategy that can be applied.” Ritchey said he does not create a unique password for every account. “That is simply unmanageable. I create categories.”
That can reduce the number of personal passwords from dozens to a manageable handful, each of the appropriate strength. John DiMaria, director of professional services at eFortresses, a security and compliance consulting firm in Atlanta, said he teaches the use of some personal key techniques that users can easily remember for generating passwords. A simple rule for transposing characters on a keyboard can create complex passwords that are relatively easy for the user to remember.
DiMaria also uses an encrypted spreadsheet on a protected thumb drive to store lists of passwords. That reduces the number of passwords that he must remember to two. However, there is the danger that he could lose the drive.
There also are single-sign-on tools for enterprises and password management tools for PCs and mobile devices. But “none of these is entirely satisfactory,” Ritchey said. They all face the limits of scalability or human memory. “At the end of the day, it comes down to risk management.”
An alternative to passwords is a digital certificate. There are millions of them in use, and the number of applications that support them is growing. But “digital certificate technology is not widely used,” Takanti said. Standards for digital certificates have been evolving but aren’t widely adopted. “That is one of the reasons companies have been hesitant to make the investment,” he said.
That could be changing. “I believe the standards are mature, and the technology is becoming a viable alternative,” although there are still hurdles, he said. “Getting legacy IT to accept digital certificates is a challenge. The next challenge is getting people to accept and understand them.”
The defense and aerospace industries are following DOD in adopting the use of certificates. Lockheed Martin, the largest DOD contractor, is using Exostar digital certificates for internal and DOD access control. Other large contractors, including Boeing and Rolls-Royce, are following suit.
“In our ecosystem, we are seeing most of our customers moving toward digital certificates,” Takanti said. “We believe in 18 months, we will have reached critical mass” for their use as a second factor of identity authentication.
Don’t expect passwords to disappear. They probably will always be with us. But supplementing them with digital certificates, biometrics or some other second factor of authentication could reduce the number of strong passwords people need to remember to a manageable few, while still maintaining security.