It has long been common knowledge that the best practice when selecting a password is to choose a nonsensical string of letters, numbers and punctuation marks. However, the New York Times reports that experts have now stated that even a well-chosen password is not a guaranteed defence against the threat of identity theft.
While surveys have shown that people are still fond of using simple, easy-to-remember passwords, the underlying problem is apparently not the simplicity of the passwords but the log-on procedure itself, in which we land on a web page and type in a string of characters to authenticate our identity. The experts indicated that password-based log-ons can be compromised in a number of ways. A common example is phishing: users are tricked into clicking through to a site designed to mimic a legitimate one, which harvests the log-on information of everyone who visits, and once users' passwords have been purloined, the same log-in details can be reused at other sites.
The study of such threats has led experts to call for a fundamentally different model, in which the traditional password log-on is abandoned in favour of a system where humans play little or no part in logging on. Instead, the two machines would hold a cryptographically encoded conversation to establish both parties' authenticity, using digital keys that users never need to see. Users would replace passwords with information cards: icons that are selected when a user is prompted to log on to a web site. Clicking the icon starts a handshake between the machines that relies on cryptographic code rather than a typed secret. The software needed to create such information cards is only available on about 20 percent of computers, although that number is up from 10 percent a year ago. Ensuring that computers have the software to use information card technology is only half the battle, however; web site hosts must also be persuaded to adopt the information card model for sign-ons.
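The article's core contrast, a typed password versus a key-based handshake, can be shown in a few lines. The following is an added illustration, not code from the article or from any information card implementation: it assumes a per-site key derived with HMAC from a master key held by the user's agent, and a challenge-response bound to the site's origin, and it shows only the client-authenticates-to-site half of the handshake. A constructed phishing site relays whatever the user sends to the genuine site.

```python
import hmac
import hashlib
import secrets

# Constructed demo origins: the genuine site and a look-alike phishing site.
REAL, PHISH = "bank.example", "bank-example.login.test"

# --- Password model: the same string is typed into whatever page is shown ---
PASSWORD_DB = {REAL: {"alice": "correct horse"}}  # constructed sample credential

def password_login(site, user, typed_password):
    """Server-side check: does the typed string match what the site stored?"""
    return PASSWORD_DB.get(site, {}).get(user) == typed_password

# --- Information-card style model: a per-site key the user never sees ---
MASTER_KEY = secrets.token_bytes(32)  # held by the user's agent, not the user

def site_key(master, origin):
    """Derive a distinct key for each origin (assumption: simple HMAC-based KDF)."""
    return hmac.new(master, origin.encode(), hashlib.sha256).digest()

class Site:
    """A relying party holding the key the user registered with it."""
    def __init__(self, origin, registered_key):
        self.origin, self.key, self.nonce = origin, registered_key, b""
    def challenge(self):
        self.nonce = secrets.token_bytes(16)  # fresh for every log-on attempt
        return self.nonce
    def verify(self, response):
        msg = self.nonce + self.origin.encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def agent_respond(master, origin, nonce):
    """The agent answers with the key bound to the origin it is actually talking to."""
    msg = nonce + origin.encode()
    return hmac.new(site_key(master, origin), msg, hashlib.sha256).digest()

def phishing_outcomes():
    """Returns (password replay works, relayed handshake works, genuine handshake works)."""
    harvested = "correct horse"  # what alice typed into the phishing page
    password_replay_ok = password_login(REAL, "alice", harvested)
    real = Site(REAL, site_key(MASTER_KEY, REAL))
    # The phisher relays the real site's nonce, but the agent keys its answer
    # to the phishing origin, so the relayed response is useless at REAL.
    relayed = agent_respond(MASTER_KEY, PHISH, real.challenge())
    relay_ok = real.verify(relayed)
    genuine_ok = real.verify(agent_respond(MASTER_KEY, REAL, real.challenge()))
    return password_replay_ok, relay_ok, genuine_ok
```

Only the origin binding makes the difference: the harvested password is accepted everywhere it is typed, while the relayed handshake answer is rejected even though the phisher saw every byte of it.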
Progress on information card technology is not expected to be particularly swift, largely because of the attention being devoted to the OpenID initiative, which promotes "Single Sign-On": after users log on to one OpenID site they can gain entrance to all web sites that accept OpenID credentials. Critics of OpenID have stated that, at best, it offers a little convenience while ignoring the security vulnerability inherent in typing a password into someone else's web site. Despite this, a number of brand-name companies have become signatories of OpenID, including Google, IBM, Microsoft, Yahoo! and MySpace.
Support for OpenID is conspicuously limited, however. The large companies backing OpenID are happy to create an OpenID identity for visitors that can be used at their own sites, but they are not willing to rely upon OpenID credentials issued by others; you cannot use a Microsoft-issued OpenID at Yahoo!, nor Yahoo!'s at Microsoft. The reason is that these companies see the many ways in which the password log-on process can be compromised and, as a result, are unwilling to take on liability for mischief originating at someone else's web site.
Many critics of OpenID are also enthusiastic advocates of information cards. Microsoft and Google are among the six founding companies of the Information Card Foundation, formed to promote adoption of the card technology. The presence of PayPal in the group is also significant. With its direct access to users' bank accounts, PayPal will be inclined to be conservative, so if it becomes convinced that information cards are more secure than passwords, many more people are likely to climb on board with the new technology.
While unlearning the habit of typing a password into a box on a web site may take a while, learning new habits looks set to be integral to protecting internet users, with computer security experts stressing that logging on to a site should be a cryptographic conversation between machines, saving us from inadvertently giving away the keys, and with them our private information.