OK, so passwords are insecure but reliable. Stronger authentication methods are secure but may not be reliable. Interesting tradeoff.
By the way, I went into a fair amount of detail with regard to the origins and use of passwords in my article “The Demise of Passwords: Have Rumors Been Exaggerated?” in the ISSA Journal of May 2005 (membership required). I concluded that, while passwords are fraught with problems, they are somewhat effective if the most obvious choices are avoided. My favorite password technique is the one-time password, especially that using “bingo cards” whereby the system generates the coordinates of the characters to be entered by the person seeking to be authenticated. Be that as it may, everyone is seeking the holy grail of a universal authentication approach, simple for the customer, yet strong from the security perspective, easy and cheap to implement and infinitely scalable.
So is Stross contending in his article that Microsoft has come up with the ultimate authentication method? I don’t think so, but I do wonder what he and Microsoft are about. Stross quotes Kim Cameron, Microsoft’s ID guru, as saying “I don’t like Single Sign-On. I don’t believe in Single Sign-On.” I also don’t like SSO for the obvious reason that it places too many eggs in a single basket, so if cracked, the single conduit of access opens up a multiplicity of systems to the attacker. However, SSO is convenient and avoids the need to retain many passwords, for example, and as such has a great deal of appeal to the harried subject.
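The "bingo card" one-time password mentioned above, sketched as an added example that is not code from the original post or from any product it names. The 8x5 card size, the three-cell challenge and the policy of retiring every cell once it has been asked for are assumptions of this sketch.

```python
import hmac
import secrets
import string

ROWS, COLS = "12345", "ABCDEFGH"            # assumed card layout: 8 columns x 5 rows
ALPHABET = string.ascii_uppercase + string.digits


def make_card():
    """Build a random card mapping a coordinate such as 'C3' to one character."""
    return {col + row: secrets.choice(ALPHABET) for row in ROWS for col in COLS}


class GridAuthenticator:
    """Server side: holds the user's card, issues coordinates, checks the reply."""

    def __init__(self, card, challenge_len=3):
        self._card = dict(card)
        self._unused = set(card)            # cells that have never been asked for
        self._pending = None                # coordinates awaiting a reply
        self._len = challenge_len
        self._rng = secrets.SystemRandom()  # OS-backed randomness for cell choice

    def challenge(self):
        """Pick fresh coordinates; the system chooses them, never the user."""
        if len(self._unused) < self._len:
            raise RuntimeError("card exhausted; issue a new card")
        self._pending = self._rng.sample(sorted(self._unused), self._len)
        # Retire the cells at issue time (assumed policy), so that abandoning
        # a challenge cannot be used to shop for already-observed cells.
        self._unused.difference_update(self._pending)
        return list(self._pending)

    def verify(self, response):
        """Check the reply to the pending challenge; one attempt per challenge."""
        if self._pending is None:
            return False                    # no challenge outstanding, or replay
        coords, self._pending = self._pending, None
        expected = "".join(self._card[c] for c in coords)
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(expected.encode(), response.upper().encode())


if __name__ == "__main__":
    card = make_card()                      # constructed sample card
    server = GridAuthenticator(card)
    coords = server.challenge()
    reply = "".join(card[c] for c in coords)  # what the card holder reads off
    print(coords, "->", server.verify(reply))
```

Because each cell is retired once asked for, a reply observed in transit is never valid for a later challenge, and a 40-cell card supports 13 logins before it must be replaced.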
