Beyond Passwords

Computerworld - In the city of Stockholm, 85,000 elementary school students log on to servers inside the city LAN to get their classroom resources. And just like the end users in most businesses and municipalities, the Stockholm students often forget their passwords. Plus, teachers are stuck with the burden of issuing new passwords every 100 days in accordance with city policy.
But corporate America could learn something from the network professionals in Stockholm. In October, the school district embarked on a new authentication method with something they don't need to memorize and can't lose: their fingerprints.
The city's 450-seat pilot project is just the beginning. By March, the $100 fingerprint readers from Bellevue, Wash.-based Saflink Corp. should be in use on all of the school district's 25,000 computers, says Samir Hamouni, project manager in Stockholm's executive IT department. And by next year, he anticipates that all city government workers - 120,000 computers in all - will authenticate using smart cards, tokens or biometrics.
Passwords aren't the only game in town anymore. The smart card and token market is already heating up. What was a $314.5 million market in 2000 will reach $2.2 billion in 2005, according to a November study by IDC in Framingham, Mass. The biometrics market, dominated by fingerprint readers, is also starting to grow, from $119 million in 2000 to a projected $887 million in 2005.
This isn't a situation in which only one technology will prevail, because sophisticated companies may use multiple techniques for network user authentication.
"I think there's going to be a high degree of synergy between biometrics, smart cards and tokens as larger companies broaden their installation of multifactor authentication to a greater number of users," says Chris Christiansen, security research director at IDC. "I like the analogy of apartment doors in New York City. They don't just have a lock. They have a slew of locks and chains and even steel bars."
Despite the many methods available, user authentication falls into one of three broad categories: what you know (passwords, personal identification numbers or other forms of challenge response), what you have (smart cards, tokens or computer hardware identifiers such as serial numbers or IP addresses) and what you are (biometrics). Each form has its drawbacks and benefits, says Richard Smith, author of Authentication: From Passwords to Public Keys (Addison-Wesley, 2001).
For example, there's no way yet to dole out tokens or smart cards to millions of customers for big business-to-consumer applications, so passwords and PINs with Secure Sockets Layer encryption are still the