Security
Does the information security industry provide what you need?
Monday 13 August 2012
by Jonathan Craymer, Chairman at PinPlus Ltd

Recently in a break-out session at a major conference on identity management, I was privileged to ask the speaker, the CTO of a globally known luxury car maker: “Does the information security industry provide what you need?”

After all, we’ve had years working with passwords, strong passwords, tokens, apps which receive or create on-the-fly one-time codes, not to mention biometrics and a huge number of variants on the above. Surely by now the industry creating all these things has got it right and is offering this gentleman and his colleagues exactly what they need?

Yet he struggled with the question momentarily and answered: “No”.

Asked why, he explained there were simply too many systems, too much for employees to learn, and critically there was too much for the average CTO – who he believed on average remained in post for four years – to sift through in that time, searching for the “ideal” system.

A few weeks later, I asked the same question of a number of visitors at the InfoSecurity Europe show, Earl’s Court. Most shrugged and pointed out that if the ideal system existed, there’d be no need for such a show.

Granted, things do move on and hackers don’t stand still in terms of skill and the tools available to them, so I’m prepared to accept that what might have been an ideal system has become long in the tooth and a replacement has had to be found.

Nevertheless I’ve long felt – and I’d be interested to know if others agree – that there is a yawning gap between applications where passwords are still used, and those where a product or device supplied by the infosecurity industry is deployed. At a rough guess, the password continues to be used in 99 point something percent of all logins or transactions, leaving the more sophisticated end of the secure login market to sort out a tiny percentage.

Surely we need to do something about this? Make it so that, as the security of fixed user-IDs (passwords, PINs and combinations) becomes ever more “broken”, there’s something cheap enough, sustainable enough and easy-to-use enough to step into the breach?

Another way of looking at this is how on earth did we ever get this far, creating the Internet and a whole host of systems requiring users to identify themselves to computers and systems, without ever stopping to ask: “What the hell do we do when the password is no longer secure enough?”

Copyright © 2024 SkyParlour Limited
Registered in England and Wales, Company Registration Number 07009362
Our Cookie Policy can be found here
Site design by Dan Yuen at Contains Graphic Images