Peter commented:

> That users know passwords and they "work" is a large part of the problem
> with passwords: the same low entropy security token is used for multiple
> systems with varying levels of sensitivity. When using passwords, both the
> user and the end systems must, in general, be trusted with the security
> token; so say a user uses the same password on 20 services then *all* of
> those services must be secure *and* the user must keep the password secure.
I'd suggest that there are some options that can reduce the credential explosion while avoiding inadvisable reuse of credentials on multiple systems, e.g., federated authentication as implemented with Shibboleth via federations such as InCommon (ObDisclaimer: I work with Internet2 and InCommon, although not on federated auth per se (other than as a user)). One credential, issued by one's home institution, but usable in a privacy preserving and secure way across multiple providers.... I think that's a huge win for users and for the sites that work with them, and this is certainly a theme/objective of the current US NSTIC (National Strategy for Trusted Identities in Cyberspace) work.

I'd also suggest that it might be helpful to frame the discussion in terms of NIST 800-63 levels of assurance. Passwords will work for LOA-1 and LOA-2, but if you need LOA-3 or LOA-4, they won't. (Obviously the various LOAs involve more than just use of passwords or multifactor authentication, but for the purpose of this discussion, let's just focus on that one aspect of LOAs for the time being.)

Of course, one problem that we sometimes run into (at least in higher ed) is that it can be hard to find an application that motivates going all the way to LOA-4. Pretty easy to dredge up use cases that motivate people to get to LOA-3 and multifactor, but LOA-4, well that's a bit trickier.

Regards,
Joe

Disclaimer: all opinions strictly my own

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
