Alternatives to password-protected access on the rise
By Staff -- Manufacturing Business Technology, 12/1/2005
Dependence upon password protection for computer or network access control leaves companies vulnerable, yet it is the most common form of defense because it's familiar, simple to implement, perceived as inexpensive—and many IT departments don't see much choice.
"Passwords are inadequate protection for many applications," says Burt Kaliski, VP of research at RSA Security. "However, they are most [commonly used] to protect identity because [there aren't] compelling alternatives."
The growing sophistication and professionalism of hackers—and increasing demands from customers, business partners, and regulators for guarantees that data is safe—are issues driving companies to look beyond passwords for PC and network security. While alternatives such as "smart" cards, hardware tokens, biometric systems, and encryption cost more—and are more complicated to implement—they all offer stronger security.
RSA Security offers SecurID, a two-factor authentication system for secure access to any Windows environment. Two-factor authentication combines something a user knows—a personal identification number (PIN)—with something he has—in this case, the SecurID token that generates a new, one-time password every 60 seconds—to guarantee that the person accessing the system is entitled to do so.
A "smart" card, common to financial and retail applications, has a chip that carries the owner's secure identification data. The card is inserted in a reader, and the user types in a PIN to gain system access. Smart cards often are used in conjunction with biometric systems that depend on unique identifiers, such as fingerprints, for higher security.
Arcot Systems offers a cryptographic approach to security. Its software-based combination of standard digital certificates and a patented "cryptographic camouflage" technology creates a tamper-resistant container of the user's digital credentials. The credentials are encrypted and, as a second line of defense, the container will deactivate after a few failed attempts if an unauthorized person tries to access it.
According to Cambridge, Mass.-based Forrester Research, these password alternatives can run anywhere from $5 to $40 per user in volumes of 100,000 units, and more for smaller volumes.
But password protection isn't as inexpensive as it may first appear. According to studies by Stamford, Conn.-based research firm Gartner, password resets represent 30 percent of all help desk calls, which run to about $25 each. These figures indicate companies may be paying more than they think for less-than-adequate protection.
None of these systems represents a cure-all. "[Each is] only one piece of an overall identity and access management plan," says Kaliski. Such a plan, he adds, includes strong user authentication techniques, access management, and encryption—all working together.