The password is… "Archaic"
A customer forwarded this article from the New York Times, on new authentication mechanisms. The author is cheerleading a bit for “information cards” which would act a little like your ATM card; the idea would be that each computer would have a reader where you would insert your card and type in a PIN; after you’d done that, you’d have access to all of your sites.
Authentication can have three factors: something you are (fingerprint, retinal scan), something you have (your ATM card or these information cards), or something you know (your password or PIN). Security experts recommend two-factor authentication for important stuff; you use two-factor authentication when you go to the bank, insert your card and use your PIN. Two-factor authentication means that the password can be a lot simpler, because one of the other factors is acting as a second check.
However, two-factor authentication is not foolproof, either; there have been sophisticated ATM scams where thieves installed a magnetic stripe reader over the normal slot, with a video camera to record the user’s PIN as they type it. One of the things about information cards is that you may have to use them in untrusted environments; if you’re traveling and want to check your email, nothing will protect you from the hacked machine at the internet cafe where you put in your card.
On campus, IST is developing what they’re calling “second level authentication” which can be used for security-sensitive web-based applications. This would augment the security of your CalNet ID; for a sensitive application like HRMS, you would log in with your CalNet ID, but then also input a PIN using an on-screen keypad. This does not qualify as two-factor authentication, because both authentication tokens are “things you know,” but it should make those applications somewhat safer.
There is also a significant effort underway on campus and at UCOP to set up an “identity management” (IdM) system. IdM attempts to combine authentication (verifying who the person is) with authorization (verifying what the person should have the rights to access). Right now CalNet is basically an authentication system; each application which uses CalNet ID must maintain its own list of which CalNet IDs are allowed to access the application. IdM would provide a central place to store information about each user’s access rights, and also provide a way (through “federated identity management”) to communicate authorization to external entities, like UCOP or a third-party vendor. UC Davis recently did a pilot to see if GMail could provide email for students; in the pilot, students were able to use the UC Davis equivalent of a CalNet ID to log in to their UC Davis GMail account. Federated IdM has come a long way in the last year or two (mostly through the Shibboleth project), and I expect we’ll start to see many more of these kinds of arrangements.
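To make the authentication/authorization split and the federation idea concrete, here is an added, self-contained Python sketch (it is not code from this post, from CalNet, or from Shibboleth, which uses signed SAML XML assertions rather than the toy token below). It assumes a constructed shared HMAC key between an identity provider and a relying party, a constructed central policy table standing in for the IdM access-rights store, and a constructed user "alice"; the identity provider issues a short-lived signed assertion carrying the user's identity and entitlements, the relying party verifies the signature and expiry first, and only then makes a separate authorization decision against the central policy.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Assumption (constructed for this example): the identity provider and the
# relying party share one HMAC key that was exchanged out of band. Real
# federations use public-key signatures so relying parties hold no secret.
IDP_KEY = b"constructed-demo-key-not-for-production"

# Central policy standing in for the IdM authorization store (constructed):
# application name -> entitlement a user must carry to be allowed in.
ACCESS_POLICY = {"hrms": "hr-staff", "gmail": "student"}


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _b64d(text):
    return base64.urlsafe_b64decode(text.encode("ascii"))


def _sign(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()


def issue_assertion(key, subject, entitlements, issued_at, ttl=300):
    """Identity provider side: after the user has authenticated (not shown),
    bind the identity and its IdM entitlements into a signed, short-lived
    assertion that an external relying party can check on its own."""
    payload = {"sub": subject, "entitlements": sorted(entitlements),
               "iat": issued_at, "exp": issued_at + ttl}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return _b64e(body) + "." + _b64e(_sign(key, body))


def verify_assertion(key, token, now):
    """Relying party side: accept the assertion only if the signature is valid
    and it has not expired. Returns the claims dict, or None on any failure."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _b64d(body_b64), _b64d(sig_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token
    if not hmac.compare_digest(sig, _sign(key, body)):
        return None  # forged or tampered
    try:
        payload = json.loads(body)
    except ValueError:
        return None
    if not isinstance(payload, dict) or now >= payload.get("exp", 0):
        return None  # expired (or missing expiry)
    return payload


def authorize(claims, app):
    """Authorization is a separate decision from authentication: the verified
    identity is checked against the central policy for this application,
    instead of each application keeping its own ad hoc list of IDs."""
    required = ACCESS_POLICY.get(app)
    return required is not None and required in claims.get("entitlements", [])


def rewrite_body(token, new_payload):
    """Swap in a different body while keeping the original signature. Used
    here only to show that the verifier rejects an assertion whose
    entitlements were altered without the key."""
    sig_b64 = token.split(".")[1]
    body = json.dumps(new_payload, sort_keys=True, separators=(",", ":")).encode()
    return _b64e(body) + "." + sig_b64


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed issue time
    token = issue_assertion(IDP_KEY, "alice", ["student"], t0)
    claims = verify_assertion(IDP_KEY, token, t0 + 10)
    print("gmail:", authorize(claims, "gmail"), "hrms:", authorize(claims, "hrms"))
```

The point of the ordering is that the relying party never consults the policy until the assertion has been verified, and the policy lives in one place; when an external vendor is added, it receives the same signed assertion and the same decision logic rather than a copy of the campus user list.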
