At last year's Cloud Identity Summit in Vail I heard a lot about how the password is dead. I expect to hear a lot more this year.
Most of it fit into one of several categories:
- Complaints about why passwords should be dead
  - In other words all of the various problems with passwords -- and there are
- Schemes to have various applications depend on someone else's password
  - While this is helpful it doesn't kill the password
- Schemes for authentication that don't quite apply.
Last year, when talking about DMZs, Gunnar Peterson said, "You have to eat what you kill," meaning you have to provide replacement functionality.
As I was recently reminded by a business analyst co-worker, you always have to start with the requirements. So what are the requirements for a password replacement? Well, we need to consider the requirements from several viewpoints:
1. The consumer end-user
2. The Business To Consumer (B2C) website developers and admins
3. The corporate end-user
4. Those developing apps principally for consumption by corporate users
5. Corporate IT Security
6. Legal departments responsible for reducing the liability of #2 and #4
The password killer that best meets the expectations of all of these groups should become the most widely adopted.
So in the next several posts I will explore what each of these viewpoints wants in a password killer.
Then I plan on evaluating all of the password killers I find against these criteria.