Friday, September 05, 2008

Infosec Fortune Cookie Friday

Mitigating a risk with a stringent security control can create its own risk: that of business interruption.

Thursday, September 04, 2008

Replacing Passwords

The NY Times has an article on authentication without using passwords.

The solution urged by the experts is to abandon passwords — and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties’ authenticity, using digital keys that we, as users, have no need to see.
...
As users, we would replace passwords with so-called information cards, icons on our screen that we select with a click to log on to a Web site. The click starts a handshake between machines that relies on hard-to-crack cryptographic code.
...
“Users on shared systems can easily set up a simple PIN code to protect any card from use by other users,” Mr. Cameron said.

While I don't deny that passwords have their problems, I want to think this solution over a little. Meanwhile, if anyone out there is awake, I'm curious to hear your thoughts.