It's time for good security
Monday, March 9, 2009 at 10:15PM

As we put more and more information on the Internet, is our name and password enough?
Simply put...NO. Most people who surf the 'net always use the same user id, and the user id is half of the keys to the kingdom. In this light...I don't blame them: it is usually an email address, and it was never meant to be a secret.
BUT....
Almost 90% of those folks also use the same password for each site. Only some of them actually use a decent password: one with upper case and lower case, numbers and occasionally a symbol. For example - Bad password: "saturday" Better password: "$@tUrday". (One caveat: a dictionary word with a few characters swapped for symbols is still something a password-cracking tool tries early, because those substitutions are standard cracking rules; a long random string or a multi-word passphrase is stronger still. The unchanged dictionary word is the real problem.)
So the first problem here is picking a bad password. The second is reusing that same password on every website you go to. So, let's just assume you are in the 10%: using the same user id, BUT using a good password that is unique to each site. Is that enough? Maybe, for now, but going forward, I think we need more. In the IT industry, we have names for this. A user id and password is single factor authentication: the user id only says who you are, and the password is the one factor, something you know. (It is often miscalled two factor, but the user id is not a secret at all, and even if it were, it would just be a second thing you know.)
Let's talk about the 'next' step: a real second factor. Hmmm, sounds like a foreign term...but really it's not. We all use a simplified version of it on a regular basis...the ATM. To get money from your bank via an ATM, you need your account, your PIN and your ATM card. The account number just says who you are (like the user id on a website); the PIN is something you know and the card is something you have, and those two are the factors. The beauty is that if you lose your ATM card, your money should still be safe, since a thief still needs your PIN (and someone who shoulder-surfs your PIN still needs the card). This concept, I believe, is the next step for us when we surf the web. We will continue to use our user id and password, and then add some second 'thing'. The most common in use today is a token of some sort (that second factor could also be biometric - your fingerprint, your eye scan, your voice pattern etc. - but that is another topic, with its own privacy challenges).

So, the token. We have seen tokens in various forms, with various challenges. If you have a PayPal account, an E*Trade account or some bank accounts, you may have seen the VeriSign-type token that displays a one-time code (some counter based, where each button press produces the next code, and some time based, where the code changes every half minute or so). They have filled the bill for many years, and it's great technology, but the implementation can be tricky: the website has to cope with a token that was pressed a few times without logging in, or a token clock that has drifted, and it must never accept the same code twice. Really, I don't see it becoming the second factor every one of us is carrying. Is there something better? Well, YES. Recently I found a solution that overcomes many of the challenges associated with 'tokens'. The technical implementation is purely outstanding, and the company behind the Yubikey is top notch. Now don't get me wrong, we still need the websites and the rest of the Internet to step up and let us use our Yubikey at all of their sites (Google Apps is in the works!), but it's a very interesting technology to start looking at...and to start now.
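The website side of the counter-based and time-based tokens described above, as an added example that is not part of the original post and is not Yubico's or VeriSign's code. It implements HOTP (RFC 4226) and TOTP (RFC 6238), the open standards behind many such tokens, together with the two checks a verifier needs: a small look-ahead or clock-drift window, and a record of the last accepted counter so that a code captured by a phisher cannot be replayed. The shared secret is the 20-byte test secret from the RFCs, so the codes can be checked against the published test vectors; the verifier classes, their names and the window sizes are my own choices for this illustration.

```python
"""Verifying one-time codes from a hardware token on the server.

HOTP (RFC 4226) is the counter-based scheme: each button press produces
the code for the next counter value.  TOTP (RFC 6238) is the time-based
scheme: the counter is the number of 30-second steps since the Unix epoch.
Both are HMAC-SHA1 over the counter, truncated to a few decimal digits.
The verifier classes add what a real deployment needs on top: a window
for drift, and a strictly increasing last-accepted counter so that a
code is never accepted twice.
"""
import hashlib
import hmac
import struct

# Constructed test secret: the 20-byte ASCII secret used by the RFC 4226 and
# RFC 6238 (SHA-1) test vectors, so every code below can be checked against the RFCs.
RFC_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per TOTP step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1(secret, counter as 8-byte big-endian), then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # low nibble of the last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)    # keep leading zeros


def totp(secret: bytes, unix_time: int, digits: int = 8, step: int = TIME_STEP) -> str:
    """TOTP is HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


class EventTokenVerifier:
    """Server-side state for one counter-based (event) token."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.last_counter = -1        # highest counter value ever accepted
        self.look_ahead = look_ahead  # how many unused button presses we tolerate

    def verify(self, code: str) -> bool:
        # Only counters strictly above the last accepted one are candidates,
        # so a replayed (or older) code can never succeed.
        first = self.last_counter + 1
        for counter in range(first, first + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter   # resynchronise with the token
                return True
        return False


class TimeTokenVerifier:
    """Server-side state for one time-based token."""

    def __init__(self, secret: bytes, drift_steps: int = 1, digits: int = 8):
        self.secret = secret
        self.drift_steps = drift_steps  # accept +/- this many 30 s steps of clock skew
        self.digits = digits
        self.last_step = -1             # time step of the last accepted code

    def verify(self, code: str, now: int) -> bool:
        step = now // TIME_STEP
        low = max(0, step - self.drift_steps)
        for candidate in range(low, step + self.drift_steps + 1):
            if candidate <= self.last_step:
                continue                # that step already produced a login: replay
            expected = totp(self.secret, candidate * TIME_STEP, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    ev = EventTokenVerifier(RFC_SECRET)
    print(ev.verify("755224"))   # counter 0 (RFC 4226 vector): accepted
    print(ev.verify("755224"))   # same code again: replay, rejected
    print(ev.verify("969429"))   # counter 3, token pressed without logging in: accepted
    print(ev.verify("520489"))   # counter 9, beyond the look-ahead window: rejected
    tt = TimeTokenVerifier(RFC_SECRET)
    print(tt.verify("94287082", 59))   # RFC 6238 vector for T=59: accepted
    print(tt.verify("94287082", 59))   # replay within the same time step: rejected
```

The monotonic counter is the part that matters for phishing: even if a fake login page captures a valid code, it is dead the moment the real site accepts it, and an older code is dead already. The look-ahead window is a trade-off, since a larger window tolerates more idle button presses but gives an attacker more guesses per attempt.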
How much do I believe in the Yubikey being helpful to us 'normal' people? Well, enough to partner with them and become an affiliate. If you decide to buy one, click the image below and try one out!
Read more about the Yubikey from Steve Gibson's Security Now podcast here: Security Now, May 8, 2008
Reader Comments (1)
Good one.
I think from a data protection standpoint the term needs better definition. For instance, assume a windows server is being backed up and the backup reports show two files were not successfully protected.
Regards: IT Outsourcing