Password Replacement: Replacing passwords: in search of the secret remedy

Let's face it, the password hasn't become the most common technique for authentication because of its successful track record. Ever since April 2004, when a test conducted for InfoSecurity Europe showed that more than 70% of London commuters were willing to disclose their password in return for a bar of chocolate, things have never looked quite the same. There's no doubt that the weaknesses of passwords point towards the need to improve user authentication processes in many systems. Persistent user problems remain, including the use of dictionary words or other guessable strings, writing passwords down, and having the same password on multiple systems. Another problem with passwords is that they are easily shared with other people - and evidence suggests that users are all too willing to betray their own secrets. But finding good alternatives to the password is no easy task.

Though the password is by far the most common technique for authentication, its popularity is not necessarily attributable to its success as an authentication method. For example, almost 99% of home users rely heavily upon passwords as a means of authenticating their access to sensitive and personal resources^1, and other findings suggest that heavy IT users can have an average of 21 passwords^2 to remember. But - even after several years of familiarity with security requirements - it is often the users themselves who compromise password protection. Time to search for alternative secrets?