Microsoft to abandon passwords

Microsoft has revealed at a security panel at CeBIT that it is preparing to dump passwords in favour of two-factor authentication in forthcoming versions of Windows.

Detlef Eckert, the senior director in charge of Microsoft's Trustworthy Computing initiative, did not specify which form of two-factor authentication would be used in the next edition of the company's operating system, codenamed Longhorn.

But he said that the code would have vastly improved handling of technologies including smartcards and security tokens.

"I believe that the time of password-only authentication is gone," said Eckert. "We need to go to two-factor authentication. This is the only way to bring the level of trust business needs."

The panellists were in broad agreement that better digital identity is essential for the future development of e-commerce.

RSA Security chief executive Art Coviello suggested that the effects were already being felt, pointing out that some Australian banks have recently pulled out of planned web services because of security fears.

"We are at a confidence crisis. For the first time we run the risk of taking a step backwards and the reason is the threat of identity theft," he said.

"In the past we had broad-based attacks that hit indiscriminately, but now a few companies or individuals are targeted by criminals for illicit gain."

Beat Perjes, head of IT security at Credit Suisse, agreed that the problem is severe. "We see the same trends as well," he explained.

"Trust is one of the basic attributes of the banking industry and has been since the Medici's time. We hope that in the future these digital identities will be trusted like a passport is now. They are not at present and the situation is getting worse."

But not everyone saw the situation as doom and gloom. Dr Hellmuth Broda, spokesman for the Liberty Alliance, claimed that efficient digital identities already exist for many people.

"Digital identity is already up and running," he said. "For example there are over 500 million mobile phones in the world. They all have an identity in their Sim cards and that works well for people. The trick is to get [these forms of identity] to work together."

Broda was concerned, however, that a new US database was being used without reference to other countries' resources. This could lead to companies and individuals being refused access to the country on spurious grounds.