Wednesday, April 23, 2003
Death of the password
It may be premature to announce (again) the death of the password, but at least for users of Covisint, it's on its way out. Fascinating short piece in ComputerWeekly this week on a programme in Covisint to replace passwords with "tokens" - I assume USB-type tokens or RSA smart cards. The reason it's fascinating (for me at least) is that there are some numbers quoted that I haven't seen before. It costs, apparently, about $100/year to "run" a token (for their community of 120,000 users in 11,000 companies, growing to 200,000 this year). Delphi, they note, has 20 staff just to administer IDs, with many handling calls to help lines no doubt, where 70% of calls are for forgotten passwords and each call costs between $40 and $60. It seems pretty easy to me to do the maths on that and come up with a sound business case.

In the past when we've looked at tokens like that for government there have been two issues that stopped us moving ahead: training and technology compatibility. Training is reasonably easy to solve in a closed user community, but can you imagine how hard it would be to educate the UK population (or the online one at least) on how to use an RSA token? Technology, though, would screw you first - the wide variety of browsers, operating systems and whatnot would mean that the help desk would be full of calls complaining that the thing doesn't work. This is a problem that needs to be cracked and lots of people have had a go at it. It might, one day, be smart cards or bank cards with the EMV application in them, it might be some other kind of technical solution but, whatever it is, training and compatibility issues are going to be big costs.
Posted by Alan at Wednesday, April 23, 2003