I started a thread a while ago talking about passwords, and many of you suggested that there were other solutions such as smart cards, SecurIDs and biometrics. Now, the question is, which is better? We all have our own ideas, so here is mine:
It depends! Yeah, that was a cop-out, but at the end of the day, many of the answers depend on your challenges, desired level of security and budget, among other things. Over the years I have installed a number of systems for different purposes: single-instance password schemes and secure password stores for application/network authentication, SecurID and smart-card solutions for remote access, and biometrics to replace password login on workstations. I do, however, think that the systems have often missed one big question: how many different passwords should we need? Is the solution a bringing-together of the technologies to allow for things like authentication federation, letting you securely sign on in one location and have your credentials used to gain access to other systems? One such scheme was Passport. Whatever you think of this, Passport didn't work... so onwards.
I'm ex-RSA and have a great deal of experience using/deploying said technologies, including SecurID, biometrics and smart cards.
All of these approaches fail if the users aren't compelled to look after the token (multi-factor authentication device). We've all seen users (even at large software houses based on the West Coast of America!) who leave their smart card in the reader 24x7x365 and leave both in the laptop bag!!!!
I accept that it's still pretty hard to overcome the PIN mechanism (unless you have an electron microscope), but it's still pretty silly!
Whatever the preferred technical solution, they will ALL fail unless an appropriate policy is defined, maintained and signed off by someone powerful (the CISO, the board, a suitable executive), and security awareness activities take place to make sure users understand WHY it's important to comply and that there will be consequences if they fail to observe the policy.
> Biometrics to replace password login on workstations.
This is funny because I just wrote a note today about exactly this subject: http://www.literatecode.com/biometric.php