Hate Passwords? You'll LOVE This!

We all want security in our Internet dealings, and yet there is nothing so universally annoying as keeping track of all our user names and passwords -- unless, of course, it's going through airport security. But as someone who carries a corporate smartphone and laptop, I have to enter a password on an hourly basis just to use these basic tools and yes, I'm constantly irritated by that.

That's the environment into which Verizon Enterprise Solutions is actually hoping to bring even more security through a second layer, also called second factor of security. Say what? In addition to announcing availability of its cloud-based Identity Management System in Europe and updated mobile apps for iOS, Android, Windows, and Blackberry devices, Verizon is also adding another layer of security through biometrics or QR codes that goes beyond user names and passwords. (See Verizon Simplifies, Expands ID Management.)

Tracy Hulver, chief identity strategist at Verizon, admits additional layers of security can be a tough sell to folks who are already bad about tracking the user name/password requirements of multiple web sites. That's why the focus has been on how to boost authentication without adding complexity.

The reality is that most security breaches -- 76 percent, to be exact -- occur when user name/password credentials are either too weak or are stolen, enabling the bad guys to gain access to critical information. In the era of expanding online commerce and collaboration, not to mention mobile BYOD and cloud-based services, more of that critical information is networked and thus potentially exposed.

What Verizon is hoping to do through a cloud-based ID management service is replace costly and clunky hardware security tokens with a flexible approach to a second factor that uses either QR codes that can be sent to a mobile phone or a secondary security code that can be sent via text message or a phone call.

The idea is that a consumer or an employee would need to use this secondary layer of security before accessing online information that could include government websites, health care records, corporate information and databases, or even online transactions.

The QR codes could be scanned by the individual's smartphone, but if that option wasn't available, the temporary code could be sent via any of a number of delivery methods -- text, email, or phone -- in sequence until it is received. As a cloud-based service, Verizon's ID management would handle the complexity of which solution is to be used and insure that the second layer of security is implemented.

Smartphones with biometrics, such as the newest Apple iPhones, offer another alternative for second-factor authentication, says Hulver. But those are still limited in deployment and have yet to be proven reliable. There may be false negatives over time after the phone has been in use, for example.

As more of the critical things we do, including managing personal or government loans, banking, education, healthcare, and e-commerce, happen online, adding security to that process seems inevitable. Ultimately, Hulver says, true security and ease-of-use will lead us to universal IDs, which can be used across a number of platforms but will be managed by one entity. Verizon would love to be that entity and is currently working to have such a system in place that is device and service independent. (See Feds Approve Verizon Credential Service and Verizon Earns Fed's OK for Digital Credentials.)

That might smack of Big Brother to some, but it also means a level of convenience that we don't enjoy today, when every new site seems to have different requirements for user names and passwords and just keeping track is a daily challenge. It also doesn't mean we all won't continue to whine about the hassle of meeting security requirements, even as we insist our institutions keep us secure.

— Carol Wilson, Editor-at-Large, Light Reading