The key problem is that passwords are too easily discovered or guessed -- they are often found written down on sticky notes stuck to monitors, for instance. Even when they're not, passwords can often be derived from well-known information about the user such as their birthday, or spouse, partner or pet's name. Further, because it's hard to remember passwords that aren't standard words -- especially as the number of passwords required increases -- the average password can often be discovered by a computer attack. This can be achieved using a dictionary or, more time-consuming but ultimately effective, a brute-force lookup that checks every possible combination of characters.

In a corporate environment, end user education as a cornerstone of company security policy can often be the answer to this problem, along with forcing users to update their passwords regularly, and checking the strength of passwords using cracking programs. For consumer applications however, none of these options is realistic. Give customers what they perceive to be a hard time, and a business risks driving them into the arms of the competition.

The mobile future secured

Passwords on their own are too weak to enable full trust, but the alternative is two-factor authentication, which has proven to be both close to unbreakable and is the strongest form of authentication available. Its drawbacks in a consumer application are that it's also not realistic to expect consumers to carry an additional, special device whose sole function is authentication.


A much better answer is to reap the benefits of two-factor authentication by generating a new password for every authentication using a device that the user already has with them. Research shows that the one device most users both possess and carry with them is their mobile phone.

The way this could work is that the user initiates a transaction, enters their PIN or access code, then the provider of services needing to authenticate someone sends a randomly generated password via SMS to their phone, which they can enter. This proves that they are the right person -- a miscreant is highly unlikely to know the user name, the password and possess the phone. And if they are using a browser, a user must enter their access code into the same browser from which they requested it. The ideal solution would also provide non-repudiation, encryption over the link where possible, and would generate passwords that were truly random.

This form of strong authentication shows huge promise. Trials by a number of service providers suggest there are few drawbacks, with the small cost of sending an SMS being offset by the security of knowing they are dealing with the right person.