For occasional private use, passwords can be just fine to protect a document or folder.
For enterprises, passwords can be bothersome. Imagine the case of Peter, who works at a large company. He has a login for his workstation and email account, access to a dozen intranet applications, and one or more folders on the company network storage drives. Peter is required to change his passwords every six months. Each application has slightly different rules about what makes a strong enough password, but in general new passwords have a minimum and maximum length, must include characters from certain classes, cannot be based on any English word, and cannot be reset to any one of the last 10 passwords.
Oh, and Peter isn't allowed to write any of them down.
How many millions of people have suffered like Peter?
I have a solution in mind involving public key cryptography and the existing infrastructure for issuing and validating certificates (PKI).
PKI authentication is not new. Apache httpd has supported client-side certificates for years, and there are a variety of desktop applications that support PKI. But it's no surprise that most of the world still uses passwords and not PKI.
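As an added illustration of the client-certificate support mentioned above (this configuration is not from the original post), here is a minimal Apache httpd mod_ssl virtual host that authenticates users by certificate instead of by password. The hostname, file paths and the organization name "Example Corp" are placeholders chosen for the example.

```apache
# Added example: Apache httpd (mod_ssl) virtual host that requires a
# client certificate. Hostname, paths and organization name are
# placeholders (assumptions), not values from the original post.
<VirtualHost *:443>
    ServerName intranet.example.com
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCertificateFile      /etc/ssl/certs/intranet.crt
    SSLCertificateKeyFile   /etc/ssl/private/intranet.key

    # CA chain that issued the employees' client certificates; only
    # certificates that chain to these CAs are accepted.
    SSLCACertificateFile    /etc/ssl/ca/corp-ca-chain.pem
    SSLVerifyClient         require
    SSLVerifyDepth          2

    # Reject certificates the CA has revoked (e.g. a lost smart card)
    # by checking the CA's published CRL along the whole chain.
    SSLCARevocationFile     /etc/ssl/ca/corp-ca.crl
    SSLCARevocationCheck    chain

    # Accept only certificates issued to the company's own organization.
    SSLRequire %{SSL_CLIENT_S_DN_O} eq "Example Corp"

    # Expose the certificate's CN as REMOTE_USER so intranet
    # applications see the same identity a password login would give.
    SSLUserName SSL_CLIENT_S_DN_CN
    SSLOptions +StdEnvVars

    DocumentRoot /var/www/intranet
</VirtualHost>
```

The CA referenced in SSLCACertificateFile should be a private corporate CA rather than a public one; otherwise any certificate holder, not just an employee, would pass the check, and the SSLRequire line would be the only thing standing in the way. The CRL check is what turns "Peter's certificate is no longer valid" into an enforceable event, which is the certificate-based counterpart of disabling a password.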
There are reasons why passwords are still the dominant authentication method in use today.
One of the major reasons is cost. It's just too expensive to deploy a PKI authentication system. There are many companies ready to take a lot of your money to help you deploy PKI in your organization. If you think you can do it yourself, and you've read some Alice and Bob tutorials, beware of what you don't know. How do you choose which encryption algorithms you want to support? Will there be any real-world issues that the 5-minute tutorial on setting up a certificate authority didn't cover? What are your mistakes going to cost you? For PKI, you definitely need expert help, and it's expensive.
Another major reason is education. Your end-users don't know anything about PKI. Your IT staff might not know so much either. They know that personal passwords are easy and corporate passwords are troublesome. They don't really care for the beautiful design of PKI or have any interest in using the tools to manage their credentials. They just want to exercise their access and do their job. Since there's a lot to learn about PKI in order to become a competent user, education is definitely an obstacle.
I intend to make certificate-based authentication easy enough for more enterprises to actually want to do it and enjoy the benefits. Anyone interested is welcome to send me an email.