“Better authentication methods can come along any day now… I’m ready…”
That is something I said this morning while working on my work laptop. We recently were required to add whole machine encryption which meant adding yet another password and remembering yet another ID/Password combination. When I loaded the encryption software two things irked me… The first was that I had yet another ID/Password combination to worry about and second that the local recovery mechanism was three silly questions most of which based on information that can change[1]…
Now when I fire up my laptop for work I have to enter a whole disk encryption userid / password. It is my main corporate ID in UPN/email format but a whole other password that must be six numeric digits[2]. Then I get my main logon screen which is my main ID in SAM format (I could use UPN here if I chose as well), but with my password from the corporate forest. Then I get my desktop and Office Communicator fires up and for some reason, more times than not, it asks me to enter my password as well. So again I enter my corporate password. Then up comes MSN for when Office Communicator isn’t working (all too often unfortunately)… So I enter that entirely different userid and password. Then I fire up Outlook and get to enter passwords for the PST files (yes that is my choice). So now that is the first 2 minutes of the work day…
Now let’s say I need to connect to different customer environments… We have three different shared environments that I can connect to that house many of our customers. One uses my corporate userid name but not the corporate password. One uses a whole other userid (a second corporate userid since we went through a merger with another company) and password. And the last uses two factor auth so I have to enter my secondary corporate userid with a PIN I know and a passcode from an RSA Token. Now this is only for some accounts. Other accounts have their own IDs and passwords. So say I need to get into the account I spent most of last year on, I go to their Reverse Proxy Web Site and enter my main userid and password from their corporate directory, then to connect to a server I use one of my six Admin IDs I have for that environment. Next if I connect to another large customer that I have been handling various questions for a W2K8 migration I enter a userid with a smartcard (different from the RSA token) temporary password to get into the firewalled section that is set aside for that customer, and then another userid/password to get onto the Citrix system that allows me to work on that network. If I want to connect to their lab environment, even more userids and passwords… If happen to have yet another RSA token and set of userids to connect to another largish customer I used to work on as well. I have to actually label my RSA tokens by which company the token is for. That alone is a pain, how come I can’t at least use one token/smart card for all of the companies?
This doesn’t at all go into the stuff I have for my personal world… Access to Microsoft Source Code is another smart card/password. Microsoft Private News Groups. Hotmail email account. My joeware email accounts. Admin IDs for each of my test forests for playing with AD. Home Depot account, six or seven credit card accounts, eBay, Amazon, my website and blog, 401k, health insurance, stock benefits site, Craig’s List, Code Gear Developer Account so my IDE can log into Code Gear. Admin IDs for each of the PCs I have my house, both servers, and clients. Voice mail for work phone, personal mobile phone. Key code lock on my front door to my house. Hmm what else, iTunes/App Store, all the various apps on the iPhone, etc etc etc yadda yadda yadda blah blah blah…
At this point I am getting confused just trying to maintain in my head which userid/password/token/smartcard combinations are used at which points; especially when you have one userid string blah@corp.com that is used in five different locations with five different passwords. I’m ready for authentication that just takes a look at me and says… well you look a little rough because you didn’t comb your hair this morning and are still wearing your pajamas but I recognize you as joe and will let you onto the system… And since I am actually looking at you, all of the other systems will trust that I know what I am talking about and allow you in too or I can just pass on the live video feed to them if they want to validate you… At this point the only thing I tend to have in common across multiple systems is the same answers to the recovery questions… While my userid/password isn’t likely to be consistent across systems, my mother’s maiden name probably is… It reminds me of something a good friend of mine at MSFT has said multiple times in my presence when talking about Identity… SK (for short) would say something like… You know, I don’t log into my 401k (I think it was 401k, maybe it was health benefits site or maybe it was both…) very much so I always forget my password and so then I always use the self password reset system for the web site which asks me questions[3]… Those questions might as well be my password.
Federation and Info Card is getting bigger and bigger but even if it took all my web based auth and put it into a single auth system I would still have too much to recall and deal with.
Anyway, no answers here for this issue… just venting. Oh and I would like to see an end to the sub-zero degree Fahrenheit wind chill temperatures as well while I am at it. 🙂
joe
[1] I.E. What is/was your favorite this or that or what was the date of this or that event. For example, I have never had a honeymoon but one of the questions was, when was the date for that? Now I would put none, but a year or two from now that could have a different answer and if I needed to recover I would have to recall when I filled out the recovery info… I am in the recovery console because I can’t even recall a password I use every day… I also hate when companies use things like favorite food or favorite movie or even favorite teacher, who says those things won’t change?
[2] Seriously… WTF. No more, no less than six numbers…
[3] Those questions are probably less secure than the password that isn’t being remembered…
“Secret” questions….grrrr
Heaven forbid someone finds out your honeymoon date, your mother’s maiden name, and your favorite color, because they just became you and have access to all your accounts.
As big a pain as passwords are, at least they’re not often available in public records or easily guessable. How many colors, dog names, or sports teams are there?
Amen. My favorite, for two reasons, is: “last name of your best friend.”
[1] What is this, high school? I don’t tend to think of my friends in that way anymore.
[2] Again with the problem of static information, if I -did- think of my friends that way, who’s to say that won’t change over a period of years.
[3] At one point when I more or less -had- to use that question, I typed in the answer, and the web form slapped back “We’re sorry, the answer to your secret question must have at least six letters.” It’s her NAME! It’s 5 letters LONG! What do you WANT from me?!? 🙂