'Simplify' Clue Guiding the Password Game

It's debatable whether consumers feel overwhelmed by the number of passwords that protect their financial accounts and e-commerce dealings. Most people use pretty much the same password for everything, even though they know they're not supposed to.

As more of us do more business online - and certainly banks are not the only ones encouraging this - password overload could turn into a pronounced problem.

Most banks have found it a challenge to create a universal password across their homegrown systems, and most are not securing customers' passwords with industrial-strength measures such as digital signatures and public key infrastructure (PKI) encryption.

According to Ravi Ganesan, chief executive officer of a technology company that has set out to mop up this problem, PKI was invented 25 years ago and products have been on the market for a dozen years. But for various reasons - many of them linked to the failure so far of smart cards, which could hold private keys - banks have not been able to take advantage of the available technology to solve their security woes. If PKI "had taken off, you wouldn't be living in password hell," Mr. Ganesan said.

His company, SingleSignOn.Net, is selling a system - and an appliance that goes with it - that lets banks and their partners (such as Web retailers or affiliated financial services companies) offer customers a single password that works across all channels and Web sites, and that is - or could be, if the institutions wanted it - secured by PKI and digital signatures.

"We set out to build a usable PKI product," said Mr. Ganesan, who joined SingleSignOn in February from CheckFree Corp. of Atlanta, where he had been vice chairman.

SingleSignOn, which has about 30 employees and a headquarters in Reston, Va., was incorporated in 1998, but its "official launch" took place in April at the RSA Conference 2001 in San Francisco. Mr. Ganesan said his company, which licenses its technology patents from Verizon Communications under exclusive deals, is conducting six "serious pilots," including two at banks and one at a credit card company.

"A bank usually doesn't have a dozen cryptographers on its staff," nor the budget to build separate security architectures for all customer channels, Mr. Ganesan said. "You want password-based PKI," he said. With his firm's system, "you buy one infrastructure once, and use the same infrastructure for all channels." The company calls this "practical PKI."

Avivah Litan was impressed enough with the company's product and pedigree that she recently left her job as an analyst at Gartner to become chief marketing officer at SingleSignOn. "You can use PKI just by putting a password in; that's the big issue here," she said. "You don't need smart cards. Consumers don't want to understand the whole thing, they just want a user ID and a password.

"This is also a plain old user ID/password system, if banks don't want to activate the PKI aspects," she said. "It takes an hour to set up, as opposed to eight to nine months."

Mr. Ganesan, a cryptographer who spent seven years at Bell Atlantic before joining CheckFree, warned that companies are going to be increasingly liable for the soundness of their Web security systems.

"It would be nice to have digital signatures on [online] stock trades," Mr. Ganesan said. "Demand is not missing."

MORE FROM AMERICAN BANKER