Will Software Authentication Survive?

I have been thinking about the possibility of software authentication tokens for a while. There are a few movements in the industry to make hardware authentication easier to use and deploy, but there certainly are many cases where software tokens are preferred or required.

The first question is whether it is possible to have software tokens that are cryptographically strong. That means having a way to protect secret keys or seeds in software without the risk of being stolen. There have been attempts for this offering in the past, for sure -- the most used today are Arcot IDs offered by CA. These methods have been in commercial use for many years and have proved to be strong against any attacks.

The second issue is whether there are reasons for software authentication -- and the answer here is obvious given the availability of hardware authentication is still quite limited and will take a long time for the market to be there. Many of the financial (and other) sites today use mobile phones as a second factor for authentication. The use of strong cryptography there with a software one-time password will provide a very strong second factor that does not need secure hardware.

My prediction: Software second-factor authentication technologies will be here for a long time -- perhaps for the very long-term.

Recognized in the industry as the "inventor of SSL," Dr. Taher Elgamal led the SSL efforts at Netscape. He also wrote the SSL patent and promoted SSL as the Internet security standard within standard committees and the industry. Dr. Elgamal invented several industry and government standards in data security and digital signatures area, including the DSS government standard for digital signatures. He holds a Ph.D. and M.S. in Computer Science from Stanford University.