Doing Your Part to Kill Passwords

No, you didn't pick up a magazine from the IT department by mistake. Physical security has an opportunity to help solve the problems caused by using passwords to log into computers. Not your job? Well, in this new converged world, I beg to differ.

For years, we have been talking about one-card solutions: the use of a single card not only to control access to buildings but also to log on to computers. It is one of the first examples of convergence that most people talk about. In fact, the federal government's FIPS-201 program is the world's largest convergence project and focuses on the benefits of such a one-card solution. “In the IT industry, there has been a growing awareness that security is really around people; knowing who that user is, what he is allowed to do, verifying his identity, granting access to physical or logical assets, and then auditing that access,” says David Ting, CTO of Imprivata Inc., a provider of logon solutions. In the commercial sector, however, passwords are still king – with most companies relying on them exclusively for computer access. To understand why, let's take a deeper dive into the problem itself, and why the solution could impact the access control cards you have today.

The problem with passwords

Passwords are a simple means of authenticating computer users, but they have two evil sides. First, they are not very secure. The average person today has several user name/password combinations to remember; many people have dozens. In that environment, most reasonable people write the passwords down, use simple, easy-to-remember passwords, use the same password for all systems, or do all three. None of this is good news from a security point of view. In fact, in many offices, password security is not taken seriously at all. A 2004 study by Infosecurity Europe revealed that 40 percent of surveyed office workers knew the log-in passwords of a colleague. Add the ever-increasing tendency to use laptops offsite over unsecured links such as those in hotels, the increasing availability of “keystroke loggers” that capture passwords without your knowledge, and the practice of allowing partner companies to log in to your business systems, and passwords are just not enough anymore.
