Passwords, hardware tokens, software tokens, public key certificates, one-time pads, virtual keypads, fingerprints, retinal scans, facial recognition, question-and-answer systems, picture selections, public-records database hint systems… and the list goes on and on. These are all methods for authentication, and apparently they are not enough. There is always "yet another authentication mechanism" (YAAM) being introduced. And every time a YAAM appears, it arrives with a rationale that is some combination of:
• less expensive
• easier to deploy
• simpler (and therefore more effective)
• better scalability
Two of the most recent YAAMs are Vidoop and Passfaces. Both are variations on the theme of picture selection and recognition instead of password entry. And, both are pretty clever.
However, every time a new YAAM emerges, we seem to be a little more confused than we were before. This is especially true whenever the YAAM looks like methods that are already in use. The inevitable questions follow: How much better is it? What else has to change? How do the existing methods compare? But the issues around authentication run much deeper than the typical tradeoff study.
Without an identity strategy that defines what the subjects are, what the set of identity claims includes, how far the span of an identity extends, and which authorities give meaning to the identity, worrying about authentication is premature. Authentication only proves that a subject can present a credential; it says nothing about what that credential was issued for, who vouches for it, or where it should be honored. Authentication is important, but no type of authentication can fix shortfalls in the foundations of identity. (Incidentally, even picture-based authentication can fail. See article.)
So, before you invest too much effort pondering the selection of an authentication mechanism, first review the foundations of your identity infrastructure. After that, the YAAMs will still be waiting!
Posted by LEF at 05:21 AM. • Filed under: Digital Trust