Sadly, passwords are the least common denominator. The biggest problems with 2 factor devices (smart cards, OTPs, etc) is having to buy, configure, and distribute them; plus get them to work with all the myriad of applications. Certificates that are issued to computers/web browsers suffer from a lack of portability (i.e. by design, the user shouldn't be able to export and share the certificate with anyone they want). Plus with any solution using certificates (client or smart card) a substantial reconfiguration is required to support websites/applications being able to process certificate logons. IMHO, even though OTPs are the less secure of the two types of two-factor products, I see them growing faster than any other method. From an end-user perspective, they are small/portable, don't require a reader, and don't require any special OS, web browser, or software. For an infrastructure perspective, it is easier to convert a website to support OTPs (simply change the function that runs the password validation; instead of having to install and configure a special module/component that would handle the mutual auth required by certificates). Also, many of the OTP vendors are working on making their products function more easily cross platform (while with smart cards, you are basically stuck with either the Microsoft's corporate/non-service provider friendly solution, or have to code your own). My $0.02, Adam Stasiniewicz -----Original Message----- From: Sean Donelan [mailto:sean@donelan.com] Sent: Friday, November 20, 2009 5:43 PM To: nanog@nanog.org Subject: Smartcard and non-password methods (was Re: Password repository) Are any network providers supporting smartcards or other non-password based authentication methods? Passwords always end up blaming the user for choosing/not remembering good passwords instead of blaming the technology for choosing/not doing things so the user isn't forced to work around its flaws. I know about the DOD Common Access Card. One-time code-generator tokens seem more widely used by single enterprises. But inter-operable credentials still seem to be one of those great unsolved problems for compter security. Are passwords still the only lowest-common-denominator?