France wants to do away with passwords

There have been so many news stories recently regarding passwords being compromised that the French government has come up with a plan to completely scrap them. How do they plan to accomplish this? Their answer is digital certificates.

Instead of passwords, people will use a digital certificate. The certificate will be stored on a USB key, SIM card or smart card. It will also have functionality to automatically fill in web forms with information such as your address, name, etc. A bunch of websites have been signed up for the trial, including organizations such as the French Banking Federation and La Poste.

The moment a USB key or some such device is mentioned, the question that comes to mind is “What if the device is lost/stolen?” They have an answer to that too. The device will use a password. Did I just say password? Isn’t the whole idea supposed to do away with passwords? Well, think of this as the automatic login feature in Firefox or the KeePass program. You have a master password that will unlock the device, and then the device will supply the form information or login credentials (certificate).

Now, I do not have too many details, but what if the master password is easily guessed? Well, you will have a whole bunch of websites that the hacker can get into using that certificate/device. Remember that the list of sites that accept this authentication method will surely be published. Every website that accepts this will want to advertise the fact.

Maybe it will make the internet a more secure place or maybe it will make the hacker’s job easier!