It's important that any alternative simplifies authentication. Companies and agencies don't expect their employees to configure firewalls or actively manage encryption on their laptops; security controls have become increasingly automated over the last few years. But amid these improvements, there's one item that continues to get pushed down to customers and end-users: the burden of creating and managing dozens of different passwords to access all of their accounts.
Study after study has shown that this is not a particularly enjoyable activity for most Americans, nor is it one that they are particularly good at. Passwords such as "123456" and "Password1" are commonly reused across sites; one study showed that most Americans would rather perform unpleasant household chores than deal with the burden of creating and then remembering a complex password. And even when so-called "strong" passwords are required, they remain vulnerable to phishing attacks, keyloggers and other compromises.
The good news is that industry is in the midst of a wave of innovation, with dozens of entrepreneurs coming up with new approaches to deliver strong authentication. This innovation is being spurred by the near-ubiquity of mobile devices that contain biometric sensors and embedded security hardware, creating new ways to deliver strong authentication – in many ways, with models that are both more secure and easier for the end-user, relative to "first generation" authentication technologies.
The existence of new technology can't solve the problem alone, however. Technology needs to be supported by standards that can ensure interoperability of solutions and lower the cost of deployment. And when technology such as biometrics is used, it needs to be architected to protect privacy and security, rather than put it at risk.
The government can't create the solution, but it has an important role to play in incentivizing and catalyzing its adoption. Government can leverage its role in setting guidance for – and sometimes regulating – critical infrastructure by placing a greater emphasis on the use of strong authentication, as well as ensuring that its use is ubiquitous across government. Part of that focus should be on upgrading citizen-facing websites and applications that make personal data available, ensuring that they support strong authentication. I'm also encouraged by the new "Lock Down Your Login" campaign that the White House launched this month in partnership with the National Cyber Security Alliance, focused on educating all Americans about the need to use strong authentication and providing them with toolkits on how to upgrade their most vulnerable accounts.
Passwords are a problem—but by making their replacement a national priority, the government can help rally both industry and agencies to adopt stronger solutions that make password-driven breaches a thing of the past.
Commentary by Michael Chertoff, who served as secretary of homeland security from 2005 to 2009. He is currently co-founder and executive director of The Chertoff Group, a security- and risk-management advisory firm. Follow the company on Twitter @ChertoffGroup.