The security future is here, but will CPAs embrace it?

While flying cars, human transporters and robots that clean your house remain a long way off, palm-scans to get into buildings, fingertip readings to log on to a computer, and voice-recognition applications as a form of identification are already here.

Authentication technologies - those that verify that individuals are who they say they are - are starting to advance to near science-fiction levels, turning remote workplaces from Dragnet into Minority Report.

Well, almost.

Widespread adoption of authentication technologies is still far in the future within the accounting profession.

From keychain devices that continually generate new passwords, to fingerprint scanners on laptops, people are leaning toward opportunities to secure their data even further. But the limitations surrounding the technologies are keeping even some of the most tech-savvy accountants from running out to buy the devices and programs.

Susan Bradley is an example of a tech-savvy CPA: a CITP, a Microsoft Small Business Server MVP and holder of the GIAC Security Essentials Certification security credential. Yet even Bradley, a partner at the Fresno, Calif.-based firm of Tamiyasu, Smith, Horn & Braun, does not use two-factor authentication - two methods of identity verification. As an example of the two-step process, a cash machine would require both an ATM card and a PIN number.

"We're just using passwords, not with two-factor authentication, mainly because the tools and applications are not supporting it yet for small businesses," said Bradley. "Don't get me wrong - we're asking about it. We're looking at tokens over biometrics right now."

Tokens, or fobs, are relatively new devices that can hook onto a keychain and have a small screen that generates a new password every minute of every day. The major distributor of this technology, RSA Security Inc., has started implementing fob systems at Stonebridge Bank, a community bank near Philadelphia; at Allentown, Pa.-based American Bank; and at online securities concern E-Trade Financial.

"People didn't have card readers on their remote computers, so we created these fobs," said John Masotta, senior product marketing manager for RSA. "Users don't need software on their desktops, they just need a fob and where they are going to have access to their network. It's easy for the company to put it on the network server. You just have to put it on the back-up system, in front of what you are trying to protect."

Major banks, such as Citibank, JPMorgan and Washington Mutual, have no plans to implement any fobs or added authentication technologies just yet. Bank of America has implemented SiteKey authentication, a system that shows users pictures that they have picked to be displayed every time they enter the Web site. This is, however, an authentication process for the bank, not the user. If the pictures are not at the site, presumably the user is not at an official Bank of America site, but has instead entered into a hacker's ploy to gain access to the user's bank account.

Some major drawbacks still surround authenticating tokens, however. They are easy to lose or forget at home, and at $20 to $30 per token, the cost is high for small and midsized firms.

One way that RSA is looking to dash the drawbacks is to partner with cell phone providers, PC makers and others in the tech hardware industry to embed their fob software.

Another way to sidestep remembering multiple passwords is to purchase a USB flash stick.

Ken Quirk, CITP, CPA, partner and co-owner of CPA firm Quirk & Associates, in Lake Charles, La., keeps all his passwords locked up on his USB flash stick so he doesn't have to remember all of them on his own and doesn't have to write them down.

"The thing about passwords is that there are so many, you can't remember them all," said Quirk. "I have to keep them on my thumbnail drive and then I secure that with a password."

One thing about passwords, claims Richard Oppenheim, CPA, CITP and owner of the Oppenheim Business Group, a business and technology consulting group in the Denver area, is that people do not use them enough, and when they do, they use birthdays or street names - things that are very easy to guess.

But do longer passwords really mean more security? Peter Tippett, chief technology officer at Herndon, Va.-based CyberTrust, a company that tests and implements authentication technologies, said that having these extraordinarily long passwords that are impossible to guess and hard to remember is usually unnecessary.

"There's a fallacy in having longer passwords," said Tippett. "If you have more than five characters to your password, you have 10 million choices - they are not going to guess it with just a keyboard. A hacker has to get your password from a computer program, while you are on your computer. If they hacked you to get the password, then they already got you."

Some would like to get rid of passwords altogether. And for those people, biometric authentication technologies are appealing. Biometrics use physical characteristics such as voice, fingerprints, eyes or palm veins to determine who the user is and whether to grant or deny access.

Hewlett-Packard and Lenovo - the company that acquired IBM's notebook division in 2004 - each have notebooks available with fingerprint recognition scanners that take the place of Windows user names and passwords. This year, HP extended its offerings in biometrics recognition by putting a fingerprint scanner on its iPaq Pocket PC h5500 Series personal digital assistants.

But even the developers will admit that the technology is still not perfect.

"It's not an exact science - it's actually a variable with some user control over it. Users are able to make a tradeoff," said Matthew Wagner, senior manager of security and wireless marketing at HP. "There's always a probability that it is incorrect, where the user is not able to gain access or a false user gains access."

Wagner added that a user can decrease the chances of a false ID, or of being unable to access one's own files, by increasing the number of scans needed to enter the operating system. Once in the operating system, a user can use HP's fingerprint scanner anywhere that asks for a user name and password, by setting fingerprint recognition as a substitute for all of their user names and passwords.

"Fingerprints have a lot of promise," said Clain Anderson, director of wireless and security solutions at Lenovo. "Most people don't like retinal scans because they are too invasive - they actually go into your eye. Iris scanning can be done with a simple camera. That could be a real possibility, but the fingerprint scanner is no added weight or size difference."

CyberTrust's Tippett explained that most CPAs in small and midsized firms are not going to need much beyond the encryption that a Microsoft XP Pro operating system offers, and a user name and password.

However, CPAs like Quirk are still very concerned with creating further security at their offices and in their networks.

"I went to my Event Viewer on my Microsoft Server 2003, and saw some people had been scanning me, some people from Ireland, I think," said Quirk. "They tried, several attempts, to get into a restricted area from our Web site. I looked up their ISP addresses and reported them."
