Why may Bob be wrong

Bob Blakeley, one of my favorite bloggers, recently blogged about the evil nature of passwords:

Static passwords are an unacceptable hazard, good alternatives exist, we should get rid of static passwords in favor of those alternatives, and we should do it fast.

He also issued a call for action:

I believe that this community should commit itself to achieving the goal, before this decade is out, of providing every computer user with a strong authentication device and the infrastructure required for its universal acceptance.

While I can understand Bob's motives, I'm afraid that he is too optimistic and maybe even partially wrong. I think we just can't get rid of passwords. Not in the near future. The reason is quite simple, but the explanation is quite long. Here it goes:
(impatient readers may skip directly to the point)

It is common knowledge that we have three types of authentication: something you know (passwords), something you have (tokens) and something you are (biometrics).

Another (but not-so-common) piece of knowledge is that just one type of authentication is not enough. Why?

Using only one type of authentication is a risk. It does not matter much which one you choose. The first one (passwords) is the most frequently used in the digital world and hence the attacks against it are the most advanced. But who can tell that the other two are more secure? We have not tried them on the same scale yet.

So-called "two-factor" authentication can address the vulnerability of a single authentication mechanism. You just have to use two types of authentication, so that breaking only one of them is not enough. For example, combine tokens and PINs, or biometrics and passwords. Now, there are three possible combinations of two factors, and only one of them does not involve passwords: tokens + biometrics. And how would we implement that? Putting a fingerprint reader in your notebook does not help much. As Bob correctly said: the workstation is not secure. And even if it were, fingerprint authentication is not. And I can't really imagine a portable token with a DNA analyzer being affordable anytime soon. And I don't even dare to think about consumer acceptance.

Well, what do we have left? Tokens + passwords and biometrics + passwords. I will not ponder the feasibility of these in detail. All we need to know is that they both involve passwords. Whether they take the form of a PIN, a passphrase or a whistled Morse code signal, they are still passwords.

(There is another issue with using tokens for authentication, and that is the number of tokens needed in day-to-day business. Just recall how many keys are on your keyring. Why do you think you will not end up with that many tokens? But more about this later. Maybe.)

One way or another, we cannot get rid of passwords anytime soon. But the one thing we can change is the way we use and manage them. First of all, we need to get rid of one-factor, password-only authentication for all important transactions. We should use two-factor authentication instead. And make sure that we enter our passwords into secure devices, not into our workstations. We should have the secure device do the "strong" authentication, not our notebooks.
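To make the "tokens + passwords" combination concrete, here is an added example (not from this post or from Bob's) of what the verifier side checks: an RFC 4226 HOTP code from a hardware token plus a PIN, which is stored hashed exactly like any other password. The token seed is the RFC 4226 test-vector secret, the PIN, salt and acceptance window are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed enrolment record for one user. The token seed is the RFC 4226
# test-vector secret; the PIN "4711" and the salt are made up for this example.
TOKEN_SEED = b"12345678901234567890"
PIN_SALT = b"constructed-salt"
PIN_HASH = hashlib.pbkdf2_hmac("sha256", b"4711", PIN_SALT, 100_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduction to the wanted digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_pin(pin: str) -> bool:
    """The PIN is still a password: salted, stretched, compared in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), PIN_SALT, 100_000)
    return hmac.compare_digest(candidate, PIN_HASH)


def verify_two_factor(pin: str, otp: str, counter: int, window: int = 3):
    """Both factors must pass. Returns (accepted, next_counter).

    The counter only moves forward when a code within the look-ahead window
    matches, so a previously used code is rejected as a replay. The PIN is
    always checked, not short-circuited, to avoid leaking which factor failed."""
    pin_ok = verify_pin(pin)
    matched = next((c for c in range(counter, counter + window)
                    if hmac.compare_digest(hotp(TOKEN_SEED, c), otp)), None)
    if pin_ok and matched is not None:
        return True, matched + 1
    return False, counter


if __name__ == "__main__":
    print(verify_two_factor("4711", hotp(TOKEN_SEED, 0), 0))  # (True, 1)
```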

We have to set realistic goals. We cannot get rid of passwords, but we can change the way we use them. This should be the goal of the decade.