One of the biggest problems with passwords is that secure ones seem hard to remember, need to be changed often, and should be phrases with numbers and symbols instead of just single words that can be found in a dictionary. Many organizations have a culture where the IT department has been instructed to allow users to keep insecure passwords. Rather than fight this battle, consider using two factor authentication: something the user has plus something they know. For example, www.phonefactor.net uses
an out-of-band signaling strategy for users when they log in. The user enters a username and password (something they know), and then your system calls their phone (something they have) to have them enter a pin. That way, for someone to impersonate a user, they would have to know the user’s username and password, and also have the user’s mobile phone. This is a very economical way to increase password strength – especially if your organization’s culture dictates using simple passwords.
Other options include having the users carry secure USB tokens that plug into their computer much the way a user would start their car with a car key. Examples include www.aladdin.com/etoken and www.everythingusb.com/guard_id_vault.html.
Additionally you could choose to use a RSA SecurID www.rsasecurity.com device, a biometric fingerprint reader, or SmartCard two factor authentication device.
Another interesting product is the iTag from www.encentuate.com that lets you stick a tag on whatever your users carry with them now. An id badge, their mobile phone, etc. This product provides single sign-on features many organizations crave. For example, single sign-on allows users to log into more than one operating system in just one step.