CA Community







Livin’ in a Mobile Software World

Published: June 16 2011, 03:03 PM
by Merritt Maxim

So how does this play on the title of a great 1989 Neil Young song have relevance to computer software and IT security?

The continuing news about the attack against RSA Security is still generating interest and articles. The continuing discourse on what may or may not have happened and how to mitigate that threat vector is all good, since it is raising awareness to help prevent future attacks. But this discourse is also missing something.

Even if RSA had not been attacked, the reality in 2011 is that a single-function proprietary hardware authentication token is an anachronism in today's modern distributed mobile IT environment.

The two-factor authentication market emerged in the days of remote dial-up access - kind of hard to believe that is how we accessed networks, but in the 1990s dial-up was the norm, not the exception. In the dial-up model, hardware tokens were an excellent choice - low bandwidth and low latency. This was before smart phones and iPods, so users did not mind carrying a separate hardware token.

Fast forward to today's mobile, distributed world and hardware tokens are just not practical - who wants to carry a token around with them alongside their smart phone, iPad and laptop?

This brings me back to my blog title.  If you look at how the IT industry has evolved over the decades, proprietary closed hardware-centric architectures generally lose out over time to open software-centric architectures.  This explains the rise of companies like Microsoft and Google and the demise of others like Digital Equipment.

Irrespective of the recent RSA attack, organizations should start assessing whether single-function hardware tokens still make sense, not just from a security standpoint but in terms of what is more convenient for end-users. An open software-based authentication solution that can run on existing mobile platforms is a compelling alternative to hardware tokens. And while hardware tokens used to tout their "zero footprint" deployment model, deploying software in distributed environments is something that has improved dramatically in the last decade.

If software-based authentication solutions offer comparable security and are easier to use, why not go the software route vs. staying with the dial-up days of hardware tokens?

 

By: Merritt Maxim
Merritt Maxim has 15 years of product management and product marketing experience in the information security industry, including stints at RSA Security, Netegrity and CA Technologies. In his current role at CA Technologies, Merritt handles product marketing for CA's identity management and cloud...
