• Posted by
    ben_stoneham
    on
    Thu 6 Aug 2009 15:49:03

    Hardly a day seems to go by at the moment without a new story about online systems security, with password-based vulnerabilities featuring heavily in the mix.

    Online recruitment software providers seem to be particularly vulnerable, with news in the past few days that Elance, the big IT job board in the US, has suffered a major breach resulting in the details of thousands of users being compromised: http://www.channelregister.co.uk/2009/07/20/elance_contacts_hack/ This follows several other notable hacks in recent times, including Monster and Jobsite.

    Elance have issued a statement that 'Password security and complexity requirements have been improved'.. which rather raises the question of why complex passwords weren't mandatory in the first place?

    The answer of course (as is so often the case with data security) is convenience... the average online user today has to remember dozens of passwords (I totted up myself how many I use on a regular basis just this week and it was in excess of 20.. I don't think that's exceptional).. which most of us would struggle with if every provider insisted on strong, complex passwords that varied from site to site... From an online recruitment system provider's perspective (job boards in particular), they understandably see anything that adds complexity as a barrier to use, and in a competitive market, barriers are the last thing they need..

    Ultimately though, this is the weakness of username/password based approaches... you can implement them well.. but the trade-off is hassle and complexity for the users.. who then find other ways to 'manage' the complexity (usually involving post-it notes and monitors in my experience!).

    Right from the outset with evolve, we understood this fundamental problem and designed our systems from the ground up to use a 2-factor system (something you have - a hardware USB key with a unique digital ID, and something only you know - a password you set).. the beauty of this approach is that because the key is essentially un-copyable and is protected by a system that locks it out after 3 consecutive wrong password attempts, you can afford to have an easy-to-remember password, which in turn gives you full access to all of the online services you are subscribed to (evolve, OutlookSync, Ensure, Data Exports, Flow etc) in one go.

    With evolve V5, we've also included the option of Session Single Sign-on, which basically means that in a given day you sign on just once for all services, rather than once for each..

    And because the system operates at the protocol layer rather than the application layer (it makes use of an extension to the SSL protocol to verify your identity using digital certificates), it's inherently much more secure than even the very best username/password system is ever likely to be!
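The protocol-level check described above is what TLS calls client-certificate (mutual) authentication: the server refuses to complete the handshake unless the client proves possession of a private key whose certificate chains to the service's own CA. The following is an added example, not evolve's code; it issues a throwaway CA, server and user certificate in memory and runs the handshake over an in-memory pipe, so it runs offline. The names (demo-ca, service.example, alice-token) are constructed, and the password/lockout factor that guards the USB key is outside TLS and not modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// newCert issues a short-lived certificate for name: self-signed when parent is nil, otherwise signed by parent (the CA that enrols each USB key).
func newCert(name string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// mutualTLSAccepted runs one handshake over an in-memory pipe and reports whether the server let the client in; an empty client slice models a user without the token.
func mutualTLSAccepted(ca, server tls.Certificate, client []tls.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: pool, SessionTicketsDisabled: true,
		ClientAuth: tls.RequireAndVerifyClientCert} // the "something you have" check, enforced by the protocol itself
	cliCfg := &tls.Config{RootCAs: pool, ServerName: server.Leaf.Subject.CommonName, Certificates: client}
	c, s := net.Pipe()
	deadline := time.Now().Add(2 * time.Second) // a rejected handshake must never hang the pipe
	c.SetDeadline(deadline)
	s.SetDeadline(deadline)
	errc := make(chan error, 1)
	go func() { errc <- tls.Server(s, srvCfg).Handshake(); s.Close() }()
	cerr := tls.Client(c, cliCfg).Handshake()
	c.Close()
	return cerr == nil && <-errc == nil
}
```

A user with no certificate, or with a certificate the service's CA never issued (a self-signed copy of the same name, say), is turned away before any application code runs.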

    Having said all of this, of course, I wouldn't want to suggest that we are relaxed about security because of it.. Securing online systems effectively requires a multi-layered approach, and there are many other protections in place to make sure we have every vector covered..

    At the same time, certainly as far as our users are concerned, the 2-factor sign-on system we have is both convenient and secure... job boards take note (we have very reasonable consulting rates ;-) )
