Despite the authentication effort's shortcomings, none of yesterday's speakers suggested abandoning it, because it is seen as an essential building block for other solutions.
But the forum demonstrated in stark terms the depth and complexity of the problem.
Any e-mail authentication system, for example, would check that the block of Internet addresses assigned to an e-mail provider includes the specific numeric address of a sender of a piece of e-mail.
Thus, a red flag would go up if a message seeming to come from email@example.com is actually not coming from a computer that uses the xyz-123.net mail service.
But Scott Chasin, chief technology officer of e-mail security firm MX Logic Inc., said the underlying Internet system that houses the necessary data is insecure and can be tricked by hackers. Chasin said the problem has been known for 10 years, but industry and Internet standard-setters have been unable or unwilling to fix the problem by encrypting the data.
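The address-block check described above, as an added example that is not part of the original article. It assumes the provider publishes its blocks as an SPF-style text record (the article names no specific scheme); the lookup table, addresses and record contents are constructed stand-ins for a real lookup. The last call shows why the underlying data matters: the verdict is only as trustworthy as the record the lookup returns.

```python
import ipaddress

# Constructed sample data: an in-memory stand-in for the Internet lookup.
# 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32 are documentation-only ranges.
PUBLISHED = {"xyz-123.net": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:25::/48 -all"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(txt):
    """Return [(result, network_or_None)] for the ip4/ip6/all terms of a record."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF-style record")
    rules = []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        body = term[1:] if term[0] in QUALIFIERS else term
        name, _, value = body.partition(":")
        if name.lower() == "all":
            rules.append((QUALIFIERS[qualifier], None))
        elif name.lower() in ("ip4", "ip6"):
            rules.append((QUALIFIERS[qualifier], ipaddress.ip_network(value, strict=False)))
        else:
            # Terms that need further lookups are outside this example's scope.
            raise ValueError(f"unsupported term: {term}")
    return rules


def check_sender(domain, sender_ip, records=PUBLISHED):
    """Compare the connecting address with the blocks the claimed domain publishes."""
    txt = records.get(domain)
    if txt is None:
        return "none"        # domain publishes nothing: no verdict either way
    try:
        rules = parse_record(txt)
        addr = ipaddress.ip_address(sender_ip)
    except ValueError:
        return "permerror"   # malformed record or address: never treat as a pass
    for result, net in rules:
        if net is None or (addr.version == net.version and addr in net):
            return result    # first matching term decides
    return "neutral"         # nothing matched and no "all" term present


if __name__ == "__main__":
    print(check_sender("xyz-123.net", "192.0.2.10"))     # inside the published block
    print(check_sender("xyz-123.net", "198.51.100.7"))   # outside it: the red flag
    # Same outside address, but the lookup answer has been tampered with (constructed).
    tampered = {"xyz-123.net": "v=spf1 ip4:198.51.100.0/24 -all"}
    print(check_sender("xyz-123.net", "198.51.100.7", tampered))
```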
Getting agreement on an authentication system has been similarly difficult and is partly why the FTC held the summit.
The major e-mail providers, America Online Inc., Microsoft Corp., Yahoo Inc. and EarthLink Inc., are still testing and pushing various plans. The Internet group assigned to endorse a standard disbanded recently, unable to resolve discord and uncertainty over whether licensing rights asserted by Microsoft would cut out a broad swath of organizations that use so-called open-source software.
Chasin and other panelists also said the basic operating systems that power computers -- the most dominant of which is Microsoft Windows -- remain too vulnerable to hackers.
He said a worm was recently discovered that lodges itself in Windows files and goes to work when a computer user tries to access the Web site of his or her bank. The malicious code automatically redirects the Web browser to a fake page that looks like the real thing.
In this scenario, the user has not been duped by a fake phishing e-mail. Instead, the vulnerability in the operating system has allowed the code to redirect the user's browser to a phony page where a hacker can capture the user's name and password.
Still, panelists insisted authentication is a vital first step. After that, they said, could come a system that evaluates the "reputation" of senders, perhaps using a process that marks good e-mail with an electronic seal of approval.