Passwords Suck.
We need some accurate way of proving identity without using passwords for everything. Passwords are a lousy way to prove identity and a lousy way to access computer information and Web sites. For publications -- The Wall Street Journal, for example -- selling a subscription service, a password does little more than limit people from entering the site. It can easily be shared by dozens of users or stolen and used by half the country. And people trying to protect personal information with passwords know the ease with which a password can be stolen or discovered. Worse, most people tend to use a limited number of passwords over and over, thus compromising all duplicates if one is discovered.
Discovering a password is fairly easy, given that the most popular password is "password," followed closely by other obvious choices such as names or birthdays. The answer to all this is the complete replacement of the password system with biometrics. This would happen overnight if Microsoft would get on the stick and incorporate support for biometric devices in its operating systems. Perhaps it's time for a BAPI -- biometric application program interface. The company has done this kind of interface for everything else. This should be followed by Microsoft selling a fingerprint reader and incorporating one into mice. Logitech would follow suit and we'd be well on the way to the fingerprint-reading mouse becoming a standard input device. We've seen such devices at the last two Comdex shows, but nothing from the big boys.
Random Computing.
Currently the problem with almost all the biometric devices is their lack of portability. It's not that you can't move them, but you have to move and install any individual device on every remote computer you use. There is no universal device. The current trend in computing is toward what I like to call random computing, meaning the use of whatever random computer is convenient to do your work. For example, I use Visto to keep my calendar and address book online. Visto works by sucking the data off my Palm Desktop (the program works with Outlook, too) and transferring the data onto the Web. So if I happen to forget my Palm or Handspring PDA, I can just log onto the Web and pull down what I need using any computer with Web access. This kind of computer usage cannot rely on a biometric device for my Visto password simply because none of the random computers will have the same device attached. In fact you never see a biometric device attached to anything except perhaps at the Pentagon. Microsoft can change all this.
Of course, the longer Microsoft waits to incorporate a biometric system into the OS, the longer complete market penetration will take. And the turnover in new computers seems to be slowing, which would make for a longer process -- perhaps as long as five years. Microsoft should note that this is going to happen one way or another, and the sooner the better.
During the DOS age, a new OS would be released when new devices that needed support appeared on the market. Since the advent of Windows, new devices are mostly incorporated on a piecemeal basis by the various vendors who provide .INF and other needed files to make the product work. This makes the OS more versatile, but also out of control. Every so often Microsoft promotes a technology, as the company has done with some Internet telephony standards. In the case of biometrics, the time has come for Microsoft to step forward.
Big Brother Is Watching.
Having said all this I should mention what I consider the downside of biometrics. First of all, sharing of passwords is not necessarily a bad thing. There are plenty of situations where a password is passed around -- so a lot of people can look at a specific site, for example. Also, there are instances where you want to log on anonymously and biometrics simply does not allow for anonymity.
The anonymity conundrum will have to be addressed in the future, somehow, if the problem can be addressed at all. Biometrics experts talk about a "universal biometric infrastructure" with convincing arguments to promote the concept. This involves various biometric devices, including whole-body scanners, that can identify you in, say, a grocery store which would then simply send you a bill for whatever you buy without your ever having to show your purchases to a checker. Identity theft would be a thing of the past with any sort of biometric infrastructure in place. But how many of us want to be followed around by a sensor grid everywhere we go? "Why is John spending so much time looking in the window of that store?" Although much of our daily activity can be surmised and largely recreated using credit card and phone data already, does anyone want to be tracked any more closely?
I'm always reminded, when I get into such a topic, of something a high school teacher ranted about when I was younger. She said that the Blacks of South Africa had no freedom and had to have identity cards just to move around the country. I always think of her when asked to produce a driver's license or credit card by a shop assistant, or when I'm asked my social security number by someone who has no business asking, but will not approve something unless I give the information. Biometrics takes the shop assistant out of the picture and perhaps makes things easier, but at what cost to liberty? There is no doubt that a biometric infrastructure lies in wait, so I'm sure we'll discover the answer sooner than later. And sooner would be better than later while we have some backbone left.







