David Kearns' post on password management has generated some conversation. Mark Dixon posed the question: The big question is, "Replace username/password with what?"
One response from Jeff Bohren has me a bit unsettled. Jeff proposes certificates and possibly information cards but discards biometrics by saying:
"Biometrics is a hot area of research now. It seems every week some new breakthrough in earlobe recognition or some other phrenological magic is announced. But as of yet there are just too many problems with biometrics to displace passwords."
Any debate about displacing the username/password combination has to include biometrics. I think that because it is a relatively poorly understood technology it tends not to get airtime. Biometrics is not some creepy science thing used only by the FBI to catch criminals. A biometric, any type, is just a mathematical representation of a physical characteristic. That mathematical representation is nothing more than a very, very long and strong password that you do not have to remember. You ARE the password. And it has the side benefit of being linked to its owner, so it isn't easily stolen.
In this case the only thing standing in the way of using a biometric password in place of a traditional password is cost: the cost of the "input device" and the cost of the technology that matches the "password" computed from the input device against the "password" stored elsewhere. A keyboard is the input device for a traditional password and is standard issue with any computer. A biometric reader is the input device for a biometric password and is not yet standard issue on everything (some laptops, yes). How are you going to carry your certificate around or store your info card? A smart card? Your smart phone? A USB key fob? Those are costly input devices too, and you have no guarantee that the right person is the one using them.
There can be issues with matching (failing to authenticate when you should have), but as I have blogged about before, those issues can be managed. Besides, how many times do you mistype your strong password and have to enter it again? Probably far more often than your biometric fails to authenticate you when it should.
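To make the matching point concrete, here is an added illustration (my own code, not from the post or any product) that contrasts the exact-equality check a password gets with the tolerance-based comparison a biometric needs, and shows how the tolerance setting trades false rejects against impostor acceptance. The 256-bit template, the 5% per-capture noise rate and the thresholds are constructed assumptions, not figures from the post.

```python
import random

TEMPLATE_BITS = 256  # constructed: a toy fixed-length template, iris-code style


def enroll(seed=0):
    """Constructed enrolment: a random bit vector stands in for the template
    a reader would compute from the physical characteristic."""
    rng = random.Random(seed)
    return [rng.randint(0, 1) for _ in range(TEMPLATE_BITS)]


def capture(enrolled, noise_rate, rng):
    """Simulate a fresh capture of the same person: each bit of the enrolled
    template flips with probability noise_rate (sensor noise, pose, dirt)."""
    return [b ^ (1 if rng.random() < noise_rate else 0) for b in enrolled]


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def password_check(stored, presented):
    """Passwords are compared for exact equality (via a hash in practice)."""
    return stored == presented


def biometric_check(enrolled, presented, threshold):
    """A biometric is accepted when it is close enough, never only when exact."""
    return hamming(enrolled, presented) <= threshold


def exact_match_rate(enrolled, noise_rate, trials, seed=1):
    """How often a noisy recapture equals the template bit for bit."""
    rng = random.Random(seed)
    hits = sum(password_check(enrolled, capture(enrolled, noise_rate, rng))
               for _ in range(trials))
    return hits / trials


def false_reject_rate(enrolled, noise_rate, threshold, trials, seed=1):
    """Share of genuine recaptures rejected at the given tolerance."""
    rng = random.Random(seed)
    rejected = sum(not biometric_check(enrolled, capture(enrolled, noise_rate, rng),
                                       threshold) for _ in range(trials))
    return rejected / trials


def impostor_accept_rate(enrolled, threshold, trials, seed=2):
    """Share of unrelated random templates accepted at the given tolerance."""
    rng = random.Random(seed)
    accepted = sum(biometric_check(enrolled, [rng.randint(0, 1) for _ in enrolled],
                                   threshold) for _ in range(trials))
    return accepted / trials
```

Run with a 5% noise rate: exact equality almost never succeeds, a tight threshold (15 bits) rejects a noticeable share of genuine captures, and a looser one (40 bits) clears genuine captures while random impostor templates, which sit around 128 bits away, are still rejected.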
1 comment:
Nice post. I love the simplicity - "A biometric, any type, is just a mathematical representation of a physical characteristic".
I also wonder how we could better apply risk analysis such as hardware characteristics, IP address, etc. in conjunction with knowledge info or bio info to improve the solution set.