The beauty of biometrics is that you dont have to remember anything at all, much less a complex password. Instead, a biometric security system taps into the unique properties of your own physical packaging to authenticate your identity.
Biometric systems can scan fingerprints, irises, faces, and even voices to establish whether a person should have access to a service or piece of hardware. Theyre not yet deployed for the major cloud services, but Terry Hartman of Unisys says major banks are piloting biometric identification systems now, and expects them to begin rolling out next year. Apples recent $360 million acquisition of AuthenTec, maker of fingerprint-scanning technology, suggests that some form of biometric identification may be built into future Apple products.
Biometrics arent perfect, however. Researchers have gamed fingerprint scanners by using gelatin fingers, and they've fooled facial recognition systems by using photographs. At last July's BlackHat conference, security researchers demonstrated a way to trick iris scanners by reverse-engineering the image data.
And of course, hackers can target biometric data stored in a central database, and steal identities by substituting their own biometric data in place of their victims'. As with passwords and other personally identifiable information, the level of protection provided by biometric security would depend entirely on the competence of whoever stored the data (we all know how well that worked at LinkedIn).
Requiring biometrics at login could also make anonymity difficult (if not impossible) for political dissidents, whistleblowers, and people who inhabit multiple identities for personal or professional reasons. Fears over Minority Report-style government surveillance may also give many consumers pause.
Despite all this, Joseph Pritikin, director of product marketing at AOptix Technologies, a maker of iris scanners deployed at airports and border crossings, predicts that smartphones employing biometrics will be one of the key identification devices of the future, in part because the data can be stored securely on the device itself.
It will be a combination of something I am and something I have, most likely a smartphone, Pritikin says. Their hardware-based encryption would be difficult to compromise.
One ID to rule them all
Ultimately, the ideal solution for password fatigue is to unify all of our disparate logins and online identities. Enter the Obama Administration, which in April 2011 launched a public-private initiative, the National Strategy for Trusted Identities in Cyberspace, to develop an identity ecosystem that would allow consumers to use any verification system and have it work seamlessly across any site.
Such a system would be able to verify that youre old enough to buy wine online or that you qualify for a student discount, without necessarily sharing all of your personal information with each site, says Jim Fenton, chief security specialist for OneID, an Internet identity management system. The system would also allow you to operate under a pseudonym, if thats how you wanted to roll.
But the wheels of government churn slowly. Last month, the NTSICs steering committee held its first meeting. Among the issues it will eventually have to tackle are how much information should be shared between parties, and how much control consumers should have over that information, says Fenton, a member of the steering committees privacy group.
In other words: Help is on the way, but it wont get here soon. In the meantime, were stuck with passwords. Create some good ones, and make sure theyre under lock and key.