This is why we need secure web fingerprint ID
SecurityThroughObscurity Updated - 4th May 2009
This kind of story drives me nuts!

When are we going to realize that any authentication scheme (or for that matter, the way we obtain credit) based on "what you know" vs. "what you have" (better) or "who you are" (best), will increasingly be subject to fraud and imposter access?

Meanwhile, every major manufacturer of laptops already adds a fingerprint scanner to some or all of their product lines at a cost of just $3 per laptop. HP plans to ship 8 million consumer laptops next year with a fingerprint scanner, for example, and will join IBM and Lenovo in featuring it in all their business laptops.

These soon-to-be ubiquitous scanners, combined with BIO-key's WEB-key strong authentication platform, will let anyone securely authenticate or identify themselves over the internet to any site using a simple swipe of their finger over that scanner. It's actually easier than using the username and password approach. If someone has a mix of different scanners on their laptops, or they replace a laptop, the BIO-key software works on them all interchangeably - you're never stuck.

Before someone chimes in with the oft-raised concern that "if someone steals my fingerprint, they can use it to gain access to these systems or steal my identity," I'll point out that a biometric authentication scheme is based on the fundamental assumption that the thing being measured (you) is public - the biometric principle just doesn't work if you've got to keep the person or the artifacts of their biometric measurements (e.g. fingerprints, face images, eye images) private. Looking deeper, the flawed thinking behind this fear is that the fingerprint is not the credential - the finger is. Having a fingerprint is useless data if the system is geared to only accept live fingers attached to live people. WEB-key and any banking-tested systems like it are architected to ensure that a real finger is on a real scanner right now; they make it impossible for someone possessing even a perfect fingerprint image to inject it into the authentication pipeline at any point.

McKesson, Allscripts, Union Pacific, Beth Israel Deaconess, and AT&T use WEB-key for their biometric platform for its security in particular because it assumes that the browser has been hacked, the USB connection has been compromised, the internet connection is being intercepted and sniffed - even the app server is compromised - yet there is still no way for the malicious entity controlling those components to mimic a real person.

Right now, the banks and other online providers are weighing how to use biometrics to let you protect access to all your accounts, using low-cost scanners that are available in any new laptop. It's up to the public to insist that they are tired of the burden of online account protection being placed on them, through convoluted mechanisms to prove who they are.

Likewise, we have to call to account the credit bureaus' CreditWatch programs. They are making so much money selling you a glorified burglar alarm monitoring service to watch your credit account for activity (akin to saying "Your horses have left the barn - go after them!") vs. making it impossible for someone besides you to avail themselves of your reputation and credit record. Allowing anyone to voluntarily bind two web-verifiable fingerprints to their credit record would do that, with a minimum of overhead for any credit grantor - they would only need a web connection and a fingerprint scanner - including the ones in their laptops.

Unisys surveyed 12,000 consumers in October 2008, and reported that 72% prefer using fingerprint ID to prove identity to banks and government agencies - second in acceptance to passwords and PINs, at 73%. That acceptance rockets to 80% for people who make over $50K per year.

Makes too much sense to ever be adopted, I guess.