Bill Gates is right about one thing: asking people to use a two-factor form of authentication would go a long way toward alleviating a lot of the password problems that plague computer security today.
Schedel's most famous work was published in 1493: Liber Chronicarum, or as it is more famously known, the Nuremberg Chronicle, an illustrated history and geography of the world from Creation to Schedel's present day. The Chronicle was an amazing achievement. Not only was it one of the first map collections created using the then still-new invention of the printing press, but it also contained many maps of countries, and even cities, that hitherto had never been drawn.
Schedel was a devout Christian of his time, and he believed that history could be divided into seven Ages:
- Creation to Noah
- Noah to Abraham
- Abraham to David
- David to the Babylonian Captivity
- Babylonian Captivity to the birth of Jesus
- Birth of Jesus to the Last Days
- The Age of the Antichrist
Actually, something kind of important happened after the Chronicle was published, and, unfortunately for Schedel, the couple of blank pages he left at the end weren't enough to cover it: Columbus' discovery of the New World was announced shortly after the publication of Schedel's work. Oops.
To my knowledge, Schedel, who died in 1514, never admitted his mistake.
I wish to admit an error of my own, too: I am hereby admitting that Bill Gates is right.
Just a few days ago, the Microsoft maestro had this to say about the passwords that we have to deal with all of the time:
"A major problem for identity systems is the weakness of passwords. Unfortunately, with the type of critical information (protected by) these systems, we aren't going to be able to rely on passwords. Moving to biometric and smart cards is a wave that is coming, and we see our leading customers doing this."
Now, I often don't agree with Gates - in fact, I quite rarely agree with him, or with Microsoft - but I must grudgingly give him credit for the above statement. He's right.
Anyone reading this knows that passwords are a real hassle, for a wide variety of reasons.
Sheer numbers of passwords
We all have to remember far too many passwords. Web sites, email, web sites, computer log-ons, web sites, root or Administrator access, web sites, and did I mention web sites? We either try to remember all these different passwords, which is impossible, or we write them down, or store them in a Palm or a password safe-deposit-box-type program, or we just re-use the same passwords over and over, thus opening ourselves up to catastrophic loss if one password is compromised.
Users suck at password management
Anyone who's ever pulled time doing sysadmin tasks knows that to be true. Users try to slide by with passwords that a ten-year-old could crack, or they write them on sticky notes, or (it's my favorite and I know it's yours) they forget them constantly so you have to re-enter them. Every week. And I'm not even going to talk about the users who are willing to give up their passwords for chocolate bars.
Passwords don't uniquely identify me
Anyone who knows my username and password can access resources intended for me, even if they're not really me. A password, after all, is just a string of characters. How does that uniquely identify the real me?
My online banking records are protected by that same string of characters, and that's it. If you can finagle from me, or guess, or steal, those characters, then you're in like Flynn, baby. My finances are yours. Or my personal data on my computers. Or my email. And on and on. That's not much real protection, is it?
Asking people to use a two-factor form of authentication would go a long way toward alleviating a lot of the problems I outlined above. Instead of asking folks to remember strings of characters, a card and a thumbprint would vastly simplify things while providing much more certainty that the person is who she says she is.
I have my concerns, of course, and biometrics worry me most. It's far too easy to fool biometric systems, although things will undoubtedly continue to improve. A better question concerns what is done with the biometric data, and what kinds of biometric data are used. Thumbprint? I'm a little queasy at it, but not much, especially since most biometric systems don't actually store the print itself, just a mathematical "hash", if you will, of the print. But DNA? Uh-uh. No way. I agree with those opposed to the idea of governments being able to access the DNA of anyone they arrest for a felony; I have even less enthusiasm for the idea of corporations, under far less oversight than governments, having access to the building blocks of our bodies.
The idea of smart cards intrigues me, however. Believe it or not, even AOL, with its famously technologically sophisticated user base (yes, I'm being sarcastic), has gotten into the act. For only $2 per month, AOL customers can use an RSA SecurID token to authenticate themselves to access potentially sensitive areas of the AOL environment. Jokes aside, this is a good thing. The price is reasonable, although if every service charged $2 for the ability to use a SecurID token, the average consumer would be overwhelmed with payments.
The biggest problem, as always, comes down to an open standard. A universal scheme to ensure better authentication through the use of smart cards, or even smart cards plus biometrics, will only succeed if Microsoft doesn't own the standard, or the patent, or anything else that it intends to use to control this new direction in security. And for "Microsoft", you can substitute the company or organization of your choice. If we want a better scheme to work, then it must be an open standard - and open in the sense that open source developers can use it, without fear of licensing or patent issues. Without an open standard, we're looking at discrete archipelagos of authentication, instead of a universal, and universally useful, method of improving the ways we verify who we are. I can't say I'm hopeful. Patent greed seems to be clouding the judgement of every company involved in IT these days.
We're not in the Last Days - it's been over 500 years since Schedel left those pages blank at the end of the Liber Chronicarum - but we're hopefully seeing the last days of passwords and all the annoyances they bring. As for me, I say the sooner the better. How about you? Would you be willing to carry around a smart card if it meant one less password? Or would you willingly use biometrics to verify yourself, if that meant fewer passwords? Add a comment and tell us your thoughts.