"Who are you?" is the most expensive question in information technology. No matter how you get it wrong, you're fucked.
Passwords suck. But virtually everything else sucks far worse.
Biometrics, as many have already noted, 1) aren't passwords, 2) are usernames, 3) aren't universally present, 4) aren't immutable, 5) retain the problem of having to be stored as data to be verified, 6) aren't replaceable, and 7) can still be stolen, copied, faked, or otherwise misrepresented. At the very least. (Is there a "Myths programmers believe about biometric identifiers" page yet, because there needs to be one?)
Attesting to identity is a long-lived problem, though one that's changed through the ages largely in the scale of how many people it applies to and in what privileges are granted based on attested identity.
Absent some alternative of a convenient, replaceable, inexpensive, repudiable, and effective portable token of some sort, I don't think the identification problem is ultimately solvable.
Electronic data are fundamentally different from data-on-physical-media. Electronic information tends, as Quinn Norton noted, to be deleted or public -- those are the only possible end-states.
(Arguably paper-based records do as well, though the ratio of deleted to public is far higher.)
Electronic information lacks mass, and the attributes of mass. It has no, or very, very little, inertia. It can be transmitted around the globe in a fraction of a second. Multi-gigabyte, approaching terabyte storage, is now possible on fingernail-sized devices.
Data transactions, unlike financial ones, aren't reversible. It's possible to reverse or undo a financial transaction. The seen cannot be unseen, the heard cannot be unheard. Backing out data disclosures is not possible.
The World Wide Web was created as an information distribution system, specifically for academics. It's been extended far past that, but the fit has quite often been very, very poor.
There's a strong benefit to in-person physical transactions. There's a very high locality cost: getting to, and being present in, a specific location will cost you. Current rates are approximately $0.50 per mile traversed, plus other considerations. Being present in multiple locations simultaneously (or even in brief time) is exceptionally difficult to arrange. Physical reality has high attack costs.
Data presents low attack costs, and increasingly, highly appealing targets.
Devices, systems, users, administrators, vendors, and more, all exhibit exceptionally poor practices.
As one comment on this thread states, "If this replaces passwords, I am quitting this industry to raise chickens in a cave." To which I respond: stay out of my cave.
Because I'm already there.