The Boston Globe
Assigning Passwords to Computer History
February 26, 2004
By Hiawatha Bray
Computer users disagree about
many things - PC versus Macintosh, Windows versus Linux.
But nearly everyone agrees that using passwords to
secure digital data is a lousy idea. They're hard for
users to remember, but easy for information thieves to
crack. And each of us needs dozens of them, for every
computer network and website we use.
Even Bill Gates hates them,
and he can afford to pay someone to type his passwords
for him. "There's no doubt that over time people
are going to rely less and less on passwords," the
chairman of the software company Microsoft Corp. said in
a speech Tuesday. "It just doesn't meet the test
for anything you really want to secure." But
where's the alternative? Microsoft is opting for an
expensive, muscular approach designed with the help of a
leading computer security firm located in Massachusetts.
As for the rest of us, there's a new wave of products
that replace passwords with fingerprints. Sony's Puppy
and the Personal Biometric Pod from American Power
Conversion Corp. of West Kingston, R.I., will let users
access home networks and Internet sites with the touch
of a finger.
The Microsoft solution was
co-produced by RSA Security Inc. of Bedford. Millions of
people use RSA software without knowing it; the company
makes the security software used in Web browsers to
encrypt credit card data sent to e-commerce sites. RSA
also makes a technology called SecurID. In this system,
each user of a computer network is given a key
chain-size device with a liquid crystal display screen.
Every 60 seconds, a random number appears on the screen.
An RSA computer connected to the corporate network
generates the same number at the same time.
To log into the network, a
user types in the number from his SecurID card, along
with a memorized PIN number like those used with ATM
machines. Even if the card falls into the wrong hands,
it's useless without the correct PIN. "With our
solution, you still need a PIN," said Karl Wirth, a
product manager at RSA. But "you can have a much
simpler password because you're supplementing it."
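
The login check described above, sketched as an added example that is not part of the original article and not RSA's code. SecurID's own algorithm is not given here, so an HMAC-based time code in the style of the public TOTP standard (RFC 6238) stands in for it; all function names, the seed, salt and PIN are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds each code stays valid, as in the article


def code_for(seed: bytes, counter: int, digits: int = 6) -> str:
    """Derive the displayed number for one 60-second interval (TOTP-style stand-in)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def token_display(seed: bytes, now: float) -> str:
    """What the key-chain device shows at time `now` (seconds since the epoch)."""
    return code_for(seed, int(now // STEP))


def pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def enroll(seed: bytes, pin: str, salt: bytes) -> dict:
    """Server-side record: shared seed, salted PIN hash, last interval accepted."""
    return {"seed": seed, "salt": salt, "pin_hash": pin_hash(pin, salt), "last": -1}


def verify_login(user: dict, pin: str, code: str, now: float, drift: int = 1) -> bool:
    """Accept only a correct PIN plus an unused code from the current interval,
    allowing `drift` intervals either side for clock skew."""
    pin_ok = hmac.compare_digest(pin_hash(pin, user["salt"]), user["pin_hash"])
    current = int(now // STEP)
    matched = None
    for counter in range(current - drift, current + drift + 1):
        expected = code_for(user["seed"], counter).encode()
        if counter > user["last"] and hmac.compare_digest(expected, code.encode()):
            matched = counter
    if pin_ok and matched is not None:
        user["last"] = matched  # a code that was accepted once cannot be replayed
        return True
    return False


# Constructed sample values, not real credentials.
SEED, SALT, NOW = b"constructed-seed-0001", b"constructed-salt", 1_077_800_000.0
```
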
RSA this week announced
that it will offer a version of SecurID that interfaces
with Microsoft's Windows software. This will make it
easy to add the SecurID technology to corporate networks
full of Windows machines.
Unfortunately, RSA
technologies are out of the reach of small businesses
and home computer users. Besides, even a short, easily
remembered password is still a password. Will we never
be rid of them?
The only real hope for a
password-free life lies in biometric technology -
devices that identify people based on unique physical
features, such as fingerprints or retinal patterns.
"Deployed properly
they can be a very effective tool for protecting
personal information," said Trevor Prout, director
of marketing at the International Biometric Group, a New
York consulting firm. "It's certainly a more secure
solution than using PINs and passwords, which are easily
shared, stolen."
Many companies produce
biometric technologies, but they've been slow to catch
on. Businesses and government agencies use them in
high-security areas, but the relatively high cost of the
systems has kept them out of common use. Passwords are
cheap; biometrics requires scanning equipment, such as
fingerprint or eye scanners, connected to computers that
process the data, plus another computer to store the
biometric database needed for comparison purposes.
Gerry Gebel, analyst for
the Burton Group of Midvale, Utah, noted another
significant expense - privacy. "People are
concerned about how this information is stored and
used," Gebel said. Workers must be reassured that
their fingerprint files will be safe from data thieves,
and that the information won't be misused by the
company.
Despite all these concerns,
biometrics is gaining traction. According to the
International Biometric Group, it's a billion-dollar
industry today and will reach $4.6 billion by 2008.
There may even be a
consumer market for simple biometric devices. Sony seems
to think so; for years the company has marketed a line
of home fingerprint scanners. Its latest, the $170 Puppy
810 device, is due for release this spring.
But a New England company
could set the pace in the home biometrics market.
American Power Conversion Corp. of West Kingston, R.I.,
next month will introduce a $50 personal fingerprint
scanner for home use. The Personal Biometric Pod is
designed to store a user's many passwords, all
accessible once the fingerprint is recognized.
Product line manager Greg
Fournier agreed that there have been many other
fingerprint scanners aimed at the consumer market, but
the others generally sell for $100 or more.
"Consumers don't much like paying more than $39 for
anything," Fournier said.
Users also may be put off
by scare stories about stolen passwords, so APC isn't
stressing the security benefits. "We've decided to
market it as a convenience product," Fournier said,
"something that makes my life easier."
Easier, yes. But not
password-free. Users will still need passwords for their
favorite Internet sites. They'll just use one finger to
enter them, instead of all 10. Technology can ease the
burden of passwords, but they're not all going away any
time soon.