This morning, I couldn’t find my badge for work. This was extremely annoying, as it would have meant that I not only lost my badge (easy to replace), but my DoD Common Access Card (CAC). My CAC contains (on a smart card) the keys I need to decrypt encrypted mail sent to me; it is unlocked by a PIN that presumably only I know. If you think about this a bit, this is a way of strengthening security by adding “something you have” (the card) to “something you know” (the password).
The problem with “something you have” is that sometimes you don’t have it. Things get lost or misplaced. So how do we get the “something you have” without the use of cards to store keys? The answer in some sense is easy: biometrics. Equip all computers with a reader that reads biometric information (say, a thumbprint); this ties to a database that provides the requisite information. Combine the biometrics with the password, and you’ve got something pretty strong.
So, while sitting on the van this morning, I continued to think along this vein. What if the biometric became your universal ID? Need to charge something? Give a thumbprint, the terminal asks you back “which account?”, and you indicate the account and the passphrase for that account. Need to log in? Thumbprint and passphrase. Need your medical records? Thumbprint and passphrase. Identity theft should be reduced, unless you lose your thumbs. They won’t have the biometrics. Your phones could even be equipped with a device to send it. Worried about replay? I think we have the technology to address that as well, in particular, if you could change your account passphrases monthly.
Aye, so where’s the rub? Aisle 4, near meat tenderizers. No, the other rub.
This would become a universal ID. Although (as I pointed out above) this has a number of advantages, it could also be used by “the government” in bad ways. Spending profiles could be tracked: the government or corporations would know what you bought, when, and the frequency. Movements could be tracked. If everyone’s prints were on file, law enforcement could find bad folks easily, but they might also turn the innocuous into the bad.
So, I’d like your opinion. Are we moving in the direction of a universal ID? If so, what can we do to ensure that good use happens, and the bad use is prevented? What legislation might we need to have in place?
Well, my tea is now cool enough to drink, I’ve found my badge (it was in my briefcase), and so it is back to productive endeavors.