About a week ago at Google I\/O, Google said it would begin testing in June an alternative to passwords. People have been talking about eliminating passwords for years. They\u2019re hard to remember, particularly when one has dozens of them. Some people have hundreds.\n\n\nAnd people tend to mismanage them \u2014 the classic sticky note on the side of the monitor is only the best example. So, Google is proposing to use a mix of biometric and other data from users\u2019 Android phones. This data is expected to include facial geometry (picked up by the camera), voice pattern (picked up by the microphone), walking style (picked up by the accelerometer), and swiping and typing patterns (picked up by the touch screen).\n\n\nThe intelligent part of the system is expected to create a summed likelihood score based on all the sub-scores, and if it passes some threshold \u2014 say, 85% \u2014 the gatekeeper gives the okay to the website. Google is calling this set of software Trust API. Various sites have to opt in to receiving these scores. Maybe Facebook only cares that there\u2019s a 75% chance that you are you, but Bank of America wants to see 90%. The institution can send challenge questions if the score is too low.\n\n\nThe benefits of such a system are obvious. The user doesn\u2019t have to remember anything. A hacker trying to spoof an identity would have a hard time matching all those sub-scores.\n\n\nBut anyone believing that this scheme is better than bad ol\u2019 passwords needs to think again.\n\n\nUp on Hacker News, readers greeted the proposal with derision.\n\n\nOne poster pointed out the privacy concern: in order to use a Web service of any sort, one is required to reveal his or her full identity. The whole point of a user name and password is that one can create a limited identity used for that purpose alone.\n\n\nAnother noted the beneficial transience of passwords: if someone hacks a password, it can be reset. \u00a0If someone hacks an iris scan, you can\u2019t install a new iris.\n\n\nThen there is the security concern: fingerprints can be cloned, retinal scans can be faked, photos can be copied. It might be possible to fool the gatekeeper. As one renewed adherent of passwords said, \u201cThose things might be hard, but not as hard as getting something out of my brain (disregarding 'rubber hose cryptanalysis,' of course)."\n\n\nOne systems administrator pointed out that biometrics can\u2019t be changed, and, for corporate IT managers, revocation of credentials is a requirement of any authentication system. \u00a0 When an employee has been hacked, a new set of credentials needs to be issued to that employee.\n\n\nThen, there is the performance issue: all this computation needs to be done somewhere. If it\u2019s done on the phone, then performance and battery life are adversely affected. If it\u2019s done in the cloud, possibly unacceptable delays may occur from round trips to the service. Given Google\u2019s philosophy, it\u2019s likely that such calculations will be in the cloud. That way, all roads lead to Google, and Google gets at least a sniff of all information passing through the Trust API.\n\n\nFinally, a software developer noted that the whole notion of Trust API follows a disturbingly familiar pattern. A major player \u2014 in this case, Google, but it could just as easily be Apple, Facebook, or Microsoft \u2014 decides to create a huge artificial intelligence (AI) problem out of identity verification in order to "protect users from harm," thus anointing itself the gatekeeper and effectively walling off competition.\u00a0\u00a0\n\n\nAs another Hacker News poster put it, \u201cI'm all for getting rid of passwords, but the idea of Google (and other service providers) keeping that much information on me would definitely push me to getting rid of [my] smartphone.\u201d\n\n\nIf identity validation involves complex AI computation in the cloud, then no one except the behemoths will be able to do it anymore, which, quite possibly, is the idea.