Can Your Body Replace Your Passwords?
When will we all get tired of memorizing and typing in long passwords to access our phones, our computers, our email messages, and our bank accounts? It seems that many consumers are already there — and researchers are on their way to figuring out the next authentication systems that could eventually replace the password.
Methods of biometric authentication identify and verify a user based on the physiological or even behavioral characteristics that they display. Think of Apple’s Touch ID fingerprint recognition feature for the iPhone 5S, but going far beyond a simple fingerprint. Think technology that can scan and recognize the pattern of veins in your finger, verify your identity based on a photo of your face, or listen to your voice to find out who you are.
While the possibility that biometric authentication systems could come to consumer devices is exciting, the technology also holds huge potential for enterprise, and for people who use a variety of devices at work. In February, Gartner projected that 30 percent of organizations will use biometric authentication for mobile devices by 2016, up from 5 percent at the time. The growing prevalence of mobile devices in the workplace will necessitate a middle ground between robust security and usability. The report notes: “User expectations of a clean and simple mobile user experience often outweigh security concerns, and the same valuable data guarded by complex passwords and security measures on PCs can be left vulnerable on mobile devices… While most organizations require robust passwords on laptops, smartphones and tablet devices often have access to the same applications and critical data but not the same levels of security.”
While complex passwords can be problematic to enter on mobile devices, Gartner notes that even a four-digit password — the default to unlock an iOS device — is “inappropriate” to protect systems like corporate email. But biometric authentication methods offer a compromise, and can be used in conjunction with traditional passwords to provide a better assurance of security, and a better user experience: “Suitable authentication modes include interface interactivity, voice recognition, face topography and iris structure. These modes can be used in conjunction with passwords to provide higher-assurance authentication without requiring any significant change in user behavior.”
Read on to find out more about a few methods of biometric authentication, and consider what could replace your passwords when technology and security advance far enough to make the process of logging in and verifying your identity easier and faster.
Finger vein authentication
Hitachi’s VeinID finger vein authentication technology (PDF) captures images of the vein patterns in the user’s finger. The patterns are unique, and nearly impossible to replicate. The technology works by passing infrared light through the finger. The light is partially absorbed by the hemoglobin in the veins, which enables an image to be recorded. The system then takes about a half-second to match the user’s vein patterns to the patterns that are stored on a smart card.
The company says that the process is “remarkably accurate,” with only a 0.0001 percent chance of someone passing off their vein pattern as someone else’s. For additional security, users can also record the vein pattern in more than one finger. The system could be used on door access control units, ATMs, car doors, or PCs. In the future, it could be used on mobile phones and MP3 players, or “adapted” for driver’s licenses, ID cards, and passports.
Sophos’s Naked Security blog recently reported that Barclays has joined Japanese and Polish ATMs in adopting the VeinID system, and customers will be able to withdraw money without the need for a card or a PIN code when the technology is rolled out in 2015. Hitachi notes that biometric authentication systems still have challenges to overcome, and that each has advantages and disadvantages, including in the way it’s perceived by the user:
“The key with ‘biometrics’ is pin-pointing personal characteristics that are easily measured and compared, and processing the information in ways that are accurate, convenient and don’t cause undue embarrassment. Finger printing, iris scans, hand geometry and voice recognition systems are already in use, and each has its own particular set of advantages and disadvantages. Some are easier to forge, others are more expensive or cumbersome. Some are affected by the surrounding environment, others make users feel uncomfortable.”
Another method of biometric authentication that sounds like something out of a science-fiction movie — or at least a detective show — is facial recognition. A page on the FBI’s website explains that facial recognition can be used both for verification and for identification, and the earliest systems, developed in the 1960s, required an administrator to locate features (eyes, ears, nose, and mouth) on photographs. From there, the system calculated distances and ratios, and compared that information to reference data.
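The distance-and-ratio matching described above, sketched as an added example (not code from the FBI or any vendor mentioned in this article): hand-marked landmarks become ratios of the inter-eye distance, which are then compared to reference data for 1:1 verification and 1:N identification. The people, coordinates and the 0.05 threshold are constructed assumptions, and "carol" is deliberately given proportions close to "alice".

```python
import math
from itertools import combinations

# Landmark names follow the features the passage lists.
LANDMARKS = ("left_eye", "right_eye", "nose", "mouth", "left_ear", "right_ear")

# Constructed reference data: hypothetical people, invented pixel coordinates,
# as if an operator had marked each landmark on a photograph.
GALLERY = {
    "alice": {"left_eye": (30, 40), "right_eye": (70, 40), "nose": (50, 62),
              "mouth": (50, 82), "left_ear": (8, 48), "right_ear": (92, 48)},
    "bob":   {"left_eye": (28, 42), "right_eye": (72, 42), "nose": (50, 70),
              "mouth": (50, 95), "left_ear": (5, 50), "right_ear": (95, 50)},
    "carol": {"left_eye": (32, 38), "right_eye": (68, 38), "nose": (50, 58),
              "mouth": (50, 76), "left_ear": (12, 46), "right_ear": (88, 46)},
}

def feature_vector(points):
    """Pairwise landmark distances as ratios of the inter-eye distance,
    so the same face photographed at a different scale gives the same vector."""
    base = math.dist(points["left_eye"], points["right_eye"])
    if base == 0:
        raise ValueError("eye landmarks coincide; cannot normalise")
    return [math.dist(points[a], points[b]) / base
            for a, b in combinations(LANDMARKS, 2)]

def score(probe, reference):
    """Euclidean distance between two ratio vectors (lower = more similar)."""
    return math.dist(feature_vector(probe), feature_vector(reference))

def verify(probe, reference, threshold=0.05):
    """1:1 verification: does the probe match the single claimed identity?"""
    return score(probe, reference) <= threshold

def identify(probe, gallery, top_n=3):
    """1:N identification: enrolled names ranked by similarity to the probe."""
    return sorted(gallery, key=lambda name: score(probe, gallery[name]))[:top_n]

def scaled(points, factor):
    """The same landmarks as they would appear in a larger or smaller photo."""
    return {k: (x * factor, y * factor) for k, (x, y) in points.items()}

if __name__ == "__main__":
    probe = scaled(GALLERY["alice"], 2.5)
    print("ranked candidates:", identify(probe, GALLERY))
    for name, ref in GALLERY.items():
        print(name, round(score(probe, ref), 4), verify(probe, ref))
```

With the constructed data, the assumed 0.05 threshold accepts the probe against carol's similar template as well as alice's, while a threshold of 0.01 rejects it. Tightening the threshold reduces such false accepts at the cost of less tolerance for variation in how the landmarks are marked.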
The technology has evolved since then, and the FBI notes that today there are two predominant approaches to facial recognition: geometric, or feature-based, and photometric, or view-based. Within each method, complex algorithms are used to represent and match an individual’s face. The FBI is implementing its own facial recognition system, called Next Generation Identification, this summer, with a federal database of 50 million photos slated to be made available to all fifty states by the end of the year.
Naked Security notes that some PC login systems, mobile apps, or even ATMs and payment systems can use facial recognition to authenticate users. Even Facebook uses facial recognition technology that some have noted is almost as accurate as the human brain. The Verge reported that Facebook’s DeepFace system can tell with 97 percent accuracy whether two pictures are of the same person. That’s more accurate than the FBI’s Next Generation Identification system, which, given a face, returns a ranked list of fifty possibilities and gives only an 85 percent chance of returning the suspect’s name on the list.
As the Washington Post recently reported, GM may soon offer cars equipped with facial recognition software from an Australian company called Seeing Machines. The technology is reportedly designed to detect distracted driving, and will use a system of cameras and software to note the rotation of the driver’s head and how often he blinks. Those measurements will help the system figure out if the driver is keeping his eyes on the road, or if he’s looking at his phone or even falling asleep, and the driver could be alerted or even forced to pull over. The system could also disable the vehicle if whoever is in the driver’s seat is not an authorized user, or could enable the driver to activate apps and navigation with a glance.
However, when it comes to authentication, facial recognition technology is less than perfect, and some systems can be fooled by photographs or by people who look similar, or can fail to authenticate the actual user due to a variety of factors that can change the way we look. So, like many methods of biometric authentication, some improvements need to be made before your passwords can be totally replaced.
Another potential authentication method to replace the password is the gesture. Many Android phones have made it possible for users to swipe a pattern to unlock their phones, and Windows 8 incorporates a system that asks users to complete swipes around a picture. However, these types of gesture authentication come with many of the same issues as passwords. People are just as unlikely to choose hard-to-guess shapes as they are to pick hard-to-guess passwords.
Voice recognition technology could authenticate users based on features that are influenced by a person’s physical features, such as the airway and soft tissue cavities, and by his or her behavioral characteristics. As the FBI’s website notes, voice recognition is useful for remote authentication given that it can be completed with the use of a phone, or with the microphone on a computer. Speech samples are captured over a period of a few seconds, and analyzed with a model that monitors changes over time.
Technology to scan and analyze the random patterns of the iris is a relatively new method of biometric authentication. The iris is a muscle within the eye, and regulates the size of the pupil to control how much light enters the eye. As explained on the FBI’s website, the iris’s color is based on the amount of melatonin pigment within the muscle, and while the iris’s color and structure are genetically linked, the details of its patterns aren’t. During prenatal growth, the iris develops through a process of forming and folding of the tissue membrane. Degeneration causes the pupil to open and the iris to form random, unique patterns. An individual’s irises are genetically identical but structurally unique, and can be used to recognize and authenticate a person.
The FBI’s website notes that while iris recognition uses the iris muscle to authenticate a user, a related method, called retinal recognition, uses the unique pattern of blood vessels on the retina at the back of the eye as a means of identification and verification. Both methods involve capturing a high-quality image of the iris or retina, using near-infrared light to illuminate the eye.
But iris scanners have been less than seamless to implement in the past, with some prone to misidentification of users and others making it difficult for users to properly align their eyes with the device.
The future of passwords
There is a huge variety of biometric authentication methods currently being researched and tried, including DNA matching, identification using the shape of the ear, finger geometry recognition, hand geometry recognition, gait recognition, body odor recognition, and even typing pattern recognition. But many of these technologies have some distance to cover before they can be considered as a viable replacement for the traditional password.
Password systems have seen a wide variety of improvements over the years, from the implementation of now-ubiquitous “Forgot Your Password” recovery systems to two-factor authentication features that send a unique code to your smartphone for you to enter along with the password you’ve already entered on a computer. For all of those precautions, each new system comes with its own vulnerabilities, and new ways for insecure designs or plain human error to leave users’ information unsecured. And while they aren’t the most secure option, passwords right now are the simplest method of authentication available.
As technology advances and more sophisticated systems are developed for vein identification technology, facial recognition systems, and iris scans, there is considerable room for improvement. Most recognition devices for any of these methods of biometric authentication will need to get a lot smaller and a lot cheaper to become ubiquitous, and especially to integrate with consumer devices.
And perhaps most importantly, security will take on a new level of importance when it’s your blood vessel patterns and not your password that’s stored on someone’s server. A major problem with biometric authentication — and many companies’ failures to properly encrypt and authenticate the messages, content, and information that you share via their platforms — is that if a user’s credentials are compromised, they can’t be easily changed like a password. So for your eyeballs or your voice to take the place of your passwords, researchers and developers need to figure out privacy and security first.