Forget passwords - the future of digital security lies in biometrics
The advent of so-called biometric authentication threatens to kill off passwords for good. But which technology will be adopted is still anyone's guess
They're calling it Identity 3.0. For decades the alphanumeric password has been the bane of internet users' digital lives, but the days of having to memorise strings of letters and numbers typed on a keyboard could soon be over.
Luxe smartphones already have built-in thumbprint scanners, while Apple Watch and many other wearables can detect a wearer's heartbeat. Cameras and sensors can recognise a person by their face, ears, voice or even the pattern of the veins in their hands. The age of so-called biometric authentication is almost upon us, and it threatens to kill off the alphanumeric password for good.
Some of the concepts are wacky. PayPal recently floated the idea of "edible verification", encrypted ingestible devices that could store personal data, as well as silicon chips that could be embedded into a person's skin to identify the unique characteristics of their body to a computer. Neither idea is beyond the concept stage.
However, the tech that will power Identity 3.0 is real and it's ready. Which approach can most easily replace alphanumerics is anyone's guess, although in Hong Kong there is momentum behind face recognition technology. The Legislative Council's security panel revealed in January that it would spend HK$2.9 billion on smart biometric ID cards capable of storing higher resolution images for face recognition. The chip in the current ID cards - some nine million of them - holds fingerprint images, though there have been concerns about their quality. The new cards will have more storage capacity and a microchip that can also hold images of the owner's face, with plenty of room to add, in future, iris images and fingerprint data. The new cards will be phased in from 2018 to 2022.
Many see a future for face recognition tech in wider society. It's being pioneered in vehicles by Canberra, Australia-based Seeing Machines, which hit the headlines earlier this year with its Fovio "accident avoidance" tech employed on an F-Type Jaguar, which monitors drivers for fatigue and distraction. For now, it concentrates on industrial truck drivers, but mainstream vehicles are next. The same eye-tracking tech, combined with iris scanners, could also be used to start vehicles, open doors or unlock a website or app.
Although it's barely on the agenda in Europe or the US, basic biometrics is on the cusp of mass adoption in Asia. Fingerprint verification is commonly used for ATMs in Japan and banks in Vietnam are trialling the same technology so customers can make a transaction without using any kind of card, identification or smartphone.
"Biometrics is seen as new and exciting, and Asian consumers are always ahead of the trends when it comes to adopting the latest technologies," says Ron Kalifa, deputy chairman of payment processing company Worldpay. "There is also the security factor, with many consumers believing that biometrics offer a safer way to transact and access personal data."
Despite that popular perception, security is a huge challenge for biometrics. Hong Kong authorities fear that the fingerprint images embedded in the present generation of smart ID cards could soon be forged, and matching any fingerprint, face or voice with total accuracy is almost impossible: a matcher reports how similar two samples are, not a yes-or-no answer, so every system has to pick a threshold and live with the errors on either side of it. "Biotechnology does pose some interesting security problems," says Kalifa. "Biometrics is probabilistic rather than deterministic, which means there is always the possibility of a false identification, and this will be a real challenge for companies using biometrics over the next few years."
A good example occurred in 2014, when - for demonstration purposes - hacker Jan Krissler successfully recreated the fingerprints of the German defence minister Ursula von der Leyen using only high-resolution photos of her hands. "While the data in this case was used to simply highlight the potential problems, it goes to show just how inventive companies will have to be to stay one step ahead of the criminal fraternity," says Kalifa.
Biometric data is like having one password for multiple accounts, except that it cannot be changed once it has been stolen or forged, which makes any compromise a security nightmare. Does that mean traditional passwords - however irritating they are to remember - are more secure? "An eight-digit numeric password will require hours to recover, and that will discourage casual hackers with toolkits," says John Girard, vice-president at analyst firm Gartner, which has offices in Hong Kong.
"But even a six-character lower-case alphanumeric password can provide billions of values. For most practical purposes, hackers are not prepared to pursue this large a set of combinations due to the relatively slow speeds involved in brute force attacks against smartphones and tablets."
The advice, therefore, goes something like this: choose a password of six alphanumeric characters, avoid dictionary words, and hackers guessing against the device itself won't get very far. That reasoning rests on the slow, throttled guessing rate a phone or tablet allows; the same six characters offer little protection against a password hash stolen from a server and cracked offline, where guess rates run to billions per second. For anyone dealing in sensitive business data, Gartner suggests that biometric authentication will be useful, though probably in addition to alphanumeric passwords rather than instead of them.
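The following added example (not Gartner's or the article's own) puts numbers on the argument above, and goes one step beyond it: besides the size of the keyspace it computes how long exhaustive guessing takes at two very different rates, and the shortest length that survives a year of guessing at each. Both guess rates are round-number assumptions for illustration, not measurements of any device or cracking rig.

```python
"""Added example (not from the article): how far "billions of values" goes
depends entirely on how fast an attacker can try them.

The Gartner quote above reasons about guessing *against the device*, where
a lock screen throttles attempts. Against a password hash stolen from a
server and cracked offline, the guess rate is many orders of magnitude
higher. The rates below are round-number assumptions for illustration,
not measurements of any product.
"""

SECONDS_PER_YEAR = 365 * 24 * 3600

# Assumed guess rates (guesses per second); illustrative only.
GUESS_RATES = {
    "throttled device": 10,                    # assumption: lock-screen rate limiting
    "offline, fast unsalted hash": 10 ** 10,   # assumption: GPU cracking rig
}

CHARSET_SIZES = {
    "digits": 10,
    "lower-case letters": 26,
    "lower-case alphanumeric": 36,
    "mixed-case alphanumeric": 62,
}


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly this length."""
    return charset_size ** length


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every value at the given rate."""
    return space / guesses_per_second


def min_length_to_survive(charset_size, guesses_per_second, years):
    """Smallest length whose keyspace cannot be exhausted in `years`
    at `guesses_per_second` (integer arithmetic, no float rounding)."""
    required = guesses_per_second * years * SECONDS_PER_YEAR
    length = 1
    while charset_size ** length < required:
        length += 1
    return length


def describe(seconds):
    """Human-readable duration for the report below."""
    if seconds < 60:
        return f"{seconds:.1f} s"
    if seconds < 3600:
        return f"{seconds / 60:.1f} min"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} h"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.1f} years"


if __name__ == "__main__":
    for label, rate in GUESS_RATES.items():
        print(f"== {label} ({rate:,} guesses/s) ==")
        for name, size in CHARSET_SIZES.items():
            space = keyspace(size, 6)
            print(f"  6 x {name:<24} {space:>15,} values  "
                  f"exhausted in {describe(seconds_to_exhaust(space, rate))}")
        print(f"  length needed to survive 1 year: "
              f"{min_length_to_survive(36, rate, 1)} lower-case alphanumeric chars")
```

Under the throttled assumption six lower-case alphanumeric characters do hold out for years, which is the case Girard describes; under the offline assumption the same keyspace is exhausted in well under a second and twelve characters are needed to last a year. Which case applies depends on where the attacker is guessing, not on the password.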
Not everyone agrees. "Passwords are an increasingly weak authentication process, easily infiltrated by bugs and viruses and vulnerable to confidence tricks and simple, easy-to-guess phrases," says Seb Reeve, director of product management at Nuance, which is pioneering voice biometrics.
"Voice biometrics cannot be replicated and the voiceprint itself is of no value in isolation for a fraudster," he says, adding that voice should be used as part of a "triple-factor" system for maximum security.
"For example, banks are able to combine something unique to the individual - their voiceprint - with something they know, such as a set phrase or question, and an identifier based on a device or IP address."
Like most innovations, biometric techniques are likely, for most of us, to appear first on smartphones and tablets. Complex technology is unlikely to catch on, but "passive" biometrics - such as a quick eye-scan or voiceprint as you pick up a smartphone - could well work. Iris scanners already exist in some smartphones, but they can't be totally relied upon.
"High-resolution cameras are now able to pick iris patterns out of normal photographs, thus potentially enabling an individual to pose as someone else," says Kalifa. "We believe the winners in this marketplace will be able to combine biometrics with other factors like devices or objects, and secrets such as pins, passwords and other 'known' factors - this will help mitigate any security risk."
Since smartphones carry GPS sensors, location is another way of checking that someone is who they say they are. This is "contextual authentication": if you're trying to log in to your bank account from your own home, that's at least a clue that you are the genuine user, though only a clue, since a reported location can be faked and should corroborate other factors rather than replace them.
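The "triple-factor" scheme Reeve describes and the device-plus-secret combination Kalifa recommends can be written down as a single decision rule. The following is an added example, not code from the article, Nuance or Worldpay: it combines a probabilistic voice score with a known phrase, a device identifier and GPS context so that no single factor, and in particular no stolen or replayed voiceprint, is enough on its own. The threshold, point weights, profile and sample attempts are all assumptions chosen for illustration.

```python
"""Added example (not from the article, Nuance or Worldpay): a decision rule
that combines a probabilistic biometric with a known secret, a device
identifier and GPS context, so that no single factor, and in particular
no stolen or replayed voiceprint, is enough on its own.

The threshold, point weights and sample attempts are assumptions chosen
for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    voice_score: float     # matcher similarity in [0, 1]; probabilistic
    phrase_correct: bool   # "something you know": a set phrase or answer
    device_id: str         # identifier of the device or IP address used
    location: str          # coarse location label derived from GPS


@dataclass(frozen=True)
class UserProfile:
    enrolled_devices: frozenset
    usual_locations: frozenset


VOICE_ACCEPT = 0.80   # assumption: calibrated so FAR and FRR are tolerable

# Assumption: independent corroborating factors earn points; the knowledge
# factor is a hard gate rather than a point, because it is deterministic.
POINTS = {"voice": 2, "device": 1, "location": 1}
ALLOW_AT = 3      # e.g. voice + device, or voice + location
STEP_UP_AT = 1    # something corroborates, but not enough: ask for an OTP


def factor_points(attempt, profile):
    """Points from the factors that corroborate this attempt."""
    points = 0
    if attempt.voice_score >= VOICE_ACCEPT:
        points += POINTS["voice"]
    if attempt.device_id in profile.enrolled_devices:
        points += POINTS["device"]
    if attempt.location in profile.usual_locations:
        points += POINTS["location"]
    return points


def decide(attempt, profile):
    """Return 'allow', 'step_up' or 'deny'."""
    if not attempt.phrase_correct:
        return "deny"          # the known secret is required, always
    points = factor_points(attempt, profile)
    if points >= ALLOW_AT:
        return "allow"
    if points >= STEP_UP_AT:
        return "step_up"
    return "deny"


# Constructed sample profile and attempts.
ALICE = UserProfile(enrolled_devices=frozenset({"phone-A"}),
                    usual_locations=frozenset({"home", "office"}))

SAMPLE_ATTEMPTS = {
    "usual phone at home, good voice": LoginAttempt(0.92, True, "phone-A", "home"),
    "hoarse voice on usual phone at home": LoginAttempt(0.61, True, "phone-A", "home"),
    "good voice, unknown device, airport": LoginAttempt(0.92, True, "laptop-X", "airport"),
    "replayed voiceprint, wrong phrase": LoginAttempt(0.95, False, "laptop-X", "airport"),
    "weak voice, unknown device, airport": LoginAttempt(0.61, True, "laptop-X", "airport"),
}


if __name__ == "__main__":
    for label, attempt in SAMPLE_ATTEMPTS.items():
        print(f"{label:<40} -> {decide(attempt, ALICE)}")
```

Two outcomes are the ones worth noticing: a perfect voice match from an unknown device in an unusual place gets a step-up challenge rather than access, which is what blunts a recreated fingerprint or a replayed recording; and a poor match from the user's own phone at home also gets a step-up rather than a lockout, which is how a probabilistic factor's false rejects are absorbed without weakening the system.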
It's one thing to ask someone to remember various logins and passwords; recording their fingerprints, voice, face and even - one day - their DNA code is something else entirely. Letting your bank, employer or any app know your geographic location - not to mention scans of your iris, your fingerprints and your voiceprint - won't suit everyone.
Is there a moral issue with storing ultra-personal data like this?
"There is always an issue when companies hold any sort of personal data and they have a duty of care to ensure that data is not only not compromised, but also not passed to third parties," says Kalifa. "We know that people are still cynical towards biometrics so it's important companies do everything they can to reassure them that the data is safe and secure."
With the arrival of so much new authentication technology, something has to stick. As anyone now choosing the same password for all of their websites and apps knows, the system we use now is inconvenient and outdated. However, it seems we're likely to get biometrics only as a second or even third layer of security. The alphanumeric password isn't going anywhere in a hurry.