When your body is your password - TechCentral

When your body is your password


Passwords are a pain. I seem to have 100 or more different identities on different websites to manage. Whenever I book a flight or buy a concert ticket, it often means setting up yet another persona and coming up with a password to authenticate it.

It’s got so bad I’ve resorted to a password manager program to suggest secure, truly random passwords and then keep track of them for me. Of course, if I forget the password to that program, or worse still if someone else guesses that password, I’ll be in all sorts of trouble.

This is a recognised problem, so it’s no surprise firms are looking at ways to make this easier. In the US, Yahoo has announced it plans to move to a password-on-demand system, where a new, one-time password is generated and texted to your mobile phone, and you can text the password to Yahoo’s servers whenever its services require authentication.

This makes things easier for the user, whose phone is now a key as well as everything else. But some security experts have been less than impressed. For example, many phones show the text of incoming messages automatically, popping up even when the phone is locked. All that would be required is five minutes alone with your phone and your Yahoo account could be hijacked. And who hasn’t left their phone unattended for even just a short while?

All this hassle with usernames and passwords has led many to think biometrics are the answer, in which uniquely identifying elements of our physical body are used as authentication keys.

The most common, fingerprints, have been used as a means to authenticate users for some time. Fingerprint-based controlled access can be made to work reasonably well, although it is not immune to successful attack. When you find that Sherlock Holmes was cracking cases in 1903 which involved forged fingerprints, you might be forgiven for wondering if we really can provide security on the basis of our fingertips and thumbs. However, modern biometric security goes further to try to provide greater security.

Microsoft is building biometric password support into the forthcoming Windows 10, due to arrive later this year. The Windows Hello component, essentially a login screen, will be able to use a webcam to examine the user’s face or iris, or a fingerprint scanner, to unlock devices and provide Windows logon. Microsoft is also touting a mechanism built into its Passport service that will provide authentication on your behalf to other sites once you have successfully logged on to your computer and it has recognised you.

Halifax, the bank, has gone one step further for its online banking services. It is currently testing a smart wristband called Nymi which reads the wearer’s heartbeat — another biometric measure that provides a rhythmic pattern that can be used as a unique identifier. Heartbeat biometrics are touted as harder to fake or fool than other biometrics, although when I consider what happens to my heartbeat when I check my bank balance I’d imagine it will need considerable testing!

All this is a step toward the Holy Grail of authentication: security with convenience. Microsoft’s moves in this direction come as part of the FIDO Alliance, which aims to improve the way we approach security for devices and online services in the future, improving security and reducing the burden on users, a burden that tends to lead to corner-cutting, weak or re-used passwords, and security compromises.

The good news for us password jugglers is that there is now a greater imperative behind building higher levels of security into systems from the outset, rather than trying to add it on afterwards, and that new and better ways of doing this are being explored. Modern devices, the latest Dell tablet for example, have 3D cameras which can generate images that contain depth information as well as a visible picture. The wider introduction of these sorts of components and their successors will offer a whole new way of authenticating, to the point that in the not too distant future our smile really will be our passport.

  • Rob Miles is lecturer in computer science at the University of Hull
  • This article was originally published on The Conversation

5 Comments

  1. Yes. Mentioned in the second paragraph. Did you actually bother to read the article?

  2. Windows Hello apparently will need Intel’s new hardware; RealSense camera devices as webcams which have depth sensing built in, in order to use the facial biometrics; existing devices with biometrics will work without issues. In reply to @alanben:disqus, password managers are convenient, but nothing beats a quick finger swipe to login, right? (which I do currently, my laptop has a biometrics sensor built-in). Sure, if it doesn’t work first time you’re probably better off typing in a password but 90% of the time you’re in within 10s and a simple gesture. (Or, if Microsoft has you believe it, by staring at your screen).

  3. Greg Mahlknecht on

    The big problem with biometrics, and why it’s a terrible idea to use alone for authentication, is that it’s a password that can never be changed. There’s a fundamental misunderstanding of the role of biometrics in security applications – it replaces your user name, not your password. Yes, it’s an obfuscated user name, but when it becomes a popular enough form of authentication it’ll be cracked. Look at the level of sophistication the ATM card skimmers use – the difference is it’s a trivial matter to cancel and replace a compromised credit card. You can’t replace your biometric identifiers.