By Laura Shin
In 2012, the password could go the way of the dodo. Soon, devices will instead know you by your retina, your typing gestures, your voice and other biometric information.
As far back as 2004, Bill Gates was predicting the demise of the password.
In 2012, his prognostication might actually come true.
Researchers are working on ways to either eliminate the headache of having to remember a gazillion passwords, or to at least make passwords more secure.
The fundamental flaw of passwords is that no matter how long or complicated you make them, they will always open your device to whoever figures out the exact code. But future methods of authentication will not open the door to anyone with the key. They will -- hopefully, at least -- open the door only to you.
Several of the avenues being explored trade on recognizing "biometric" features, such as hand gestures, typing quirks, voices and more. IBM's 2012 forecast predicts that passwords will become obsolete: “Biometric data -- facial definitions, retinal scans and voice files -- will be composited through software to build your DNA unique online password,” the company's SmarterPlanet blog (no relation!) said.
However, these possible advances also come with risks: As the New York Times reports, "The most serious problem with biometrics, said Tal Be’ery, a senior Web researcher at Imperva, is that 'once your digital biometric signature is compromised, you cannot even replace it.'"
Steps toward change
Here are some of the ways that passwords are already evolving:
- Banks are already using voice recognition software to supplement your PIN.
- Google is promoting a two-step log-in process that uses both a password and a code sent to your phone.
- Smartphones may soon be able to recognize their owners with a retina scan. Dozens of police departments across the country already employ a smartphone-based retina scanning technology that can run suspects against a criminal database. It hasn't yet become available commercially due to privacy concerns and its $3,000 price.
- Several U.S. banks ask their customers to identify themselves not only with a PIN but also by reciting a two-second phrase to a computer over the phone. Even with a phrase as simple as “at my bank,” a million customers' versions will still be unique.
- Phones running the latest Android software will unlock when they recognize the owner's face -- and unfortunately, when someone else shows the phone a photo of the owner's face.
The last example demonstrates some of the pitfalls of biometric information. For instance, a system based on voice recognition could be easily duped with a recording of the owner's voice.
Recognizing you the way your dog recognizes you
Because of these risks, the government's Defense Advanced Research Projects Agency (Darpa) is looking into other forms of authentication based on behaviors including the way people type or make other hand gestures.
Darpa has invited security researchers to investigate the way people use machines so their identity can be verified every instant: “for example, how the user handles the mouse and how the user crafts written language in an e-mail or document,” it explains on its Web site.
The military has a keen interest in making sure devices remain secure: It could help protect sensitive information if, for instance, a soldier’s laptop falls into enemy hands.
Darpa program manager Richard Guidorizzi, in a press release, explains how this method differs from the current password format:
“My house key will get you into my house, but the dog in my living room knows you’re not me. No amount of holding up my key and saying you’re me is going to convince my dog you’re who you say you are. My dog knows you don’t look like me, smell like me or act like me. What we want out of this program is to find those things that are unique to you, and not some single aspect of computer security that an adversary can use to compromise your system.”
However, others, such as Nasir Memon, a professor at the Polytechnic Institute of New York University, say that people find biometric authentication systems such as retina scans "creepy."
Memon is looking for friendlier ways of authenticating identity, such as signing one's name on a small screen. He is also developing a technique that enables people to open an iPad by making an unlocking motion -- specifically, "turning" an image of a large combination lock using all five fingers. (See the New York Times video of him demonstrating it here.)
Do you think these evolutions to the password will make authentication easier, less annoying and more secure than the current system? Or do you think they will be just as risky and irritating?
photo: IBM Research - Zurich
Dec 25, 2011
Here are some ideas someone more ambitious than me may be able to get rich with. In order for this to really happen, it's going to have to be universally known, accepted, standardized, trusted, and affordable. That's impossible, at least in a single device. On top of that, no one will ever agree on what's best. Real ID? Voice? Retina, etc... Not all services people need to authenticate with require DOD level concern either, nor should they. So- here's the idea: standardize one side of a device, say with USB- and vary the other side. Let them get built into keyboards, cell phones, etc. where they can be. Multi-factor authentication is frequently additive if not multiplicative in enhancing security. Different factors could have a "score" built into the standard, which would indicate the resistance to compromise. Services wouldn't have to have any allegiance to a particular factor or factors- they could set a minimum total score needed. Once authenticated, the client could optionally increase the minimum if they choose. How to have a standard though- in a world where premier security firms still get compromised themselves? Private interests I'm afraid tend to corrupt truth in scoring due to their inevitable bias. Scoring must be done (and continually re-evaluated) independently- if not with government funding behind it, with great scrutiny at least. Given the cost of compromises on both ends, perhaps tax incentives should be granted for services meeting greater security metrics. It might be the only way to lure the Facebooks and Googles to lead the practice and implementation of the standard. Once a few big players are lured, so too are the bulk of customers they carry with them. More innovative factors are also needed. Card swipes, retinal scans, finger/voice prints- all good. But they need to be built right into our interfaces eventually... keyboards, mice, monitors, etc.
I'd love it if I received 12 tiny RFID tags per year, each only functional for a given month, which I could then transparently paint on to my fingernail. It's got the benefits of an injectable without the creepiness. I get to work, stick my finger in the hole in my keyboard and say hello, and I can log in. I use my finger, voice, and real ID card and I can buy a stereo online or access my banking records. My officemate nearby accomplishes the same tasks with all different factors that sum the same. You get the idea. Customers like me, at least, wouldn't even need the increased security incentive- if it was more convenient at the same time. Marry the two though, and you've got a sure winner.
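The commenter's additive scoring scheme, combined with the article's caveat that a leaked biometric cannot be reissued, as an added example (not from the article or the commenter). The factor names and score values are constructed for illustration; in the proposed scheme an independent body would publish them.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

# Constructed scores: each value stands for a factor's resistance to compromise.
FACTOR_SCORES = {"password": 1, "sms_code": 2, "rfid_nail_tag": 2,
                 "voice": 2, "retina": 4, "real_id": 3}
# A leaked biometric cannot be replaced, so compromise of one is permanent.
BIOMETRIC = {"voice", "retina"}


@dataclass
class Presented:
    factor: str
    valid_until: Optional[date] = None  # e.g. a tag that works for one month only


@dataclass
class Policy:
    service_minimum: int                 # floor the service requires
    user_minimum: int = 0                # floor the user raised after enrolling
    compromised: Set[str] = field(default_factory=set)

    def minimum(self) -> int:
        return max(self.service_minimum, self.user_minimum)


def evaluate(policy: Policy, presented: List[Presented], today: date) -> Tuple[bool, int]:
    """Sum the scores of usable factors and compare against the effective minimum."""
    total, counted = 0, set()
    for p in presented:
        if p.factor not in FACTOR_SCORES or p.factor in counted:
            continue  # unknown factor, or the same factor shown twice, adds nothing
        if p.factor in policy.compromised:
            continue  # a leaked factor is worth zero until it is reissued
        if p.valid_until is not None and today > p.valid_until:
            continue  # an expired factor (last month's tag) is worth zero
        counted.add(p.factor)
        total += FACTOR_SCORES[p.factor]
    return total >= policy.minimum(), total


def report_compromise(policy: Policy, factor: str) -> bool:
    """Zero the factor for this user; return True when the loss is permanent."""
    policy.compromised.add(factor)
    return factor in BIOMETRIC


def reissue(policy: Policy, factor: str) -> bool:
    """Restore a replaceable factor (new password, new tag); biometrics cannot be restored."""
    if factor in BIOMETRIC:
        return False
    policy.compromised.discard(factor)
    return True
```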