As far back as 2004, Bill Gates was predicting the demise of the password.
In 2012, his prognostication might actually come true.
Researchers are working on ways to either eliminate the headache of having to remember a gazillion passwords, or to at least make passwords more secure.
The fundamental flaw of passwords is that no matter how long or complicated you make them, they will always open your device to whoever figures out the exact code. But future methods of authentication will not open the door to anyone with the key. They will — hopefully, at least — open the door only to you.
Several of the avenues being explored trade on recognizing “biometric” features, such as hand gestures, typing quirks, voices and more. IBM’s 2012 forecast predicts that passwords will become obsolete: “Biometric data — facial definitions, retinal scans and voice files — will be composited through software to build your DNA unique online password,” the company’s SmarterPlanet blog (no relation!) said.
However, these possible advances also come with risks: As the New York Times reports, “The most serious problem with biometrics, said Tal Be’ery, a senior Web researcher at Imperva, is that ‘once your digital biometric signature is compromised, you cannot even replace it.’”
Steps toward change
Here are some of the ways that passwords are already evolving:
- Banks are already using voice recognition software to supplement your PIN.
- Google is promoting a two-step log-in process that uses both a password and a code sent to your phone.
- Smartphones may soon be able to recognize their owners with a retina scan. Dozens of police departments across the country already employ a smartphone-based retina scanning technology that can run suspects against a criminal database. It hasn’t yet become available commercially due to privacy concerns and its $3,000 price.
- Several U.S. banks ask their customers to identify themselves not only with a PIN but also by reciting a two-second phrase to a computer over the phone. Even with a phrase as simple as “at my bank,” a million customers’ versions will still be unique.
- Phones running the latest Android software will unlock when they recognize the owner’s face — and unfortunately, when someone else shows the phone a photo of the owner’s face.
The last example demonstrates some of the pitfalls of biometric information. For instance a system based on voice recognition could be easily duped with a recording of the owner’s voice.
Recognizing you the way your dog recognizes you
Because of these risks, the government’s Defense Advanced Research Projects Agency (Darpa) is looking into other forms of authentication based on behaviors including the way people type or make other hand gestures.
Darpa has invited security researchers to investigate the way people use machines so their identity can be verified every instant: “for example, how the user handles the mouse and how the user crafts written language in an e-mail or document,” it explains on its Web site.
The military has a keen interest in making sure devices remain secure: It could help protect sensitive information if, for instance, a soldier’s laptop falls into enemy hands.
Darpa program manager Richard Guidorizzi, in a press release, explains how this method differs from the current password format:
“My house key will get you into my house, but the dog in my living room knows you’re not me. No amount of holding up my key and saying you’re me is going to convince my dog you’re who you say you are. My dog knows you don’t look like me, smell like me or act like me. What we want out of this program is to find those things that are unique to you, and not some single aspect of computer security that an adversary can use to compromise your system.”
However, others, such as Nasir Memon, a professor at the Polytechnic Institute of New York University, say that people find biometric authentication systems such as retina scans “creepy.”
Memon is looking for friendlier ways of authenticating identity, such as signing one’s name on a small screen. He is also developing a technique that enables people to open an iPad by making an unlocking motion — specifically, “turning” an image of a large combination lock using all five fingers. (See the New York Times video of him demonstrating it here.)
Do you think these evolutions to the password will make authentication easier, less annoying and more secure than the current system? Or do you think they will be just as risky and irritating?
photo: IBM Research - Zurich