So Long, Passwords: What Will it Take for Us To Entrust Our Security to Biometrics?

By Krissy Eliot

Passwords and humans are frenemies: We tolerate each other because we have to, but we seem to know that one will screw the other over sooner or later (as evidenced by the many security breaches of 2015). Managing our password portfolio is more maddening than ever, given that more than half of us have five or more unique passwords, and nearly a third of us have more than 10.

Little wonder a 2012 study revealed that 38 percent of us say we would rather scrub a toilet than create and remember yet another username or password.

In a desperate attempt to extricate the often-insecure numeric- and letter-based passwords from our lives, some have embraced biometrics. Apple added fingerprint authentication to the iPhone 6, Samsung deployed a facial recognition feature on its Galaxy smartphone, and Nuance began using voice alone for identification. But already these biometrics have proved themselves vulnerable, with hackers copying fingerprints and bypassing facial recognition by holding victims’ photos in front of the devices. And researchers warn that voice imitation is easy to master, especially because we frequently speak out loud in public.

Nonetheless, specialists are racing to improve these avant-garde technologies. As a result, market researchers predict that biometrics will soon be the new black, with half of us accessing mobile devices biometrically by 2020.

But do such predictions really mean much?

“So some people think biometrics are going to be widespread soon. Forgive me if I’m a little cynical, but I’ve been hearing this since the 1970s, and I’m still waiting,” said James Wayman, who invented biometric authentication based on acoustic resonance in the human head, a project he carried out for the U.S. Defense Department. Currently he is honorary professor of biometrics at the University of Kent in Canterbury, England.

Wayman cited studies from the 1970s, in which researchers forecasted that fingerprints would largely displace passwords by 1980, and voice and facial-feature recognition would be commonplace everywhere by 1985. Clearly, that didn’t happen—and the technology has been around for quite a while now.

For biometrics to truly dislodge passwords, a different approach is necessary to make them more secure. UC Berkeley School of Information professor John Chuang thinks a solution to this problem may lie in one-stop-shop biometrics—that is, multi-factor authentication achievable with one biometric passcode.

Chuang is known for his work with passthoughts, which allow people to put on a headset, picture specific thoughts in their minds, and unlock accounts using only their brains. What makes passthoughts different from a simple fingerprint or a face scan is that they encode a combination of both inherent electrical brain signals (the brain signature) and the specific thought a user imagines in his or her head.

“Traditional biometrics are difficult to change. They are one-factor authentication,” Chuang said. “Passthoughts involve both who you are (the brain that you have) and your secret that you choose to think while you’re performing the task.”

In essence, it’s very difficult for an attacker to mimic both the thought and the brain signature, especially when they’re recorded as one set of combined data. So in theory, biometric multi-factor authentication technologies such as passthoughts would be safer than the current one-factor biometric technologies.

To test this idea, Chuang did a study examining the possibility of an attacker successfully impersonating someone’s passthought, and he found impersonations were successful less than 5 percent of the time. Further research with more subjects is needed, but thus far the results are promising.

If you want to combine a traditional password with a biosignal to achieve true multi-factor authentication, brainwaves aren’t the only option. We could also use speech recognition technology that recognizes both the speakers’ voices and the passwords they’re saying. Typing technology is another alternative, in which a computer identifies someone’s unique typing patterns and password (something Coursera, a website for online schooling, is already implementing).

One of the most appealing things about one-stop-shop biometrics is that they don’t allow people to weaken the system by lazily relying on simple passwords that are easy to crack. They also eliminate the hassle of having to remember multiple passwords or go through too many steps to access an account.

Despite the pros, there are issues standing in the way of multi-factor biometrics. Passthoughts require a headset, which most people probably don’t want to wear to an ATM or to unlock a phone. Also, the current technology is still not affordable to the general public. The risks of storing sensitive unchangeable information, such as our brain signature or fingerprint, also need to be considered. History shows that hackers always find a way into the most secure systems—even the supposedly impenetrable highest levels of federal government.

Also, until recently, people outside the military or government organizations may not have grasped a need for biometric security. The trick to making these technologies popular in the private sector: Determine exactly where biometrics need to be used and how to make them as safe as possible, perhaps by storing fingerprints only on local devices that can’t be easily pilfered, or not deploying vocal recognition on machines such as ATMs in public spaces, where the speaker can be recorded. Even then, it all hinges on whether regular people think biometric security is worth their while.

“Fingerprint scanners were first placed on keyboards of personal computers in the 1990s. The technology has been around for 20 years, but you didn’t choose to buy it, and I didn’t either,” Wayman said. “So those fingerprint-scanning keyboards are still, in theory, available, but nobody really uses them. Because nobody figured out what they’d gain by using them.”

Perhaps one day multi-factor biometrics will become more reliable and popular, but until that day comes, traditional passwords rule—and humans must be extra careful about the secrets they entrust to their frenemies.

Comments

Hello, my name is A’Yahna. I am interested in the AAS dual degree program. I’d be leaving CSU Eastbay with a BA in Sociology and a Doctorate in Educational Leadership. This degree will influence me to run for President. And since I am African American, I feel this is a great start.
Yes it has been a journey testing password encryption…
Continue testing hackers vs. hackees.
