The future of authentication: Biometrics, multi-factor, and co-dependency
by Rene Ritchie, Daniel Rubino, Kevin Michaluk, Phil Nickinson
For years, the password was as secure a means of authentication as we needed. Unless you were in charge of nuclear codes, a basic password of maybe a dozen characters was enough. The problem is, as the power of our computers increased, so did the power of the computers used by the database hackers and code crackers.
Today your basic password takes mere minutes, if not seconds, to break. A string of letters and numbers known by just you isn't enough to keep your accounts and devices secure. Anybody who offers guaranteed security is either lying to you or deceiving themselves about the strength of their systems.
In the future how are we supposed to keep all of our stuff safe and secure? Should we resort to the frustration of ever-changing two-factor authentication, or are our own biometrics the answer? Or can we use our devices to authenticate each other, creating a self-securing personal network?
There’s a constant battle going on in all of our lives between security and convenience. Having long, 64-character pseudo-random passwords on mobile would be really secure, but the mere thought of trying to remember and enter one on a mobile device, especially a new mobile device with only a touchscreen, makes me want to cry.
And that’s just a single factor. A password. Something you know. These days, what with services getting hacked and devices getting lost or stolen, the trend is towards multi-factor. A token. Something you have.
You enter the something you know, the password, then an SMS message or an app generates a second code on something you have: the phone in your possession. That makes things way more secure, but it also makes them way more of a hassle.
I, for one, use Google two-step authentication on my main Gmail account. After I enter my standard password, my phone is sent a text message with a unique authentication code that I then have to enter. As a person who travels a lot - logging in from different locations and computers and mobile devices - it can be a pain in the ass. There’s nothing like being in New York and being asked for an SMS code that went to a phone sitting at home in Winnipeg.
More often than can be deemed a minor inconvenience, there's an SMS code that’s invalid, and it has to be requested again and again until one works. There’s nothing like breaking or losing a phone, getting a replacement, and then trying to set up two-step authentication for Gmail, Dropbox, iTunes, and all the other stuff I use, again, from scratch.
I joke that I’ve made my accounts so secure even I can’t get in, but it’s really nothing to laugh about, especially for people who just need this stuff to work.
I don’t turn it off because, overall, knowing I’m protected is worth it. But it’s way too complicated and glitchy for way too many people. There's a reason I don't recommend it for the average person.
Make all the "first world problem" cracks you want, but as our phones become our ID cards and our wallets, as they start to authorize what we buy but authenticate who we are, the balance of security and convenience is critical. And we’re just not there yet.
You can put security layers in place, and they each have a chance at stopping something. But the end user, if they're fooled, can very quickly cut through all of them.
- Michael Singer / AVP Mobile, Cloud and Access Management Security at AT&T
Phil Nickinson, Android Central
In a world of biometric security, you are the password
There’s a move afoot to rid the world of passwords. Don’t worry, they’re not going to go anywhere anytime soon, but some smart folks are hard at work at figuring out something better. The simplest and perhaps most important place for passwords on a mobile device is the lock screen. It’s the first and best line of defense in keeping your phone — and the data it holds — out of someone else’s hands.
Traditional unlocking mechanisms have been used on all of the platforms, but Google was the first to toy with something different. Starting with Android 4.1 Ice Cream Sandwich, you could set your phone to unlock only when it sees your face. The feature was considered “experimental,” which wasn’t much consolation considering a printed photo of your face would work about as well as the real thing.
But that does show you the direction things will be moving. We’ve seen an evolution of that technology that requires eyes to blink (try doing that with a photo). Or maybe it’ll require you to smile or make a goofy face.
But what’s more likely is that we’ll see a combination of biometrics and traditional passwords. Your phone silently looks to see if you’re the one trying to unlock it. If it recognizes your face — or maybe your voice, or maybe your fingerprint or subcutaneous capillary pattern through a sensor on the back of a phone or tablet — it skips a secondary password. If it’s not sure, you’ll be back to entering a PIN, swiping a pattern, or something more robust.
We’ve seen biometrics in movies for decades. Fingerprints. Palm prints. Voice ID. Iris scans. They’re in use in high-security areas today, for sure. We’ve had fingerprint scanners on a few phones before, but they've faded away after the feature failed to achieve must-have status. We’ve played around with facial recognition.
But biometrics in and of themselves have the same basic flaw of traditional passwords — they’re a single point of failure. We’ll see increased use, but it should always be in tandem with other security measures.
I can change my password; I can’t change my eyeballs
"Voice print verified." It used to be the stuff of movies - back when computers were command-line, monitors glowed green, and even a short sequence of numbers was an almost uncrackable password.
Now Android verifies identity with your face. The Xbox One will listen for your voice, read your heartbeat, and even sense your mood. Apple's rumored to be building a fingerprint scanner into an iPhone.
Passwords were mostly things we knew - they could be forced or tricked from us, guessed, hacked, or otherwise compromised. At their best, they were gnarly strings of pseudo-random characters whose complexity, it was hoped, made them too difficult to be broken in a universe without quantum computing.
Now “passwords” can also be things we have. Never mind access cards, phones, or other dongles, they can be biometrics. They can be parts of our bodies.
Thumb and iris scans are some of the most commonly seen, at least on TV and in movies. What happens if, or when, those are compromised? The imaginative folks in Hollywood have shown us everything from prosthetics to chopped-off hands and gouged-out... okay, this is getting grisly.
It seems like a week doesn’t go by without some website or app announcing a breach and advising us to change our password. Changing a bunch of letters, numbers, and symbols is easy enough. How would we change our eyes, our thumbprint, or our capillary pattern, if that ever got compromised?
The answer seems to be not storing any actual biometric data that can be hacked, but instead storing something derived from the biometric data that can’t be reverse engineered, yet could be replaced with a different derivation of the same data if and when it’s hacked.
Technology, well implemented, could mean this will never be a problem. But how often have we learned technology we thought well-implemented turned out to be no such thing? Is it even possible to make something reverse engineering-proof?
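The idea of a replaceable, one-way derivation of biometric data is what the research literature calls a cancelable template. The following is an added illustration, not code from the article or from any shipping product: a simplified BioHashing-style scheme in which a per-user secret seed drives a random projection of a feature vector and only the sign pattern is stored. The feature vectors, seeds and the Hamming threshold are all constructed for the example; real systems extract features from a sensor and tune thresholds on real error rates.

```python
import hashlib
import random

# Cancelable template (BioHashing-style, simplified for illustration): a
# user-specific secret seed drives a random projection of the feature vector,
# and only the sign of each projection is stored. Re-enrolling with a new seed
# yields an unrelated template, so a leaked template can be revoked without
# the user needing new fingers or irises. Caveat: the seed must be stored
# apart from the templates; with both, an attacker can learn about the features.

FEATURE_DIM = 32
TEMPLATE_BITS = 128
MATCH_THRESHOLD = 24  # max Hamming distance accepted as "same person" (constructed)

def projection_matrix(seed: bytes, dim: int = FEATURE_DIM, n_bits: int = TEMPLATE_BITS):
    """Derive a pseudo-random Gaussian projection deterministically from the seed."""
    rng = random.Random(int.from_bytes(hashlib.sha256(seed).digest(), "big"))
    return [[rng.gauss(0.0, 1.0) for _ in range(dim)] for _ in range(n_bits)]

def make_template(features, seed: bytes) -> int:
    """Project the feature vector and keep one bit per projection: its sign."""
    bits = 0
    for row in projection_matrix(seed, len(features)):
        dot = sum(w * f for w, f in zip(row, features))
        bits = (bits << 1) | (1 if dot > 0 else 0)
    return bits

def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")

def matches(stored: int, probe_features, seed: bytes) -> bool:
    """Re-derive the template from a fresh (noisy) sample and accept if it is
    within the Hamming threshold of the stored one."""
    return hamming(stored, make_template(probe_features, seed)) <= MATCH_THRESHOLD

# Constructed sample data: a "genuine" feature vector, a noisy re-capture of it,
# and an unrelated impostor. A real system would extract these from a sensor.
_rng = random.Random(2013)
GENUINE = [_rng.uniform(-1, 1) for _ in range(FEATURE_DIM)]
GENUINE_RECAPTURE = [f + _rng.uniform(-0.05, 0.05) for f in GENUINE]
IMPOSTOR = [_rng.uniform(-1, 1) for _ in range(FEATURE_DIM)]

SEED_V1 = b"per-user-seed-v1"  # constructed; kept apart from the template store
SEED_V2 = b"per-user-seed-v2"  # issued when the v1 template is considered leaked

def demo() -> dict:
    t1 = make_template(GENUINE, SEED_V1)
    t2 = make_template(GENUINE, SEED_V2)
    return {
        "genuine_accepted": matches(t1, GENUINE_RECAPTURE, SEED_V1),
        "impostor_rejected": not matches(t1, IMPOSTOR, SEED_V1),
        "old_vs_new_distance": hamming(t1, t2),  # about half of 128: unrelated
    }
```

Running `demo()` shows the three properties the paragraph asks for: a noisy re-capture of the same person still matches, an impostor does not, and the same body re-enrolled under a new seed produces a template that looks nothing like the old one.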
Science fiction is again becoming science fact, but the one thing that isn’t changing is us. It’s our responsibility, before we hand over our irises and thumbs and skeletons, to make sure, to the limits of our ability to inform ourselves, that it’s being done securely, and in a way that prevents any of our actual biometric data from being compromised even if the system and our informational data are.
Daniel Rubino, Windows Phone Central
My smartphone, my password
Probably one of the most creative uses for modern smartphones is their inclusion as an authentication token for other devices. That may sound weird at first, but when you think about it, it makes a lot of sense. After all, these are essentially networked mini-computers we are carrying around with us practically all the time, so why not put that computational power to work for security purposes?
Companies like Microsoft and Google have both jumped on this bandwagon recently with their two-factor authentication systems. By having an app on your phone (e.g. Authenticator by Microsoft), users can securely generate unique one-time passwords as a second level of authentication for accessing their accounts. It's one extra step, but it's using hardware you'll have with you anyway.
NFC (Near-field communication) is another potential technology that could be utilized for security purposes. It’s not hard to imagine a scenario where you unlock your PC by tapping your smartphone against the computer (or even your car or home), making a brief and instant NFC-verification connection.
The only thing that seems to be holding this idea back is companies that still haven’t embraced NFC - a technology which, while impressive, may still not be ideal. NFC can't transfer much data itself - more often devices have to fall back to Bluetooth or Wi-Fi for more data, which means more complexity. There are some NFC security products out there, including door locks with integrated NFC.
While authenticating one device with another may prove to be less convenient than a one-pass security system, in 2013 such steps are increasingly becoming necessary to protect both your devices and the data that is stored on or accessible through them. Our bet (and hope) is that when the industry lands on a standard for multi-device authentication, e.g. using your smartphone to unlock your computer, these practices will quickly become the norm, or at least not unusual.
The biggest and most frustrating downside? Forgetting your smartphone at home may be even more anxiety-inducing than it is now.
The future of user authentication is almost surely going to rely on external factors. No longer will it be a string of characters used to verify your right to access the content; it'll be systems that verify that you are in fact who the password says you are.
Biometric authentication has been around for ages, from thumbprint scanners to iris verification and capillary scans (looking at the blood vessels under your skin). Today's devices, both mobile and stationary, are equipped with more sensors than ever before. It's not unreasonable to think that they'll be equipped with more scanners in the coming years and that those sensors will be able to verify our identities.
It's safe to assume that biometrics will be just one layer of a secured computing existence. Multi-factor authentication can be expected to play a bigger role as well, either through the service providing a unique second code to a second device for the user to enter, or the second device itself being the verification. Physical possession of the user's complete device ecosystem becomes consent.
Is there a better way? Are we compromising too much convenience in the name of security? Or will the criminals always just find a way?