The future of authentication: Biometrics, multi-factor, and co-dependency - Talk Mobile

Presented by Blackberry

Talk Mobile Security

The future of authentication: Biometrics, multi-factor, and co-dependency

by Rene Ritchie, Daniel Rubino, Kevin Michaluk, Phil Nickinson

For years, the password was as secure a means of authentication as we needed. Unless you were in charge of nuclear codes, a basic password of maybe a dozen characters was enough. The problem is, as the power of our computers increased, so did the power of the computers used by the database hackers and code crackers.

Today your basic password takes mere minutes, if not seconds, to break. A string of letters and numbers known only to you isn't enough to keep your accounts and devices secure. Anybody who offers guaranteed security is either lying to you or deceiving themselves about the strength of their systems.

In the future how are we supposed to keep all of our stuff safe and secure? Should we resort to the frustration of ever-changing two-factor authentication, or are our own biometrics the answer? Or can we use our devices to authenticate each other, creating a self-securing personal network?

Let's get the conversation started!

  1. Kevin: The glitchy hassle of multi-factor authentication
  2. Phil: In a world of biometric security, you are the password
  3. Rene: I can change my password; I can't change my eyeballs
  4. Daniel: My smartphone, my password

Kevin Michaluk CrackBerry

The glitchy hassle of multi-factor authentication

And that's just a single factor. A password. Something you know. These days, what with services getting hacked and devices getting lost or stolen, the trend is towards multi-factor. A token. Something you have.

You enter the something you know, the password, then an SMS message or an app generates a second code on something you have: the phone in your possession. That makes things way more secure, but it also makes them way more of a hassle.


The basis of multi-factor authentication is the multiple factors. There will almost always be a password or a PIN that remains constant - your baseline authentication standard. What makes it multi- (most often just two-step) is the addition of a second verification. That second verification can be pulled from a wide pool of sources. The most common is the secondary code, provided either via SMS to the account owner's mobile phone or directly through a secured authenticator mobile app. The idea being that your password can be hacked remotely, but getting the secondary code either requires a more extreme level of hacking of your mobile device, or the actual physical custody of said device. Other forms of multi-factor authentication involve the use of a dedicated code generator that is tied specifically to that account, a smartcard or USB token assigned to the user, or biometrics like iris or fingerprint scans. While a smartphone is convenient, that it communicates wirelessly to get the code opens a chink in the process. Disconnected physical devices and biometrics are much much harder to hack, at least remotely. But once you've lost physical security control, all bets are off anyway.

I, for one, use Google two-step authentication on my main Gmail account. After I enter my standard password, my phone is sent a text message with a unique authentication code that I then have to enter. As a person who travels a lot - logging in from different locations and computers and mobile devices - it can be a pain in the ass. There's nothing like being in New York and being asked for an SMS code that went to a phone sitting at home in Winnipeg.

More often than can be deemed a minor inconvenience, the SMS code is invalid, and it has to be requested again and again until one works. There's nothing like breaking or losing a phone, getting a replacement, and then trying to set up two-step authentication for Gmail, Dropbox, iTunes, and all the other stuff I use, again, from scratch.

I joke that I've made my accounts so secure even I can't get in, but it's really nothing to laugh about, especially for people who just need this stuff to work.

I don't turn it off because, overall, knowing I'm protected is worth it. But it's way too complicated and glitchy for way too many people. There's a reason I don't recommend it for the average person.

Make all the "first world problem" cracks you want, but as our phones become our ID cards and our wallets, as they start to authorize what we buy and authenticate who we are, the balance of security and convenience is critical. And we're just not there yet.

Michael Singer on educating end-users on security - Talk Mobile

You can put security layers in place, and they each have a chance at stopping something. But the end user, if they're fooled, can very quickly cut through all of them.

- Michael Singer / AVP Mobile, Cloud and Access Management Security at AT&T


Do you use multi-factor authentication for your accounts?




Phil Nickinson

In a world of biometric security, you are the password

There's a move afoot to rid the world of passwords. Don't worry, they're not going to go anywhere anytime soon, but some smart folks are hard at work at figuring out something better. The simplest and perhaps most important place for passwords on a mobile device is the lock screen. It's the first and best line of defense in keeping your phone — and the data it holds — out of someone else's hands.

Traditional unlocking mechanisms have been used in all of the platforms, but Google was the first to toy with something different. Starting with Android 4.1 Ice Cream Sandwich, you could set your phone to unlock only when it sees your face. The feature was considered "experimental," which wasn't much consolation considering a printed photo of your face would work about as well as the real thing.

The iris scan

Commonly and mistakenly called a "retina scan", the eye-scanning technology that still seems to most to be the realm of near-science fiction is in fact an iris scan. Your iris - the colored part of your eye that controls the aperture to which your pupil is opened, and thus how much light reaches your retina on the back of your eyeball - has a unique pattern that can be mathematically defined. Unlike fingerprints, a human's iris cannot be altered without enduring significant injury.

Two systems are used to scan the iris: visible wavelengths and near infrared. Most scanners are of the near infrared variety, which works better with the dominant darker irides of humans. Visible wavelength scanners can reveal richer detail and are harder to fool thanks to the excitation of melanin in the iris, but are prone to interference from reflections. Researchers are exploring combining the two systems for enhanced accuracy.

While iris scanners can operate at up to a few meters distant with sufficient sensor resolution, their cost has proven to be prohibitive in widespread adoption. Iris scanners are used at all border entry points by the United Arab Emirates, in the US and Canada for the NEXUS low-risk air traveler program, at Google's data centers, and by a few municipal police departments around the world, including New York City.

But that does show you the direction things will be moving. We've seen an evolution of that technology that requires eyes to blink (try doing that with a photo). Or maybe it'll require you to smile or make a goofy face.

But what's more likely is that we'll see a combination of biometrics and traditional passwords. Your phone silently looks to see if you're the one trying to unlock it. If it recognizes your face — or maybe your voice, or maybe your fingerprint or subcutaneous capillary pattern through a sensor on the back of a phone or tablet — it skips a secondary password. If it's not sure, you'll be back to entering a PIN, swiping a pattern, or something more robust.

We've seen biometrics in movies for decades. Fingerprints. Palm prints. Voice ID. Iris scans. They're in use in high-security areas today, for sure. We've had fingerprint scanners on a few phones before, but they've faded away after the feature failed to achieve must-have status. We've played around with facial recognition.

But biometrics in and of themselves have the same basic flaw of traditional passwords — they're a single point of failure. We'll see increased use, but it should always be in tandem with other security measures.


Would you be comfortable using biometric authentication?



Rene Ritchie iMORE

I can change my password; I can't change my eyeballs

"Voice print verified." It used to be the stuff of movies - back when computers were command-line, monitors glowed green, and even a short sequence of numbers was an almost uncrackable password.

Now Android verifies identity with your face. The Xbox One will listen for your voice, read your heartbeat, and even sense your mood. Apple's rumored to be building a fingerprint scanner into an iPhone.

Passwords were mostly things we knew - they could be forced or tricked from us, guessed, hacked, or otherwise compromised. At their best, they were gnarly strings of pseudo-random characters whose complexity, it was hoped, made them too difficult to be broken in a universe without quantum computing.

Now "passwords" can also be things we have. Never mind access cards, phones, or other dongles, they can be biometrics. They can be parts of our bodies.

How would we change our eyes, our thumbprint, or our capillary pattern, if that ever got compromised?

Thumb and iris scans are some of the most commonly seen, at least on TV and in movies. What happens if, or when, those are compromised? The imaginative folks in Hollywood have shown us everything from prosthetics to chopped-off hands and gouged-out... okay, this is getting grisly.

It seems like a week doesn't go by without some website or app announcing a breach and advising us to change our password. Changing a bunch of letters, numbers, and symbols is easy enough. How would we change our eyes, our thumbprint, or our capillary pattern, if that ever got compromised?

The answer seems to be not storing any actual biometric data that can be hacked, but storing something based on the biometric data that can't be reverse engineered, but could be changed to some other thing based on the same data if and when it's hacked.

Fingerprint busted

Like any form of authentication, fingerprint scanners are susceptible to fooling. The Discovery channel series Mythbusters tackled fooling fingerprint scanners in a 2006 episode. Hosts Kari Byron and Tory Belleci were tasked with tricking a fingerprint scanner into believing that they were fellow Mythbuster Grant Imahara.

After obtaining a clean copy of Imahara's fingerprint from a jewel CD case (despite his knowing about their mission and taking steps to clean up his fingerprints), Byron and Belleci made three copies of the fingerprint - one etched into latex, another made of Mythbusters favorite ballistics gel, and one merely of the pattern printed onto a piece of paper.

Tested against both an optical scanner and one that was touted to be "unbeatable" thanks to its ability to detect temperature, pulse rates, and skin conductivity, all three methods were able to fool the scanners when wetted with a lick. Even the paper.

Technology, well implemented, could mean this will never be a problem. But how often have we learned technology we thought well-implemented turned out to be no such thing? Is it even possible to make something reverse engineering-proof?

Science fiction is again becoming science fact, but the one thing that isn't changing is us. It's our responsibility to make sure that before we give over our irises and thumbs and skeletons, we make sure, to the limits of our ability to inform ourselves, that it's being done securely, and in a way that prevents any of our actual biometric data from being compromised even if the system and our informational data is.


Talk Mobile Survey: The state of mobile security

Daniel Rubino

My smartphone, my password

Probably one of the most creative uses for modern smartphones is their inclusion as an authentication token for other devices. That may sound weird at first, but when you think about it, it makes a lot of sense. After all, these are essentially networked mini-computers we are carrying around with us practically all the time, so why not put that computational power to work for security purposes?

Companies like Microsoft and Google have both jumped on this bandwagon recently with their two-factor authentication systems. With an app on your phone (e.g. Authenticator by Microsoft), users can securely generate unique one-time passwords as a second-level password for accessing their accounts. It's one extra step, but it's using hardware you'll have with you anyway.

NFC (Near-field communication) is another potential technology that could be utilized for security purposes. It's not hard to imagine a scenario where you unlock your PC by tapping your smartphone against the computer (or even your car or home), making a brief and instant NFC-verification connection.

Interior access

For centuries, the tumbler lock has been the primary means of securing one's home. While there are deadbolts and security chains, the lock is the only one that you can access from the outside, and thus the one that is employed when you're away.

The lock is finally undergoing a revolution in the 21st century thanks to the advent of secure wireless technologies. The first implementations were with RFID chips, which the owner could carry on a card, their keychain (how quaint), or even as a small chip embedded in their arm (less quaint).

More recently, communicative locks have taken hold. The Kevo by Unikey and the recently-crowd-funded Lockitron systems are designed to work over Bluetooth 4.0 and Wi-Fi, allowing the owner to unlock the door by merely approaching it - even with their phone in their pocket or purse. A number of NFC door locks exist, and the ShareKey Android app made by the Fraunhofer Institute allows compatible Android devices to unlock doors merely by touching the phone to the lock. ShareKey can even be used to grant temporary access to other people.

The only thing that seems to be holding this idea back are companies that still haven't embraced NFC - a technology which while impressive, may still not be ideal. NFC can't transfer much data itself - more often devices have to fall back to Bluetooth or Wi-Fi for more data, which means more complexity. There are some NFC security products out there, including door locks with integrated NFC.

While authenticating one device with another may prove to be less convenient than a one-pass security system, in 2013 such steps are increasingly becoming necessary to protect both your devices and the data that is stored on or accessible through them. Our bet (and hope) is that when the industry lands on a standard for multi-device authentication, e.g. using your smartphone to unlock your computer, these practices will quickly become the norm, or at least not unusual.

The biggest and most frustrating downside? Forgetting your smartphone at home may be even more anxiety-inducing than it is now.


Would you use your smartphone to secure your computer, home, or car?
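The one-time codes Kevin and Daniel describe above, when they come from an authenticator app rather than an SMS, are normally time-based one-time passwords (TOTP, RFC 6238): the phone and the server share a secret at enrollment and each derives the current code from that secret and the clock, so nothing has to be sent to the phone at login. The following Python is an added example written for this page; it is not code from the article or from Microsoft's or Google's authenticator apps. It uses the RFC 6238 reference seed as the shared secret, and the one-step clock-skew window and the last-used-counter replay check are policy assumptions of the example, not something the article specifies.

```python
"""TOTP (RFC 6238) generation and server-side verification.

Added example for this page; not code from the article or from any vendor's
authenticator app. The shared secret is the RFC 6238 reference seed; the
skew window and the replay check are policy assumptions of this example.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30   # seconds per code (RFC 6238 default)
DIGITS = 8       # RFC 6238 test vectors use 8 digits; most apps use 6
SKEW_STEPS = 1   # also accept the previous and next step (assumption)

# RFC 6238 reference seed, ASCII "12345678901234567890", stored the way an
# authenticator app receives it: base32 text inside the enrollment QR code.
RFC_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / TIME_STEP).
    This is what the phone computes; no network round trip is involved."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, unix_time // TIME_STEP, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                last_used_counter: int = -1, skew_steps: int = SKEW_STEPS,
                digits: int = DIGITS) -> Optional[int]:
    """Server-side check. Returns the matched counter, or None.

    Tries the current step and +/- skew_steps neighbours, so a code typed as
    the step rolls over, or generated on a phone whose clock drifts a little,
    is still accepted. Any counter at or below last_used_counter is refused,
    so a code observed in transit cannot be replayed inside the window. The
    string comparison is constant-time."""
    secret = base64.b32decode(secret_b32, casefold=True)
    base = unix_time // TIME_STEP
    for delta in range(-skew_steps, skew_steps + 1):
        counter = base + delta
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: T=59 with the SHA-1 seed gives 94287082.
    print("T=59 ->", totp(RFC_SEED_B32, 59))
    # The same code is still accepted one step later, but not as a replay.
    print("accepted at T=89:", verify_totp(RFC_SEED_B32, "94287082", 89))
    print("replay refused:", verify_totp(RFC_SEED_B32, "94287082", 89,
                                         last_used_counter=1))
    print("now ->", totp(RFC_SEED_B32, int(time.time()), digits=6))
```

Because the code depends only on the secret and the clock, the phone never has to receive anything, which is what removes the "code went to a phone at home in Winnipeg" failure Kevin describes (though it does nothing for the lost-phone case: the secret has to be re-enrolled on the replacement). The skew window is what keeps a code typed at the moment the 30-second step rolls over from being rejected as invalid; the last-used-counter check is what keeps a code that was shoulder-surfed or phished from being accepted a second time within that window.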



The future of user authentication will almost surely rely on the external. No longer will it be a string of characters used to verify your right to access the content; it'll be systems that verify that you are in fact who the password says you are.

Biometric authentication has been around for ages, from thumbprint scanners to iris verification and capillary scans (looking at the blood vessels under your skin). Today's devices, both mobile and stationary, are equipped with more sensors than ever before. It's not unreasonable to think that they'll be equipped with more scanners in the coming years and that those sensors will be able to verify our identities.

It's safe to assume that biometrics will be just one layer of a secured computing existence. Multi-factor authentication can be expected to play a bigger role as well, either through the service providing a unique second code to a second device for the user to enter, or the second device itself being the verification. Physical possession of the user's complete device ecosystem becomes consent.

Is there a better way? Are we compromising too much convenience in the name of security? Or will the criminals always just find a way?

Talk Mobile