Introduction and passwords
Could one of the most hated aspects of the internet – the alphanumeric password – soon be replaced? A revolution that's going to start with the fingerprint scanners already in high-end smartphones, the shift from passwords to biometrics will mean the popularising of voice authentication, facial recognition, ear-print authentication, retina scans and more.
All of that will require new hardware, such as fingerprint scanners, though since most high-end smartphones now come with fingerprint scanners built-in, expect a swathe of apps. In fact, Juniper Research predicts that over 770 million biometric authentication apps will be downloaded each year by 2019, up from just six million this year. In short, the days of alphanumeric passwords in the smartphone market appear to be numbered.
Do people want to use biometrics?
Whether the introduction of fingerprint scanners in banks, in shops and on desktops happens quickly en masse is doubtful – it's expensive technology to introduce on a massive scale – but there is a demand for something other than passwords.
A report in January by Visa Europe revealed that three-quarters of 16 to 24-year-olds would feel comfortable using biometric security, 69% believe it will be faster and easier than passwords and PINs, and half of young people foresee the death of passwords by 2020. This so-called Generation Z is also the demographic that has the most liberal attitudes to passwords; over a third have shared their debit or credit card PIN number with someone else.
"We have more logins and passwords than ever to help keep us secure online and on the high street, but for Gen Z it just feels like an unnecessary burden," says Jonathan Vaux, Executive Director at Visa Europe, who challenged banks to quicken the pace of development on biometrics.
"Consumers are keen to shun passwords entirely in favour of biometrics as an easy and secure way to keep their data safe," adds Silvio Kutic, CEO of mobile services and SMS messaging provider Infobip.
Is the alphanumeric password dead?
So biometrics will be welcomed, but does that necessarily mean the death of the password? "Not in the slightest," says François Amigorena, CEO of infrastructure and security management solutions software company IS Decisions, whose customers include the FBI, the United Nations and Barclays.
"Passwords are still the primary security method used the world over, but like any good security practice, they shouldn't be used in isolation … biometrics is another security layer that, when coupled with passwords, provides a layered wall of protection."
Not everyone is so forgiving. "The traditional password, if not dead, should be killed," says TK Keanini, CTO at network visibility and security intelligence company Lancope. "Proactively, we should all demand better and more modern methods of authentication – the inherent problem is that human memory has limits that will always keep this type of password weaker than other methods."
Why computers love passwords
Humans might hate passwords, but computers love them; there is only one correct answer. "With biometrics, there is no 'right' answer – it's impossible to be 100% accurate with a fingerprint measurement, there are only degrees of accuracy – is this 99% likely a match, or 95%?" says Garrett Bekker, Senior Analyst, Information Security at 451 Research. "How do you define the acceptable threshold of accuracy? Do you set the threshold at 99% and risk rejecting users incorrectly?"
IT staff also love passwords. "Old habits die hard in security … passwords are relatively inexpensive and most people are familiar with them," Bekker observes. "It will take years to replace them." He doesn't buy the 'convenience' claim for biometrics, either, stating that, "the stronger and more secure (authentication technology is), the more expensive and inconvenient it is to use."
He also points out that using a fingerprint scanner outside in the winter while wearing gloves wouldn't be easy, and nor would a voice authentication system cope well if you had a sore throat.
Biometrics usage and challenges
Where will biometrics be used first?
"Biometrics have enjoyed explosive growth in Asia and it won't be long before it becomes the norm in Britain where novelty, combined with increased security benefits, mean it will have instant appeal," says Ron Kalifa, Deputy Chairman of Worldpay. "All it will take is the adoption by one major bank or retailer to reach the tipping point."
Could that tipping point come from Apple? By combining its exclusive Touch ID authentication technology with tokenisation in NFC payments, Apple Pay could be the catalyst for a flood of biometric applications based on the fingerprint scanners in smartphones.
"With a service like Apple Pay the user is able to choose exactly how they authorise payments, be it a passcode or through biometrics," says Chris Wade, Head of Strategy and Product Management at payment solutions provider Sage Pay. "Even if the device is lost, the data cannot be accessed, thanks to Apple Pay's biometric capabilities. As an added layer of security, Apple Pay also employs tokenisation of the card details through the merchant's POS solution."
The standards governing this technology are actually pretty fluid – Apple will use the fingerprint scanner in the iPhone, but other smartphone manufacturers are free to use, say, facial recognition as the method of identification.
Banking and payments is the obvious first step for biometrics; Hitachi's finger vein ID hardware is being used in Europe and also by Barclays in the UK. Finger vein biometrics is the scanning of the unique structure of blood vessels inside fingers, which keeps the biometric info private. The tech is being trialled at ATMs, branches and for internet banking payments.
What challenges does biometrics bring to IT?
Biometrics isn't cheap, it's a big project to roll-out, and it's by no means fool-proof. "For the IT department specifically, biometrics is an extra security measure they have to manage on top of the growing trends of cloud, mobility, social media, BYOD and more," says Amigorena. "Many IT departments' resources are stretched as they are, so they'll have to find a way to become more efficient to be able to accommodate the new technology."
Keanini thinks that the bigger problem is spreading the word. "The big challenge for IT is making sure there is vendor support in the infrastructure for enterprise-wide biometric multi-factor authentication. Things are better but so many services are still without this support."
Biometrics could also save IT staff time. "The cost of support increases with user ID and password complexity as IT support staff may need to spend extra time dealing with authentication problems," says Dr. Kevin Curran, Senior Member of the IEEE, "such as helping staff reset passwords that are locked after a certain number of failed entry attempts."
Will voice authentication follow?
Absolutely, starting with banks. "Voice biometrics can form a key part of strong triple-factor authentication which cannot be replicated," says Seb Reeve, Nuance's director of product management. "Banks are able to combine something unique to the individual – their voice print – with something they know, such as a set phrase or question, and an identifier based on a device or IP address, to offer very robust security."
No authentication technology is infallible, but voice biometrics are "immune to large-scale security breaches" says Reeve. "Real-world deployment of voice biometrics has shown that authentication success rates tend to be 95-99% despite all of the environmental and personal conditions that exist in everyday life, such as noise and illness," he says. "These success rates are far higher than the existing technologies and there is always an option to pass identity and verification to a human agent if the voice print isn't identified straight away."
Security considerations
How secure are biometrics?
Not completely – it's not an easy task. "People's faces change over time so facial recognition must be able to account for that," says Amigorena. "But ears are strangely consistent in that they don't change shape with age or different facial expressions."
There are other 'sources of potential error', too. "Voice has to be measured against both the ambient background … fingerprints taken when the finger is flat will be different when misaligned, wet, dirty or practically frozen (and) facial characteristics checked with glasses will be different with sunglasses, no glasses, and colour of the ambient light," says Curran.
The possibility of such errors means that biometrics algorithms build in to their calculations both 'false acceptance' and 'false rejection'. "If this is not managed and measured properly, it can lead to a bad user experience which has been a problem with commercialisation of such technologies in the past decade as they seek to achieve the elusive 100% accuracy rate." The elusive 'bond of trust' is the objective.
"Android introduced facial recognition to unlock phones, but it was easily subverted with a picture of the subject – such as from their social network accounts – and so was updated to require blinking," says Dr Dave Chismon, security consultant for MWR Infosecurity. "This could still be fooled by a video or photo made to appear to blink. As such, Android indicates that this mechanism is low security."
"If hackers develop ways to bypass biometric security, and this is all that stands between them and a wealth of personal data, then the solution is no better than existing passwords," says Kutic, who thinks that one layer of security is never enough.
"Multi-factor authentication such as SMS-based 2FA can add a much needed extra level without impacting user experience," he says. "It requires no more than a mobile phone of any type or generation to add this extra layer of security through global SMS connectivity to deliver one-time PINs."
Can biometrics be hacked?
Yes – as proved recently when Jan Krissler used photos of German Defence Minister Ursula von der Leyen's fingers to reverse-engineer her fingerprints. "Unlike passwords, biometric data that has been stolen cannot be changed – you cannot replace your stolen fingerprints with a new set," says Guillaume Desnoes, Head of European Markets at password manager software firm Dashlane, who calls biometrics an "unlikely successor" to passwords. "Even worse, if all of your accounts were protected by the same stolen biometric information, they would all become vulnerable simultaneously."
Passwords are easy to forget, far too numerous, and getting more complicated; there's a growing need for multiple layers of security. But are biometrics the answer? Unproven, untested and certainly not immune from security breaches, biometrics have potential to be a part of future security systems, but no single technique will dominate.
The answer is multimodal-biometrics, where a system will use a list that could include "finger, face, retinal scan, iris, gait, vein infrared thermogram, hand geometry and palm print, or a combination of all these identifiers," says Curran. "Full three factor authentication, when combined with a device ID, allows enterprises to easily combine 'what we have' and 'what we know' with the all-important 'who we are', thereby integrating a core benefit to future security systems," he adds.
Will we soon be logging on to Facebook on our phones or getting past company security using our face? Probably, but sometimes it's also going to scan our eyes, take a thumbprint and, yes, ask us for a password, too.
The password is dying: identity management in the modern age