
AH Tech Talk: Wearable Devices Accelerate The End Of The Password, But Beware The Back Door

Passwords are an everyday phenomenon. We rely on passwords to gain access to many different systems and resources, from our computers to our coffee shop loyalty cards and everything in between. However, passwords and PIN codes are not especially secure. They’re also easily compromised or forgotten, and we have seen an entire cottage industry based around simplifying how we deal with passwords rapidly maturing. Many of these businesses are component suppliers to handset and tablet manufacturers and some will wind up becoming part of a larger business in due course.

The technologies used to simplify controlling access include biometrics, that is, using a unique and machine recognizable part of our body to verify our identity. This may include fingerprints, retinas, our face and voices. Many companies are working on bringing biometrics further into mainstream markets. The intention behind these devices is to remove the reliance on passwords and we may end up using our bodies as our passwords, just as we have seen in science fiction for decades. However, there are question marks over how secure biometrics really are compared with a traditional password.

By way of an example, we’ve already seen smartphones and tablets released with a fingerprint scanner. The technology is cute and easier to use than a PIN code. However, the fingerprint may be copied with enough time, effort and technology. Worse, if a fingerprint is compromised, it is impossible to change. At the present time, fingerprint scanner technology is best used as a second layer of protection at the local side of an arrangement. In other words, it’ll unlock actions for that device only, but the information won’t be copied back to a broader use account.

There are other biometric technologies being developed for consumer level devices. We’ve seen futuristic retina or iris scanners being showcased this year at the MWC. Many of the larger technology companies, such as Microsoft, Google and Apple, are providing support for such technology in current and next generation operating systems. They’re being met in the middle by a number of wearable devices, from smartwatches to fitness bands to smart dresses. Many of the existing wearables are acquiring more and more sensors in order to monitor us and this information could conceivably be used to help with our identification. This is very much an Internet of Things ideal, but it’s a novel way of reaffirming who we are and reducing the need to type in a password: it turns out that our heartbeat rhythm is just as unique as our fingerprint but far harder to duplicate. This is not as “beam me up, Scotty!” as you might think: Canadian company Bionym is working on their Nymi Band, currently in trials with a British bank.

The ideas are there and the technology is being developed, but what of the downsides? Password and access control systems are only as strong as the weakest link: there has to be some form of password recovery system in place. Currently, this often takes the form of an emailed link to reset a password and this needs to be secure, too. What happens if you lose your heartbeat band? Or if it is stolen by a stranger? Or what happens if a criminal tries to gain access to your account via the back door, that is, by stealing your account password using your recovery system? Once your account is compromised, the fingerprint and iris scans could be replaced with somebody else’s information and before we can whisper iCloud, your personal information is compromised.

Any change to how we manage our security will take years to arrive and for the time being, it seems that our current password security is going to continue to adopt another layer rather than a radical change. We’ll be able to use our fingerprint, voice, retina or heartbeat machine to aid in our identification, backed up by a password or email link process. We’re going to continue to need a way of confirming our identity, which may still rely on having a code mailed to our verified home address. It will likely take some time before behavioral biometric systems provide a viable identification system and until then, our data is just as vulnerable. As consumers, we need to be mindful that the promise of a super-secure device with our fingerprint is glossily painted over the same secondary, back-door security systems.