Cybersecurity breaches are now a regular headliner in today's news cycle. Behind the headlines, lies an unfortunate truth. Passwords are not the best way to secure online accounts. In fact, the 2014 Global Security Report from Trustwave found that weak passwords were a factor in 31 per cent of the breaches under investigation.
When you protect your personal or business accounts with a weak password or leave the default password in place, you're courting trouble and asking to get hacked. The good news is that there are several biometric options emerging to keep computer assets safe. And, as the technology gets easier and more reliable, consumers are increasingly willing to give them a try.
The future of authentication
Biometric technologies allow access based on unique and immutable characteristics about ourselves; ideally, characteristics that can't be stolen or easily faked. The goal with biometric security is to create an authentication system that provides more security, reliability and convenience for consumers than traditional passwords.
Although this may seem to be the stuff of spy movies, big businesses, academia, and even governments have been using biometric authentication like fingerprints, eye patterns, voice and even your heartbeat to authenticate users for years. And the race to secure the future of authentication is well on. Biometrics Research Group Inc. projects that the global biometrics market will grow to US$15 billion by 2015, up from its 2012 estimated value of US$7 billion.
Technologies to watch
Computer chip maker Qualcomm, which produces chipsets used by many Android smartphones, announced Snapdragon Sense ID at the 2015 edition of the Mobile World Congress, an annual gathering in Barcelona for tech and telecom leaders. Sense ID is a new type of sensor that uses sound waves to detect 3-D details of your fingerprint. The company says its new sensor can read fingers covered in sweat or lotion and can work on glass, steel, plastic and aluminum devices, giving more flexibility to device manufacturers.
Qualcomm's product is just one of several new developments in biometric security that technology companies have announced of late.
Also at MWC, Fujitsu demoed a prototype phone that uses Delta ID iris recognition technology called ActiveIRIS. According to Delta ID, it "makes the iris in our eyes a unique and secret 'password' that we never have to remember.
Chinese telecom equipment maker, ZTE, also wants users to say bye-bye to passwords and hello to eye-based biometric authentication. It debuted a retina scanner in its new ZTE Grand S3 smartphone. The Eyeprint ID technology, called EyeVerify, uses the phone's built-in camera to scan both eyes and then pattern match unique blood vessels in the eyes.
Chipmaker Intel unveiled TrueKey at the Consumer Electronics Show last January. TrueKey uses facial recognition, fingerprint scanning and other authentication methods to unlock a single master password that gives access to devices and online accounts.
Perhaps one of the most successful application of biometric security to consumer devices to date is Apple's Touch ID, a fingerprint-sensing technology for newer iPhones and iPads.
Touch ID was released in September 2013 on the iPhone 5S as an alternative to unlocking the phone with a passcode. Apple reported that before Touch ID was available, fewer than half of iPhone owners used a passcode. But now more than 83 per cent of iPhone 5s users use Touch ID to unlock their phones.
Touch ID also supports non-Apple apps, so people can now use their fingerprints to log in services, like Amazon, DropBox and password-manager app Keeper.
Microsoft is also getting in on the action adding support for the Fast Identity Online (Fido) standard to Windows 10 to enable password-free sign-on for a number of applications.
"Transitioning away from passwords and to a stronger form of identity is one of the great challenges that we face in online computing," said Dustin Ingalls, Windows security and identity programme manager at Microsoft, in an interview with ZDNet.
Fido supports biometrics such as face, voice, iris, and fingerprint or dongles. The standard is receiving support from major industry players, including Samsung, Visa, PayPal, RSA, MasterCard, Google, Lenovo, ARM, and Bank of America as well as Microsoft.
Apple's Touch ID system and the Microsoft-supported FIDO standard both offer another advantage over the password-based model: they are stored locally, which makes it much harder for hackers to crack an online trove and plunder millions of credentials as commonly happens now.
Securing Reliability and Trust
Still, it will be quite a while before the passwords are phased out completely. Biometric tech still has quite a drawbacks, and in spite of its many flaws, passwords remain far more reliable. If you type in your password correctly, it will work; no hassle, no worries.
Biometric security tools, in contrast, suffers from reliability issues. When Intel debuted its TrueKey service during a keynote address at the CES 2015, the program failed to recognise the presenter demoing it. Samsung's facial recognition software for its smartphones can easily be fooled. Even Apple's Touch ID, for all its success, still doesn't work well for everyone, failing if your fingers are moist or even cold.
Then there's the cost factor. Killing passwords won't come without a hefty price tag for consumers as well as corporate and cloud service providers. Phasing out existing security systems and introducing new ones will involve costly back-end and front-end technology replacements, integration, end-user training and other support costs.
Another key issue restraining widespread adoption of biometric security products is trust. Consumers must believe that the companies offering the biometric solutions are taking good care of all the biometric data they collect.
The string of high-profile cybersecurity breaches over the past few years makes it clear that consumers should not blindly trust that every company holding their biometric data will have appropriate systems in place to protect it.
"It's simply not safe to assume that the companies asking us for our biometric data are going to be any safer with that data than the companies currently storing our passwords," according to Stephen Lee, a senior cybersecurity expert with the Caribbean Network Operators Group, CaribNOG, and CEO of the US-based tech firm, ArkiTechs Inc.
"Making your mobile device or network more secure using biometrics, can have the totally unintended consequence of making you much more vulnerable to new avenues for identity hacking," Lee added, "Especially when protecting password data has already proven to be so difficult. If your password is compromised, at least you can change it. Good luck trying to change your iris pattern or thumbprints."
A more secure future?
There is little argument that passwords by themselves are an increasingly ineffective tool for securing our digital assets. By using something we are, rather than just something we know, biometric authentication technologies hold the promise of a more secure future.
However, that security comes at the high price of entrusting our valuable personal biodata to third-party vendors. The bottom line is none of these security technologies is a panacea for our digital security challenges: They all have vulnerabilities and therefore they all carry risks. But there is an even greater risk in believing that passwords by themselves with keep you or your precious data safe in the digital age.
Bevil Wooding is chief knowledge office at Congress WBN (C-WBN) an international non-profit organisation and executive director at BrightPath Foundation, responsible for C-WBN's technology education and outreach initiatives. Follow on Twitter: @bevilwooding
