The case against traditional passwords — and how biometrics can better secure us

Passwords have been around for millennia. Thousands of years before the advent of the computer, the Roman military used what Polybius described as a watchword to distinguish ally from enemy. Similarly, during the Battle of Normandy, US paratroopers used constantly changing call-and-response passwords ("flash" was to be answered with "thunder", for example) to tell friend from foe.

The password entered computer science in the early 1960s thanks to Fernando Corbató, as a means of keeping files private. The Massachusetts Institute of Technology had built a time-sharing system (the Compatible Time-Sharing System, CTSS) that all its researchers could use, but every user's files lived on one shared disk. A per-user password was introduced so that each user could access only their own files.

Source: SC Magazine

With the introduction of the internet, the popularity of the password soared as a straightforward but relatively effective means of keeping user accounts secure. Decades on, account security is still a challenge: data leaks and account-takeover attempts are more common than ever. For many, the fact that we still rely primarily on passwords to protect our sensitive data is an anachronism in dire need of addressing.

Enter biometrics

This is where biometrics can make an impact – and, indeed, they already are. You can thank tech giants like Apple and Samsung for popularizing the technology, introducing fingerprint scanners some six years ago and slowly building functionality onto the technology. 

Initially, users could only unlock their devices with their fingerprints. Today, banking apps accept a fingerprint for login, and app stores authorize purchases with nothing more than a print. Note that the app itself never receives the fingerprint: the operating system matches it against a template held in dedicated hardware on the device and either reports success or releases a key tied to that match.

On a very simple level, biometrics improve the user experience. Rather than having to remember passwords or draw patterns to unlock devices or perform other secure tasks, users can simply use fingerprints or facial recognition. 

Both are almost always quicker and, against the everyday threats a phone faces (shoulder surfing, guessing a short PIN), at least as secure, serving as a brilliant example to users that the technology is nothing to fear and can improve their experience significantly.

Some 89 percent of consumers are already familiar with biometrics in some form, with 55 percent using fingerprint recognition technology on a regular basis. This comes from the inclusion of fingerprint scanners on just about every major smartphone released in the last few years. 

With one tap, users can gain access to their devices in a way deemed secure enough to authenticate payments. Many now also use facial recognition for even more seamless identification, with the likes of Apple allowing users to pay using only their faces.

Passwords are a weak link for both user security and company efficiency. Reusing one password for every account is too dangerous: credential theft is rife, and any breach is best contained to a single account. On the other hand, remembering a different password for each of the myriad accounts we hold in 2019 is also imperfect.

For customers, it’s a headache, while for corporations it can be an expensive waste of time. 

According to CNN, Microsoft spends $2 million a month on help desk calls from people who want to change their passwords. According to a 2017 report from VISA, some 61 percent of respondents have multiple passwords across their different accounts, making the problem a significant one. When asked why they had abandoned an online purchase in the past, half of the respondents cited not being able to remember a password as a reason. 

Source: Google Blog

Abdulaziz Alzubaidi has a PhD in engineering with a focus on security and is currently a faculty member at Umm Al-Qura University. For him, biometrics are the future of authentication and the humble password may be due retirement. 

“When we talk about biometrics, we should consider both types of biometrics; physiological and behavioral,” Abdulaziz told Binary District Journal. 

“Modern devices support physiological biometrics such as fingerprint and face recognition. Although these biometrics have a few limitations, they should be used as an authentication method, since traditional methods like entering a PIN or drawing a pattern are vulnerable to simple exploits like shoulder surfing attacks, which allow anyone to gain device access. In my opinion, I see biometrics having a high possibility of replacing traditional authentication methods.

“Imagine this scenario: your device has been used by a friend or even a family member, who knows your password for your device and online bank. He/she can easily access the device and log in to your account, even if he/she uses multi-factor authentication. This simple scenario shows that traditional authentication methods can increase the security issue for anyone. It is not only for banking but for any available app on your device, like social apps, emails etc., so biometrics are more secure when we compare them with the password method.”

Managing resistance to change

User experience is important here, though. If relying on fingerprint scanning alone is too porous, developers should consider other methods of authentication before adding more biometric hoops to jump through. 

No one wants to have to scan their thumb and their face while speaking into their phones just to access their mobile banking.  

Equally, some people may not be comfortable with using a fingerprint scanner at all, particularly if they are being asked to provide that information just to access a social media account. 

What will be important is customization. Developers will have to offer users different options and make the security implications of those options clear, much in the same way that some websites offer two-stage authentication but don’t make it compulsory.  

If a banking app can be opened with a single fingerprint, great, but some users will feel more comfortable adding a password and an iris scan to the process, once the latter becomes sophisticated enough.

In terms of security, pivoting to biometrics may well throw up just as many questions as it does answers.

Crucially, passwords can be changed if stolen. If a hacker finds a way of breaching biometric authentication, the implications for the user's many accounts and devices would be huge: it is a lot less simple to change your fingerprints or your face. This is why a biometric should never be the secret itself. In well-designed systems the template stays on the device, the match happens locally, and what the device sends to a bank or website is a revocable credential unlocked by that match; a system that instead stores templates centrally turns every breach into a permanent one.

There have also been cases of face recognition being fooled with a photo of the user, a so-called presentation attack, which is exactly what liveness detection is meant to catch. This could mean that multi-step authentication will still be necessary, nullifying the seamlessness that makes biometrics so appealing in the first instance.
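The design just described, with the biometric acting only as a local gate for a revocable, device-bound credential, as an added simulation that is not code from the article or from any vendor. It uses only the Python standard library; the Enclave and Server classes, the 64-bit "templates", the Hamming-distance matcher and its threshold, and the HMAC challenge-response are all illustrative assumptions. Real deployments (FIDO2/WebAuthn, or Touch ID/Face ID releasing a keychain key) use an asymmetric key so the server stores no secret at all; HMAC is used here purely to stay dependency-free, and a real sensor pipeline with liveness detection is out of scope.

```python
"""Added example: a biometric match unlocks a revocable device credential.

The template never leaves the 'enclave'; the server stores only a per-device
secret and never sees the biometric. A compromised credential is rotated or
revoked while the finger stays the same (stdlib-only simulation; all values
and thresholds are assumptions).
"""
import hashlib
import hmac
import secrets

MAX_DIFFERING_BITS = 8  # assumed acceptance threshold for the toy matcher


class Enclave:
    """Device-side store: biometric template + device key, neither exported."""

    def __init__(self, template: int):
        self._template = template                # constructed 64-bit template
        self._device_key = secrets.token_bytes(32)

    def provision_key(self) -> bytes:
        """Mints a fresh device key and returns it for server registration."""
        self._device_key = secrets.token_bytes(32)
        return self._device_key

    def matches(self, sample: int) -> bool:
        """Toy matcher: accept if at most MAX_DIFFERING_BITS bits differ."""
        return bin(sample ^ self._template).count("1") <= MAX_DIFFERING_BITS

    def answer(self, sample: int, challenge: bytes):
        """Biometric gates key use; a failed match releases nothing."""
        if not self.matches(sample):
            return None
        return hmac.new(self._device_key, challenge, hashlib.sha256).digest()


class Server:
    """Relying party: knows device keys by id, holds no biometric data."""

    def __init__(self):
        self._devices = {}

    def register(self, device_id: str, key: bytes):
        self._devices[device_id] = key

    def revoke(self, device_id: str):
        self._devices.pop(device_id, None)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, device_id: str, challenge: bytes, response) -> bool:
        key = self._devices.get(device_id)
        if key is None or response is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(server: Server, device_id: str, enclave: Enclave, sample: int) -> bool:
    """One challenge-response round: the biometric is used only on-device."""
    challenge = server.new_challenge()
    return server.verify(device_id, challenge, enclave.answer(sample, challenge))


def demo() -> dict:
    owner = 0x5A5A_F00D_1234_ABCD        # constructed enrolment template
    noisy = owner ^ 0b101                 # same finger, 3 bits of sensor noise
    stranger = owner ^ 0xFFFF             # 16 differing bits: rejected locally

    enclave, server = Enclave(owner), Server()
    server.register("phone-1", enclave.provision_key())

    results = {
        "owner": login(server, "phone-1", enclave, noisy),
        "stranger": login(server, "phone-1", enclave, stranger),
    }
    # A captured response is useless against a fresh challenge.
    captured = enclave.answer(noisy, server.new_challenge())
    results["replay"] = server.verify("phone-1", server.new_challenge(), captured)
    # Credential compromise: revoke, then rotate the key; the template is untouched.
    server.revoke("phone-1")
    results["after_revoke"] = login(server, "phone-1", enclave, noisy)
    server.register("phone-1", enclave.provision_key())
    results["after_rotate"] = login(server, "phone-1", enclave, noisy)
    return results


if __name__ == "__main__":
    print(demo())
```

The property worth checking is that nothing the server stores or sees could be used to reconstruct or replay the user's biometric, and that losing the server-side record costs the user a re-registration rather than a finger.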

Just be yourself

The next step in customized authentication is behavioral biometrics. This is biometrics not based on physical identifiers like fingerprints or scans of the iris, but rather the analysis of a user’s behavior to determine their identity.

Going far beyond technologies like voice and signatures, behavioral biometrics can focus on anything from finger movements to hand tremors and hand-eye coordination.

Such systems can even measure how fluently a user enters information they are asked for, or how familiar they are with the app they are trying to access.

“Recent research has proved that behavioral biometrics have the potential to identify a smartphone owner with high accuracy,” Abdulaziz says.

“Most of these studies use different approaches like touchscreen, keystroke, gait, behavioral profiling etc., and show each subject has a unique identity. Behavioral biometrics does not need more sensors, so the cost of building any device will not increase.

“The main points that we need to consider are time to train, size of data, and where it should be trained. Addressing these points will lead behavioral biometrics to be one of the important biometrics, in my opinion, not only in smartphones but to most smart devices.”

Behavioral biometrics, if successfully deployed, would address two problems that point-in-time authentication (a password, a PIN or a single fingerprint check at login) has always had.

The first is that it is passive: users need not do anything extra to be recognized, because the system relies precisely on them behaving as they normally do.

The second is that it can run throughout a session in the background (continuous authentication), so getting past the login screen, whether with a stolen password or a borrowed unlocked phone, no longer gives an attacker free rein over the account: a change in typing rhythm or handling can trigger a step-up check or end the session.
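A toy version of the two properties above, as an added example that is not code from the article, Abdulaziz's research or any vendor: keystroke dynamics (hold time per key, press-to-press flight time per digraph) are profiled at enrolment, and a continuous authenticator then scores each window of keystrokes in the background and asks for a step-up after repeated low scores. All keystroke data is constructed by type_phrase(); the 80/150 ms and 130/260 ms timings, the jitter pattern, the 5 ms standard-deviation floor, the z-score tolerance, and the window, threshold and strike settings are illustrative assumptions, not figures from any product or study.

```python
"""Added example: keystroke-dynamics profile + continuous authentication.

Events are (key, press_ms, release_ms). Features are hold times ('H:k') and
press-to-press flight times per digraph ('F:ab'). All data is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

SD_FLOOR_MS = 5.0   # assumed: keeps a tiny enrolment set from over-fitting
Z_TOL = 2.5         # assumed: how far from the profile a sample may stray
JITTER = [-6, 0, 6, -3, 3]   # constructed ms offsets cycled through a stream


def extract_features(events):
    """Returns {feature: [ms, ...]} for an ordered keystroke stream."""
    feats = defaultdict(list)
    for i, (key, press, release) in enumerate(events):
        feats[f"H:{key}"].append(release - press)
        if i:
            prev_key, prev_press, _ = events[i - 1]
            feats[f"F:{prev_key}{key}"].append(press - prev_press)
    return feats


def build_profile(sessions, min_samples=3):
    """Enrolment: pool features across sessions into (mean, sd) per feature."""
    pooled = defaultdict(list)
    for session in sessions:
        for feat, vals in extract_features(session).items():
            pooled[feat].extend(vals)
    return {feat: (mean(vals), max(pstdev(vals), SD_FLOOR_MS))
            for feat, vals in pooled.items() if len(vals) >= min_samples}


def score_window(profile, events, z_tol=Z_TOL):
    """Fraction of comparable observations within z_tol sd of the profile.
    Returns (score, n_compared); score is None if nothing was comparable."""
    hits = total = 0
    for feat, vals in extract_features(events).items():
        if feat not in profile:
            continue            # unseen key or digraph: no evidence either way
        mu, sd = profile[feat]
        for v in vals:
            total += 1
            hits += int(abs(v - mu) / sd <= z_tol)
    return (hits / total if total else None), total


class ContinuousAuthenticator:
    """Scores every `window` keystrokes after login; `strikes` consecutive
    low-scoring windows trigger a step-up (e.g. re-prompt for the PIN)."""

    def __init__(self, profile, window=8, threshold=0.6, strikes=2):
        self.profile, self.window = profile, window
        self.threshold, self.max_strikes = threshold, strikes
        self.buffer, self.strikes = [], 0

    def feed(self, event):
        """Returns 'pending' (window not full), 'ok' or 'step-up'."""
        self.buffer.append(event)
        if len(self.buffer) < self.window:
            return "pending"
        score, _ = score_window(self.profile, self.buffer)
        self.buffer = []
        if score is None:
            return "ok"          # no evidence this window; keep prior strikes
        if score >= self.threshold:
            self.strikes = 0
            return "ok"
        self.strikes += 1
        return "step-up" if self.strikes >= self.max_strikes else "ok"


def type_phrase(text, hold_ms, flight_ms, phase=0, t0=0):
    """Constructed keystroke stream for a typist with the given base hold
    time and press-to-press interval, plus cycled jitter starting at `phase`."""
    events, t, j = [], t0, phase
    for ch in text:
        hold = hold_ms + JITTER[j % len(JITTER)]
        j += 1
        events.append((ch, t, t + hold))
        t += flight_ms + JITTER[j % len(JITTER)]
        j += 1
    return events


def demo():
    phrase = "the cat sat"
    # Enrolment: three sessions from the genuine user (~80 ms hold, ~150 ms flight).
    profile = build_profile([type_phrase(phrase, 80, 150, phase=p) for p in range(3)])
    # Session: the owner types for a while, then someone slower takes over the phone.
    genuine = type_phrase(phrase * 2, 80, 150, phase=3)
    impostor = type_phrase(phrase * 2, 130, 260, phase=1, t0=genuine[-1][1] + 150)
    auth = ContinuousAuthenticator(profile)
    decisions = [auth.feed(e) for e in genuine + impostor]
    return profile, decisions


if __name__ == "__main__":
    _, decisions = demo()
    print("step-up requested after keystroke", decisions.index("step-up") + 1)
```

In the constructed session the windows typed by the owner score 1.0, the window straddling the hand-over still passes, and the first two windows typed entirely by the impostor score 0.0 and trigger the step-up; a production system would use far more features, learn the tolerance per user, and treat the score as one risk signal among several rather than as a hard gate.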

As with all authentication methods, accuracy will be paramount. There are a number of companies – see NuData, BehavioSec or Invisible Challenges, for example – working on building behavioral biometrics solutions, while UK bank NatWest has shown interest in utilizing the technology to prevent fraud in real time.

Getting to a workable degree of accuracy will involve machine learning and even deep learning, while a large degree of drip-feeding will be needed to encourage a typically skeptical public to trust the technology.

If the success of fingerprint ID for smartphones can be taken as a marker, then biometrics will be welcomed by users.

The technology is an easy sell, and any discomfort about tech companies holding your fingerprint data (on current phones it stays on the device in dedicated hardware rather than with the vendor or the app) will be offset by how clearly preferable Face ID is to a password when it comes to keeping a bank account secure.

There will be teething problems – hacks will make headlines and some will be uncomfortable with the technology – but ultimately the password appears doomed in the face of a truly 21st century alternative.

This post was written by Margarita Khartanovich for Binary District, an international collaborative technology community which creates unique competency-based workshops and events on new technologies.
