More Passwords, More Problems: A Look into Biometric Authentication
What’s your password? Studies show that you likely use more than 15 different passwords, but more than half of you admit to using a weak password. So how do companies fare with inconsistent password usage and standardization? Even companies with incredible security practices can become vulnerable due to a forgetful employee who leaves their password on a sticky note under their mouse pad, or someone using the incredibly hard to crack password “password”. Hackers are becoming more adept, and as a result, companies must improve their digital security.
While technology has continued to improve, things like the traditional QWERTY keyboard have not changed in decades. Passwords are becoming clunky, laborious things that must be carried in the memory of the user and while two-factor authentication assist in ease, it is typically just a different combination of characters that takes up more time.
We get questions from our clients all of the time: How can we improve our own security? In light of data breaches at eBay (145 million users), Adobe (36 million users), JP Morgan Chase (76 million users), and many, many others – passwords have been at the forefront of the security discussion. Let’s take a moment to look at the future of password and identity protection, and what implications that may have on security.
The Pros and Cons of Biometric Identification
Fingerprint biometrics have gained incredible popularity since Apple unleashed it on the iPhone-using masses (94 million people use an iPhone), but they aren’t the only ones using the technology. Android mobile devices have also adopted the technology, and it is anticipated that approximately 50% of all mobile devices will move towards this technology by 2019. But how secure is the convenient, unforgettable, unduplicatable security? Maybe not as secure as you’d think.
With some technology companies leaving fingerprint data unencrypted, hackers are suddenly able to access print images remotely at a large scale. Phone hackers aside, what happens if your fingerprint data at a government agency is breached and suddenly anyone has access to your prints? You can’t exactly change your prints once they have been compromised, and experts have suggested that a simply high resolution photo of your fingers could be enough to gain entry to fingerprint-protected devices.
If we recognize each other through our faces, why can’t our technology learn to do it as well? Some credit card companies were even considering the complete removal of credit cards and moving wholly to facial recognition software.
However easy this technology would make our lives, it is unfortunately one of the least reliable and efficient technologies available at this time for personal identification purposes. A simple tilt in the head angle can throw off the technology, as can sunglasses, a change in hair, items obscuring the face and skin color, to name a few. Outside of the current technological hurdles, hackers are able to trick facial recognition through use of high-quality photographs, similar looking people and the hacking of the entire system.
In every science fiction movie, there’s a retina scan that unlocks a door. But it may not be just science fiction anymore. Citibank is currently working with partners EyeLock LLC and Diebold in order to develop a card-less, screen-less, self-service ATM. All transactions occur on the mobile phone using near field communication or QR code technology, while the customer is authenticated using the EyeLock iris sensor.
In a similar vein, Microsoft recently released two phones featuring iris scanning authentication. But what are the risks of the new technology? The systems are often fooled by a high-quality image of the eye, making it an easy target for hackers. Until live-tissue verification exists for all of the technologies previously mentioned, it will continue to be easily tricked by hackers with replicated imagery.
Voice command opens up a hands-free universe where logging into anything is as easy as a few simple words. One of the benefits is that authentication over the phone allows for remote authentication. But how long until a cybercriminal gets you on the phone, talking, to remotely unlock your account for them without your knowledge?
Voice command has other limitations. For example, users may not want to share their actions with those on the bus or in a quiet office. Or, consider struggling to log into an account at a loud rock show. In addition, vocal recordings are able to fool some of the more basic voice biometrics machines.
Where do we go from here?
The options aren’t all bad, but all pose their own risks. But what if you could combine any or all of those authentication factors? Combining factors allows for certain identifiers to be used in certain situations. For example, fingerprint and voice authentication when unlocking your vehicle – use fingerprint when you have your hands free and voice when you have your hands full.
The ability to pick factors that work for your lifestyle and the potential risk offers a glut of opportunity for information security experts to improve data security. Because we would all be better off in a world where the easy account reset questions no longer exist.