Loki, the Norse god of mischief himself, makes the effort to go to Germany and probe someone’s eye in order to get the iridium needed to make his plan work. That is how much more secure biometrics-based security is supposed to be compared to conventional password-based security. The human eye’s retina, the fingerprint and the human voice (and if you’re in Britain, the shape of the ear) each have a uniqueness that can’t be duplicated, which can be leveraged for security, unlike today’s passwords and PINs, which seem more and more vulnerable to hacking with every passing day, with or without encryption. Through biometrics and token-based security, will the world be better off without passwords?
It seems that every day there’s news of important establishments, government or private, getting hacked despite alleged high levels of security. The latest are the Office of Personnel Management, where the information of 1.9 million federal employees was stolen, and the password management site LastPass, where thousands of accounts were hacked. The situation only seems to get worse as hackers get more and more talented, security administrators get lazier and lazier, or security systems get more and more perforated.
Because of this, giant tech companies have launched a campaign to end the use of passwords as tools for security. Apple and Samsung already use fingerprint technology to unlock their phones and certain apps. Microsoft will soon follow suit and has even gone one step further with Windows 10’s Windows Hello, which includes voice recognition as well as better facial recognition, courtesy of Intel’s RealSense technology. Such campaigns have made biometric technologies more in demand and, soon, more affordable. Now the government, particularly the National Institute of Standards and Technology (NIST), has joined the campaign by gaining membership in the FIDO (Fast Identity Online) Alliance to help develop stronger online security.
“As part of our ongoing effort to move the world away from passwords and to stronger forms of authentication, the FIDO Alliance is broadening its membership classes to include a FIDO Government Class membership. This will enable governments around the world to contribute their unique needs and perspectives to the next developments in FIDO standards… We welcome our first government members and look forward to increased participation in this new membership class. We look forward to working with them to develop universal standards for strong authentication that are more secure, private, and easier to use than passwords.”
–Dustin Ingalls, president of the FIDO Alliance.
The FIDO Alliance clearly states that it intends to make passwords a thing of the past, since there are other secure ways of authentication such as biometrics, hardware dongles or wireless tokens. Passwords are vulnerable to brute-force hacking, phishing and even simple guesswork. Passwords are a real chore to remember and maintain, especially for establishments that regularly enforce rotation and hard-to-remember mixed characters (a REAL chore).
As yours truly said in a previous article, most people today have at least three accounts on the internet and maybe just about the same number of ATM and credit card PINs. It would be convenient to keep just one precious PIN or password to rule them all. However, every office, store or internet site has its own password rules: the blasted thing should be more than eight characters, have at least one uppercase letter, yadda, yadda, yadda… Keeping one master password for everything, even if possible, is also unsafe, as it opens all your accounts in just one hack. In order to keep track of all our user names and passwords, we’d need a password manager, pen and paper, smartphone notes, or just the good old noggin, which can be a problem if you have ten or more existing accounts. For some, if not most people, password management is a tedious process and many do it grudgingly, settling for easy-to-guess aberrations like ‘P@ssw0rd’, ‘Trustn01’, ‘M@y101975’ or, in the case of PINs, ‘1234’, ‘4321’, ‘5678’ and ‘0000’. Big security hole if you ever saw one. Some major sites and companies got hacked big time through the use of passwords from lazy executives.
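The point above, that complexity rules are easily satisfied by predictable substitutions, can be seen in code. The following is an added example, not code from the original article or from any product mentioned in it. It assumes a typical policy (at least eight characters, one uppercase letter, one digit, one symbol) and uses a constructed, deliberately tiny blocklist and leetspeak map; a real checker would compare against a large breached-password list instead.

```python
import re
from typing import List

# Constructed blocklist of common base words. A real deployment would use a
# large breached-password corpus; this handful is only for illustration.
WEAK_BASE_WORDS = {"password", "trustno1", "letmein", "welcome", "qwerty", "admin"}

MONTHS = {
    "jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec",
    "january", "february", "march", "april", "june", "july", "august",
    "september", "october", "november", "december",
}

# Substitutions people commonly make to satisfy "one digit, one symbol" rules.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o",
    "$": "s", "5": "s", "7": "t",
})


def normalize(pw: str) -> str:
    """Lowercase and undo leetspeak so 'P@ssw0rd' compares equal to 'password'."""
    return pw.lower().translate(LEET_MAP)


# Blocklist entries are normalized the same way so 'trustno1' matches 'Trustn01'.
WEAK_NORMALIZED = {normalize(w) for w in WEAK_BASE_WORDS}


def passes_complexity_policy(pw: str) -> bool:
    """The assumed policy from the article: >= 8 chars, uppercase, digit, symbol."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def weakness_reasons(pw: str) -> List[str]:
    """Return human-readable reasons a password is guessable; empty means none found."""
    reasons = []
    if len(pw) < 12:  # assumed minimum; length matters more than character classes
        reasons.append("shorter than 12 characters")
    if normalize(pw) in WEAK_NORMALIZED:
        reasons.append("leetspeak variant of a common password")
    digits = re.sub(r"[^0-9]", "", pw)
    word = normalize(re.sub(r"[0-9]", "", pw))
    if len(digits) >= 6:
        reasons.append("contains a long digit run (date or phone number?)")
    if word in MONTHS and len(digits) >= 4:
        reasons.append("month name followed by a date-like digit run")
    return reasons


def pin_weakness(pin: str) -> List[str]:
    """Flag the trivially guessable PIN shapes named in the article."""
    if not pin.isdigit():
        return ["not numeric"]
    reasons = []
    if len(set(pin)) == 1:
        reasons.append("repeated single digit")
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        reasons.append("sequential digits")
    return reasons


if __name__ == "__main__":
    # Constructed samples: the article's examples plus one random-word passphrase.
    for pw in ["P@ssw0rd", "Trustn01", "M@y101975", "velvet-otter-reads-ninety-maps"]:
        print(f"{pw!r}: policy={passes_complexity_policy(pw)} weak={weakness_reasons(pw)}")
    for pin in ["1234", "4321", "5678", "0000", "2749"]:
        print(f"PIN {pin}: {pin_weakness(pin)}")
```

Run as a script, the output shows the mismatch the article complains about: ‘P@ssw0rd’ and ‘M@y101975’ pass the complexity policy yet are flagged as guessable, while the long random-word passphrase fails the policy (no uppercase, no digit) despite raising no weakness flags at all.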
Which brings us to the topic of password-free sign-ins. Most Android devices come with pattern-based sign-ins, which many people prefer to tapping in PINs. Patterns are easier to remember than a set of numbers, and it’s fun swiping the pattern. Some phones already make use of facial recognition through the front camera, which unfortunately can be fooled by a good printed picture. Apple made fingerprint recognition mainstream with the iPhone 5S, and Samsung followed suit with the Galaxy S5. The technology made it easier for users to access their phones, provided the readers function correctly. Fingerprint readers aren’t new, but they were only present on expensive high-end laptops and security systems. Now that biometrics are getting more and more affordable, the time has come for security systems to evolve. Because of all the hacking going on, companies and governments now want people to consider passwords a thing of the past, and maybe sell non-password security systems on the side. It would indeed be more comfortable to just stare at the webcam to log in to Facebook, or to just press down one’s fingerprint to buy something. Are they secure? Apparently so, because unlike passwords, patterns from fingerprints, retinal scans and voice scans are more complex and harder to crack. Also, the prospect of not having to remember combinations of letters and numbers is highly appealing. Unfortunately, the chances of getting stalked, kidnapped, or losing an eye go up a notch.
So yes, it may be time to forget passwords, since passwords have tended to get stolen ever since the time of the Forty Thieves. Everyone is unique, so we might as well be our own passwords. But as Ian Malcolm from Jurassic Park once said, life finds a way. Determined life forms will find a way past this new type of security too. Replacing passwords with biometric or hardware sign-ins will buy us some secure time until the next hacker solution, but whatever the system, nothing beats proper security implementation, awareness and vigilance.