Researchers regularly come up with revolutionary ideas to replace the clunky, fiddly and mostly rather insecure passwords we use for almost all of our authentication needs.
The latest schemes to hit the headlines involve using features of our bodies, internal or external, to reassure our devices that we are who we claim to be.
Will any of them ever become the new standard for authentication? Are we going to be stuck with passwords forever, or is there a brighter future out there somewhere?
Security folk talk a lot about passwords. How long or complex they need to be, how bad people tend to be at choosing them and not reusing them, how they should be recorded and stored, how easily they can be cracked.
Occasionally a shiny new idea pops up – most recently we saw biostamps and swallowable dongles – but they generally disappear again just as quickly, leaving us stuck with the status quo.
In your face
In the news this week, Australian researchers have been promoting their work on facial recognition as a means of authentication.
As an idea this seems obvious – faces are the main means we use to identify each other in the real world, if we want to avoid being identified a mask is a standard first step. So it makes sense to have computers recognise our faces, or at least bits of our faces, too.
It’s an approach that has become fairly common of late, with PC login systems and mobile apps trying to use our faces to authenticate us to various things. Only a few weeks ago we heard about a Finnish company’s plans to use faces in place of credit cards.
In general these schemes have proven less than perfect, either easily fooled by photos, similar-looking people or technical tricks, or failing to authenticate real users thanks to bad hair days or bad moods affecting how we look.
Similar issues have blighted fingerprint-based authentication, which remains too unstable and unreliable for general use.
It’s not yet entirely clear what will separate the work being done by the University of Queensland researchers from the crowd, other than vague mentions of improved accuracy and security, and being able to work from a single initial still image and recognise the face from different angles and in different lighting conditions, which sounds like a must for any decent recognition system.
Either way, they don’t expect to have a working prototype for at least another year.
The way you move
The good thing about the face recognition approach is that it’s relatively low-tech, using a component (the rear-facing camera) that has become a standard component of most of the devices we use.
Another potential password replacement emerging from the world of smartphones and tablets is gesture-based authentication. Hand movements repeated often enough can lead to muscle-memory, so quite complex patterns can become quite easy to reproduce reliably and accurately.
This is the basis of a very venerable form of authentication, the signature. It should be harder to compromise though, as unlike signatures swipes leave few visible traces to be copied, other than a few greasy smears perhaps.
Android phones have long had swipe-pattern unlock features, and Windows 8 includes a system based on a few swipes around a picture. Some research presented at the recent Usenix conference has poked some serious holes in this approach though, showing that people are just as bad at picking hard-to-guess shapes as they are at choosing passwords.
A combination of face recognition and gestures, recognising patterns of unusual facial expressions, has also been proposed but is widely seen as no more than a gimmick, provoking humorous images of people gurning and grimacing into their webcams.
In a heartbeat
All of these use physical features, aspects of how our bodies look or move, in contrast to the purely cerebral requirements of passwords, which reside only in our minds (in theory at least – they may also reside on post-it notes attached to our monitors).
The biostamp idea proposed a hybrid of body and technology.
Another spin on this hybrid approach uses a bracelet device which measures heart rhythms to check who we are, and then connects to our devices via Bluetooth to pass on that confirmation.
The “Nymi” bracelet, developed by a Canadian startup, certainly sounds like a promising idea.
The actual authentication takes place only when the bracelet is first put on, requiring a quick touch of some sensors, and from then on will continue to confirm you’re you until it’s removed.
It includes motion sensors, so the basic authentication can also be combined with movements and gestures to create multi-factor passwords, using both the body and the mind of the attached user. Gestures could be used to unlock cars, for example.
I’m no expert on heart rhythm patterns, but according to the developers they’re as unique as fingerprints. Just how resilient the authentication will be to stress, fitness, aging and so on may well be a major factor in the success of the idea.
There are also security concerns of course. The connection to the authenticating devices will have to be very secure, and the bracelet will have to ensure it remains connected to a live wrist; as with biostamps, if it can simply be slid (or hacked) off and still work, it’ll be no good.
Also like biostamps, there’s a potential issue with proximity; if it’s simply broadcasting a “yes” to any request for ID, it would seem trivial to sneak up behind someone and steal their login.
The gesture system might help here, to ensure the user actually wants to be identified, and it should also be fairly simple (and unintrusive) to require re-authentication for major transactions – a simple touch of the wristband checks the heart pattern.
It’s also a relatively hi-tech solution, requiring dedicated hardware. The cost is not prohibitively high though; pre-orders are already available at under $80, although it’s not clear how much of that would be subsidised by the device and service providers the makers hope to attract.
With mass adoption and the cost reductions that would bring, it wouldn’t be unreasonable to expect governments to hand one out to every citizen to cover all their ID needs, although here we stray into civil rights territory – not a huge leap from there to barcodes on our foreheads, some will say.
In the future
Over the years the password systems we use have seen various improvements, both in usability (ranging from simple but nowadays indispensable systems for replacing forgotten passwords to the latest secure password management utilities) and security, for example two-factor authentication schemes using dongles or smartphones combined with our computers.
All have helped in some ways, but have also introduced further opportunities for insecurity – recovery systems can be tricked, management tools can have vulnerabilities or simply be insecurely designed, and two-factor approaches can be defeated by man-in-the-mobile techniques.
Despite all the problems, the insecurities on one side and the impeded workflows on the other, passwords remain the simplest solution to the authentication problem. Finding a universal panacea to replace them is going to be difficult.
What it really comes down to is how we define who we are, whether we are the contents of our brains, the shapes, textures and rhythms of our bodies, or the tools and devices we create and use. Perhaps an approach which uses aspects of all of these will best cover all our needs.
A lot depends on popular uptake of course, perhaps more than actual technical innovation, but it could just be that one of these new techniques will become the passwords of the future.