Oxford and Cambridge in the race to eliminate passwords

Oxford and Cambridge in a race to eliminate passwords

Image of ciruit board courtesy of ShutterstockMore novel approaches to authentication have been gaining media attention this week, each linked to major universities.

Cambridge University are working on a technology-oriented approach where multiple small devices create an “electronic aura”, enabling a main device to transmit a unique identification signal.

Meanwhile a company spun out of an Oxford University programme is developing more biomechanical methods of recognising humans, and indeed specific people, based on the way they move, behave and interact with devices.

The problem of authentication is central to secure use of computers and the internet. Our machines and services need to know we are who we claim to be, if they are to ensure only the right people can access their stuff.

Passwords are woefully flawed

As we are frequently reminded, our current methods of authentication are woefully flawed. Our reliance on passwords leaves us open to all sorts of risks.

We choose them badly, we’re not good at remembering them, we reuse them across different sites. Companies struggle with appropriate policies internally, and websites, even major brands, don’t enforce strong rules either.

Passwords are regularly leaked in data breaches and need to be reset, with sloppy approaches to alerting people putting them further at risk.

Even where two-factor authentication provides an extra layer of security, it is often shunned as too fiddly and time-consuming.

So we keep trying to come up with better approaches. We’ve heard about implants, recognition of biological features such as fingerprints, faces, heartbeats, even vein patterns.

Major cross-industry alliances are working to make sense of all these options, and produce a unified framework to support them, but it remains a chicken-and-egg problem – no single scheme can really take off without widespread adoption, and widespread support won’t be provided until an approach is well-established, trusted and used by significant numbers.

Adding further to the list of potential saviours, Cambridge University’s Pico project posits a small device storing your credentials for various things – not just websites, but ATMs, cars and anything else we need to authenticate ourselves to.

Miniature secondary devices for authentication

The device connects as and when needed to confirm the identity of its owner, but will only do so in the presence of a collection of miniature secondary devices referred to as “Picosiblings”, worn on the body or clothing.

This solves the main problem of using biological information such as retina patterns or fingerprints, that they cannot be changed once compromised or forged, and avoids the issues of a single identifying item, which could simply be stolen.

The Pico setup would require all the items be stolen, which might be fairly easy with a phone-sized device, but the pickpocket’s job would be considerably harder if he also needed a ring, a pair of glasses, and few micro-devices embedded in clothing or carried in a pocket or wallet.

To make it all the more difficult, there’s no reason part of the aura couldn’t be embedded in the body itself.

Spoofing by relaying the signals from the real user to a stolen device is prevented by requiring close proximity of the devices, measured by checking the response times from inter-device communication.

The main device would be programmable, and backed up so it could easily be replaced if lost – a stolen device on its own would be safe as the highly sensitive data on it would be inaccessible without the ancillary “aura”.

Sounds good so far, but there are likely to be a number of other potential risks to address – the project remains at the development stage.

The setup is also complex, relies on hardware which is unlikely to be cheap, and requires the user to remember all the bits that make up their aura for it to work.

These factors may make it unlikely to be universally adopted, but it could well be an acceptable approach for those requiring very secure access to a wide range of things.

Considerably less reliant on human effort, the “eDNA” concept from Oxford BioChronometrics instead uses the stuff we’re all doing anyway.

It apparently takes a large number of small measures of how we interact with devices – typing speeds and patterns, mouse movements, swiping motions on touchscreens, presumably much more detailed data on how we move around from motion-sensitive hardware – and uses them to compute a unique fingerprint with which to identify a person.

Trials underway by ‘a major household name’

The company, which originated in a startup programme run by the University of Oxford but which is now based in Luxembourg, offers a variant of its technology as a free WordPress plugin designed to eliminate comment spam from bots, and the full authentication system is at an advanced stage of development with trials apparently underway with at least one unnamed “major household name”.

This seems pretty close to the panacea for password replacement, with no extra hardware required and no active effort needed at the user end.

Again adoption is the issue though, and the proof of the pudding will be in how easy such an approach is to implement and operate, and how secure it remains against the endlessly inventive imaginations of attackers.

It seems like we’re unlikely to run out of choices for better, safer, simpler methods of authentication any time soon.

With such a diverse range of options available, it’s also unlikely that any single approach will become widespread enough to achieve a dominant position for quite a while.

But if enough services start supporting a range of these approaches, then they’ll start to be properly tested, both for ease of operation and security, in real widespread use.

Then we may start to see some, possibly many, achieve real penetration into all our lives, and eventually the slow death of tired old methods.

As organisations, we can hurry this process along by investigating these new technologies and seeing which might work, which would fit our environments and requirements to provide viable methods of authenticating our employees, users or customers.

As users or customers, we can help by keeping an open mind and trying out these new approaches to see which ones work best for us, which fit our lifestyles and usage patterns the best, which make us feel the most secure.

It’s going to be a long process, but we’ll get there one day.

Image of circuit board courtesy of Shutterstock.