Oxford and Cambridge in the race to eliminate passwords

Filed Under: Featured, Technologies

More novel approaches to authentication have been gaining media attention this week, each linked to major universities.

Cambridge University are working on a technology-oriented approach where multiple small devices create an "electronic aura", enabling a main device to transmit a unique identification signal.

Meanwhile a company spun out of an Oxford University programme is developing more biomechanical methods of recognising humans, and indeed specific people, based on the way they move, behave and interact with devices.

The problem of authentication is central to secure use of computers and the internet. Our machines and services need to know we are who we claim to be, if they are to ensure only the right people can access their stuff.

Passwords are woefully flawed

As we are frequently reminded, our current methods of authentication are woefully flawed. Our reliance on passwords leaves us open to all sorts of risks.

We choose them badly, we're not good at remembering them, we reuse them across different sites. Companies struggle with appropriate policies internally, and websites, even major brands, don't enforce strong rules either.

Passwords are regularly leaked in data breaches and need to be reset, with sloppy approaches to alerting people putting them further at risk.

Even where two-factor authentication provides an extra layer of security, it is often shunned as too fiddly and time-consuming.

So we keep trying to come up with better approaches. We've heard about implants, recognition of biological features such as fingerprints, faces, heartbeats, even vein patterns.

Major cross-industry alliances are working to make sense of all these options, and produce a unified framework to support them, but it remains a chicken-and-egg problem - no single scheme can really take off without widespread adoption, and widespread support won't be provided until an approach is well-established, trusted and used by significant numbers.

Adding further to the list of potential saviours, Cambridge University's Pico project posits a small device storing your credentials for various things - not just websites, but ATMs, cars and anything else we need to authenticate ourselves to.

Miniature secondary devices for authentication

The device connects as and when needed to confirm the identity of its owner, but will only do so in the presence of a collection of miniature secondary devices referred to as "Picosiblings", worn on the body or clothing.

This solves the main problem of using biological information such as retina patterns or fingerprints, that they cannot be changed once compromised or forged, and avoids the issues of a single identifying item, which could simply be stolen.

The Pico setup would require all the items to be stolen, which might be fairly easy with a phone-sized device, but the pickpocket's job would be considerably harder if he also needed a ring, a pair of glasses, and a few micro-devices embedded in clothing or carried in a pocket or wallet.

To make it all the more difficult, there's no reason part of the aura couldn't be embedded in the body itself.

Spoofing by relaying the signals from the real user to a stolen device is prevented by requiring close proximity of the devices, measured by checking the response times from inter-device communication.
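The proximity check described above is a form of distance bounding: the main device sends each sibling a fresh challenge, and an answer that is cryptographically valid but arrives too late is treated as not being nearby. The following simulation is an added example written for this article; it is not Pico project code, and the pairing keys, round-trip figures, the k-of-n quorum rule and the `SimClock` are all constructed assumptions chosen to make the behaviour visible offline.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class SimClock:
    """Simulated clock in microseconds, so the example runs deterministically offline."""
    now_us: int = 0

    def advance(self, us: int) -> None:
        self.now_us += us


@dataclass
class Sibling:
    """A companion device holding a secret shared with the main device at pairing.

    link_rtt_us is the assumed round trip over the genuine short-range link;
    relay_delay_us is the extra latency an attacker's relay would add.
    Both are constructed figures for the simulation, not measurements.
    """
    name: str
    key: bytes
    link_rtt_us: int
    relay_delay_us: int = 0

    def respond(self, nonce: bytes) -> bytes:
        # The sibling proves it holds the pairing key by MACing the fresh nonce.
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


def challenge(expected_key: bytes, sib: Sibling, clock: SimClock, max_rtt_us: int) -> bool:
    """One challenge/response round.

    The sibling must answer with a valid MAC *and* within the round-trip budget.
    A relayed answer carries a valid MAC but arrives late; a device with the
    wrong key answers promptly but fails the MAC. Either way it does not count.
    """
    nonce = os.urandom(16)            # fresh per round, so recorded answers cannot be replayed
    t_sent = clock.now_us
    clock.advance(sib.link_rtt_us + sib.relay_delay_us)   # simulated transport time
    answer = sib.respond(nonce)
    rtt_us = clock.now_us - t_sent
    expected = hmac.new(expected_key, nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(answer, expected):
        return False
    return rtt_us <= max_rtt_us


def aura_present(keys, siblings, clock, max_rtt_us, quorum):
    """Return (unlock_allowed, names_of_siblings_judged_nearby).

    `keys` maps sibling name -> pairing key held by the main device. Requiring
    `quorum` of the enrolled siblings (an assumed policy) lets the owner leave
    one item at home without being locked out.
    """
    nearby = [
        s.name for s in siblings
        if s.name in keys and challenge(keys[s.name], s, clock, max_rtt_us)
    ]
    return len(nearby) >= quorum, nearby


if __name__ == "__main__":
    clk = SimClock()
    keys = {"ring": b"ring-key", "glasses": b"glasses-key", "watch": b"watch-key"}
    genuine = [Sibling("ring", keys["ring"], 400),
               Sibling("glasses", keys["glasses"], 450),
               Sibling("watch", keys["watch"], 380)]
    print("all nearby:", aura_present(keys, genuine, clk, 1000, 2))
    relayed = [Sibling(s.name, s.key, s.link_rtt_us, relay_delay_us=20000) for s in genuine]
    print("all relayed:", aura_present(keys, relayed, clk, 1000, 2))
```

The round-trip budget is what makes the relay visible: the forwarded answer is correct, but the relay cannot avoid adding its own propagation and processing time, so the budget has to be set just above what the genuine link needs. Real deployments measure at the radio layer with far tighter timing than this simulation suggests, and setting the budget too generously reopens the relay window.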

The main device would be programmable, and backed up so it could easily be replaced if lost - a stolen device on its own would be safe as the highly sensitive data on it would be inaccessible without the ancillary "aura".

Sounds good so far, but there are likely to be a number of other potential risks to address - the project remains at the development stage.

The setup is also complex, relies on hardware which is unlikely to be cheap, and requires the user to remember all the bits that make up their aura for it to work.

These factors may make it unlikely to be universally adopted, but it could well be an acceptable approach for those requiring very secure access to a wide range of things.

Considerably less reliant on human effort, the "eDNA" concept from Oxford BioChronometrics instead uses the stuff we're all doing anyway.

It apparently takes a large number of small measures of how we interact with devices - typing speeds and patterns, mouse movements, swiping motions on touchscreens, presumably much more detailed data on how we move around from motion-sensitive hardware - and uses them to compute a unique fingerprint with which to identify a person.
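To show what one of those "small measures" looks like in practice, here is an added example built around a single signal, the timing between successive key presses while typing a fixed phrase. It is not Oxford BioChronometrics' method and says nothing about how eDNA actually combines its inputs; the per-interval mean/deviation profile, the z-score comparison, the 2.0 threshold and the timestamp samples are all constructed for illustration.

```python
import statistics

# Constructed enrolment data: key-down timestamps (ms) from four typings of the
# same four-character phrase by one user. Real systems gather many more samples.
ENROLMENT = [
    [0, 120, 250, 380],
    [0, 130, 245, 390],
    [0, 115, 260, 375],
    [0, 125, 255, 385],
]


def flight_times(key_down_ms):
    """Intervals between successive key-down events: one typing-rhythm signal."""
    return [later - earlier for earlier, later in zip(key_down_ms, key_down_ms[1:])]


def enrol(samples):
    """Build a profile from several typings of the same phrase.

    Each interval position gets its mean and population standard deviation.
    A 1 ms floor on the deviation avoids division by zero for a user who is
    perfectly consistent on one interval.
    """
    per_interval = zip(*(flight_times(s) for s in samples))
    return [(statistics.mean(col), max(statistics.pstdev(col), 1.0)) for col in per_interval]


def score(profile, key_down_ms):
    """Mean absolute z-score of a new typing against the profile; lower is closer."""
    ft = flight_times(key_down_ms)
    if len(ft) != len(profile):
        raise ValueError("sample must be a typing of the enrolled phrase")
    return sum(abs(x - mu) / sd for x, (mu, sd) in zip(ft, profile)) / len(profile)


def matches(profile, key_down_ms, threshold=2.0):
    """Accept when the typing is within `threshold` deviations of the profile on average."""
    return score(profile, key_down_ms) <= threshold


if __name__ == "__main__":
    profile = enrol(ENROLMENT)
    print("genuine:", score(profile, [0, 122, 252, 382]))   # same rhythm, small distance
    print("slower typist:", score(profile, [0, 300, 600, 900]))  # far outside the profile
```

The threshold is the whole trade-off: tighten it and the legitimate user is rejected whenever their rhythm drifts (a new keyboard, an injury, fatigue), loosen it and someone with a similar cadence slips through. A deployable version would keep the profile updated from accepted logins and fall back to a second factor when the score sits near the boundary rather than failing outright.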

Trials underway by 'a major household name'

The company, which originated in a startup programme run by the University of Oxford but which is now based in Luxembourg, offers a variant of its technology as a free WordPress plugin designed to eliminate comment spam from bots, and the full authentication system is at an advanced stage of development with trials apparently underway with at least one unnamed "major household name".

This seems pretty close to the panacea for password replacement, with no extra hardware required and no active effort needed at the user end.

Again adoption is the issue though, and the proof of the pudding will be in how easy such an approach is to implement and operate, and how secure it remains against the endlessly inventive imaginations of attackers.

It seems like we're unlikely to run out of choices for better, safer, simpler methods of authentication any time soon.

With such a diverse range of options available, it's also unlikely that any single approach will become widespread enough to achieve a dominant position for quite a while.

But if enough services start supporting a range of these approaches, then they'll start to be properly tested, both for ease of operation and security, in real widespread use.

Then we may start to see some, possibly many, achieve real penetration into all our lives, and eventually the slow death of tired old methods.

As organisations, we can hurry this process along by investigating these new technologies and seeing which might work, which would fit our environments and requirements to provide viable methods of authenticating our employees, users or customers.

As users or customers, we can help by keeping an open mind and trying out these new approaches to see which ones work best for us, which fit our lifestyles and usage patterns the best, which make us feel the most secure.

It's going to be a long process, but we'll get there one day.

Image of circuit board courtesy of Shutterstock.



13 Responses to Oxford and Cambridge in the race to eliminate passwords

  1. LindaB · 394 days ago

    I wonder how these 'behavioural systems' would react to a user who has, say, a joint replacement that affects the way they move? Or they suffer a stroke?
    Nothing is foolproof.

    • ricead · 393 days ago

      Of course. They would have a very unique pattern of movement.

  2. Jim Belcher · 394 days ago

    For these systems that require unique items to activate, what happens when the person in possession of those items moves away, quits, retires, or dies? A friend recently died and if his person were required to access all his accounts, his wife would have been left without anything as he had all the investments and accounts in his name.

    • Paul Ducklin · 394 days ago

      The same sort of problem already exists if someone dies along with their letters-digits-and-punctuation password.

      It's always possible to have a password recovery system, provided that you make it no less secure than the regular password mechanism. The idea is that you can make a password recovery system more of a hassle than the regular system because you only use it in unusual circumstances.

    • ricead · 393 days ago

      Normally with these systems, there is a second method of authentication. For example, on my laptop, I have a long strong password (13+ characters, upper, lower, symbols) and normally authenticate via fingerprint. You should also have backups that are protected and stored safely.

  3. Or · 394 days ago

    These are great surveillance tools, btw...
    Could there be a user-friendly login technology that you don't have to sacrifice privacy for?...

    • According to their documentation, part of the Pico plan is to isolate each login, so that no service could cross-identify you from one account to another, although planning to do that is one thing and doing it in a way that can't be fooled is another.

      The motion-sensing thing does seem quite scary in that regard - it seems to imply that you could be uniquely identified by anything that can read your movements, typing patterns etc., which would easily beat cookies and fingerprinting the software on your machine for tracking purposes.

      The worst part is, it's not like you could opt out by not using that form of authentication - once the pattern of measures you need to record is pinned down, anyone could start profiling your wobbles and typos and trying to track you.

      I'm sure the people developing it will only use it for kind and useful purposes of course, but once an idea takes off it's never long before it gets reverse-engineered, copied, and all too often abused.

  4. Why can't we have injectable under the skin tags (similar to pets)? Surely a cheap and workable alternative to all the other things being tried at present.

    • gcjenkinson · 394 days ago

      Peter, Pico is indeed considering the use of a subcutaneous implant. There has already been academic work in this area, notably IMPRINTS, which looked at public attitudes to a range of authentication schemes including implants. A potential issue is that technology often carries an existing association. For example, in the same way that fingerprinting can carry a connotation of criminality, implants are associated with pets and that makes many people uncomfortable.

      The problems with passwords are well documented, this suggests that there isn't an easy answer.

      • Wilbur · 394 days ago

        I don't think it is a potential issue - it is a very real issue. Many will call me silly, but the idea of mandatory (and they will be if for no other reason than as a condition of employment) ID implant brings a strong feeling of déjà vu with Nazi Germany and tattoos. What authoritarian central government could resist the temptation of such an effective means of control?

        • gcjenkinson · 393 days ago

          I say potential because there are circumstances where people are more than happy to have an implant, notably for contraception. I'm also told that there is a club in Glasgow where you can pay for drinks by waving your hand (with an implant) over a reader (clubbers like this as it means they don't have to carry cash). In these cases the utility outweighs other concerns.

          Pico isn't a tracking device, and we need to do a better job of communicating this.

  5. ricead · 393 days ago

    Does Pico mean I need sensors in all my clothing? What happens when you donate them to charity or dispose of them? Will we be buying Pico enabled clothes in the future?

  6. Gary · 386 days ago

    What happens with the Pico system if you are pushed into or fall into a pool or lake? How would replacing multiple parts of the 'aura' be addressed?

    To look at the dark side of things, would muggings in the future with Pico devices mean that not just your wallet/purse/watch be stolen, but the muggers would take everything and leave you naked? This way they make sure they get everything they need to authenticate as you.


About the author

John Hawes is Chief of Operations at Virus Bulletin, running independent anti-malware testing there since 2006. With over a decade of experience testing security products, John was elected to the board of directors of the Anti-Malware Testing Standards Organisation (AMTSO) in 2011.