Passwords have a big problem: They’re not very secure, and no one likes using them. That’s why you now find Web browsers, password managers, and mobile phones all trying to take some of the pain out of the process.
Today’s technology is looking for hardware and software solutions, with the iPhone’s Touch ID fingerprint reader perhaps the most prominent example. But there are many companies, including wearable device makers, working to push biometrics further into the mainstream.
These gadgets aim to finally rid end users of their reliance on passwords. If they succeed, we may soon see a future in which our bodies are the only authentication we will ever need—whether it’s really more secure or not.
Our Bodies As Passwords
Other gadgets have already introduced the broader public to biometric authentication. The fingerprint-sensing technology inside the iPhone and the latest Samsung handsets is a marked improvement over a PIN code or a password. They are, however, not perfect: With enough time and effort, fingerprints can be spoofed or fooled. (We leave them everywhere we go, after all.) They’re also impossible to change once an account has been compromised.
In its current state, such technology works best as a second layer of protection alongside other security measures. To spoof a fingerprint on an iPhone 6 “requires skill, patience, and a really good copy of someone’s fingerprint,” but it can be done, writes Marc Rogers from the Lookout security firm.
A Minority Report-style iris scanner isn’t too far from reaching consumer gadgets, either: At MWC earlier this month Fujitsu showed off a prototype eye detection device that knows exactly who’s looking at it by their irises, while ZTE has introduced retina-scanning technology to its smartphones.
Microsoft also significantly boosted biometric support for its upcoming Windows 10 software. The OS ships this fall with a feature called Windows Hello, which is essentially support for the Fast Identity Online (FIDO) 2.0 specification. It heralds a future in which you might, say, log into your Windows PC with a fingerprint or eye scan.
Now wearables are poised to take biometric adoption even further. Over the last year or two, we’ve seen wrist bands, chest straps and other gadgets riddle themselves with sensors. They filter into the consumer market at a rapid clip—you may well have a step-counting, sleep-tracking, heart rate-reading band strapped to your wrist to quantify your health and fitness levels. The data gleaned from those sensors may also offer another way of proving your identity to a website or bank machine.
Your heartbeat’s rhythm is just as unique as your fingerprint, and far harder to duplicate. It’s the unique key at the center of the Nymi Band from Canadian firm Bionym, which is currently in trials with a UK bank. If successful, it may offer customers secure, alternative logins someday.
For now, Nymi is still very much in the development stage. But it points to one way biometrics could confirm our identities to cash machines, computers, smartphones and door locks.
In Sweden, the high-tech Epicenter office gives staff members the opportunity to have an RFID (Radio-Frequency Identification) chip implanted under their skin. That may be wearable technology taken to the extreme—a surgical implant—but once embedded, the chips grant easy and secure access to any number of areas, from photocopiers to computer workstations, all with no passwords required.
There are dozens of these projects popping up, all small-scale and experimental, but all indicating the password-free future that’s approaching. And low-cost, always-on electronics, combined with unique biometrics, are going to play a major role.
The Weakest Link
These kinds of systems are only as strong as their weakest link, however. Every password-protected device, app or site needs some kind of safety net—like the reset links emailed to you when you’ve forgotten your password. But unless that back-up measure is equally secure, every other precaution is in vain.
Dropping your heartbeat-measuring band in the river is one thing. A stranger commandeering or replacing your biometric data is another. Consider this: Associating an eyeball with your bank account may seem well and good, but only if that eye is actually yours. Criminals can’t spoof your iris, but if they can reset the link and use a different iris instead, the security fails.
Next-generation safeguards, like the ones we use now, can’t take an all-or-nothing approach, nor can they afford to leave the back door unlocked. There must always be some way of confirming your identity if there’s a problem with the primary method of access. Today, that’s anything from confirming your date of birth to having a PIN code mailed to your verified home address.
Behavioral biometrics are another option. More than a one-off identification step, they allow for ongoing monitoring of your behavior, detecting everything from the way you type to the angle at which you hold your phone.
BehavioSec is one firm innovating in this area, adding an extra layer of security on top of existing measures: “a process of non-invasive, frictionless verification,” in the company’s words. BehavioSec describes multi-layered security with three pillars: something you have (a phone), something you know (a PIN code), and something you are (your physical or behavioral metrics). You can see a demo of its behavioral metrics detection system in action.
“We need to change the way we think about security–it shouldn’t be a conversation of ‘either, or’, with any one new technology sweeping in to replace another,” BehavioSec CEO Neil Costigan told me. “Since virtually every authentication technique can be compromised, institutions should not rely solely on any single control for authorizing high risk transactions, but adopt a layered approach to security.”
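The two ideas above, that an account is only as strong as its weakest access path (recovery included) and that high-risk transactions should require a layered combination of factors rather than any single control, can be made concrete with a small model. The following is an added illustration, not code from the article or from BehavioSec or Bionym; the ordinal assurance scale, the scoring rule, and the sample factors are all constructed for this example and are not drawn from any standard.

```python
from dataclasses import dataclass
from typing import Dict, Sequence

# Constructed ordinal scale for the illustration; not from any standard.
LEVELS = {"weak": 1, "moderate": 2, "strong": 3}
MAX_LEVEL = max(LEVELS.values())


@dataclass(frozen=True)
class Factor:
    name: str
    category: str  # one of the three pillars: "have", "know" or "are"
    strength: str  # key in LEVELS


@dataclass(frozen=True)
class AuthPath:
    """One way into the account: the primary login or a recovery/reset route.
    Every factor on a path must be presented."""
    name: str
    factors: Sequence[Factor]


def path_assurance(path: AuthPath) -> int:
    """Assurance of one path: the strongest factor's level, raised by one when
    the path mixes at least two distinct categories (true multi-factor), capped
    at MAX_LEVEL. Constructed scoring rule, not a standard."""
    if not path.factors:
        raise ValueError(f"path {path.name!r} has no factors")
    base = max(LEVELS[f.strength] for f in path.factors)
    categories = {f.category for f in path.factors}
    bonus = 1 if len(categories) >= 2 else 0
    return min(base + bonus, MAX_LEVEL)


def account_assurance(paths: Sequence[AuthPath]) -> Dict[str, object]:
    """Weakest-link rule: the account is only as strong as the weakest path
    that grants access, and recovery routes are paths too."""
    scored = {p.name: path_assurance(p) for p in paths}
    weakest = min(scored, key=scored.get)
    return {"paths": scored, "weakest": weakest, "effective": scored[weakest]}


def allows_high_risk(path: AuthPath) -> bool:
    """Layered policy for high-risk transactions: never a single control.
    Require factors from two distinct categories and strong assurance."""
    categories = {f.category for f in path.factors}
    return len(categories) >= 2 and path_assurance(path) >= LEVELS["strong"]


# Constructed sample factors modelled on the mechanisms the article mentions.
HEARTBEAT_BAND = Factor("heartbeat-rhythm band", "are", "strong")
PIN = Factor("PIN code", "know", "moderate")
EMAIL_RESET = Factor("emailed reset link", "have", "weak")
MAILED_CODE = Factor("code mailed to verified home address", "have", "moderate")
DATE_OF_BIRTH = Factor("date of birth", "know", "weak")

PRIMARY = AuthPath("primary login", [HEARTBEAT_BAND, PIN])
WEAK_RECOVERY = AuthPath("recovery", [EMAIL_RESET])
DOB_RECOVERY = AuthPath("recovery", [DATE_OF_BIRTH])
HARDENED_RECOVERY = AuthPath("recovery", [MAILED_CODE])


def compare() -> Dict[str, int]:
    """Effective account assurance before and after hardening the reset path.
    The biometric primary login is unchanged in both cases."""
    before = account_assurance([PRIMARY, WEAK_RECOVERY])["effective"]
    after = account_assurance([PRIMARY, HARDENED_RECOVERY])["effective"]
    return {"before": before, "after": after}


if __name__ == "__main__":
    for paths in ([PRIMARY, WEAK_RECOVERY], [PRIMARY, HARDENED_RECOVERY]):
        print(account_assurance(paths))
    print("high-risk via primary:", allows_high_risk(PRIMARY))
    print("high-risk via recovery:", allows_high_risk(HARDENED_RECOVERY))
```

Run as a script, the model shows the heartbeat-plus-PIN login scoring at the top of the scale while the account as a whole scores only as high as its emailed reset link; replacing that link with a code mailed to a verified address raises the floor, but the recovery route still fails the high-risk policy because it presents a single category. The point generalizes beyond the sample data: any new factor is evaluated as one path among several, and the reset path is always in the set.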
More wearables and other devices will soon start acting as ID badges—from the Apple Watch to the Nymi Band. There’s plenty of promise in biometric authentication. But if these systems are still backed up by old-school safeguards, that promise could turn into a pitfall, lulling users into a false sense of security.
Images courtesy of Bionym, Apple and Fujitsu