The alphanumeric password is revealing itself as unfit for purpose. As the number of devices (approaching 20 billion) and services that need access control increases, this legacy standard has reached a tipping point, as measured by the vast number of identity thefts and account hijacks affecting people in recent times. There are more secure, less costly and more adoptable alternatives to the password approach. It is estimated that online ‘direct’ fraud is costing the global economy around £60bn a year. The associated indirect costs of identity theft and recovery have not been fully quantified, but are possibly many times the direct costs. Large e-commerce merchants believe that fraud is inevitable, but understand that their prevention efforts will result in more positive customer relationships. The current most widespread authentication approach employs passwords.
Passwords just aren't fit for purpose
Passwords are weak and susceptible to many types of attacks as the security is dependent on a user’s ability to keep the password secret from eavesdropping in its many forms. If we were to invent it today, we might find that it does not pass quality control for making financial transactions remotely, such as fund transfers and other payments through an internet banking channel. There is also the question of the cost of support associated with user ID and password complexity as IT support staff often need to spend extra time dealing with authentication problems, such as helping staff reset passwords that are locked after a certain number of failed entry attempts.
Biometrics-based authentication provides a robust alternative to using passwords and PINs. It validates user identity by measuring a person's unique physiological and behavioural characteristics. A good biometric measure maximises the random variation between different people while minimising the variation within the same person from one measurement to the next. In contrast with passwords and PINs, a biometric identifier cannot be lost, forgotten or shared. One can choose from a large list that includes fingerprint, face, retinal scan, iris, gait, vein infrared thermogram, hand geometry and palm print – or from a combination of these identifiers, termed multimodal biometrics.
The rise of mobile
The biggest change in the workplace might be the rise of the mobile as the device of choice for biometric reading. Mobile devices are increasingly the mainstay of people’s online activities, and most of the market-dominating smartphones now have biometric readers or sensors already incorporated into the hardware. Biometrics will also have some impact on the workplace where additional hardware, such as scanners, has to be bought. There are also extra costs for deployment, support and maintenance, and dedicated hardware may not be suitable for mass-consumer deployment.
Deployment of proper biometric solutions should significantly reduce identity thefts – with great benefits for the economy – by eliminating passwords from the equation in favour of more reliable solutions. Trust is particularly important for financial institutions, merchants and consumers (due to issues like identity theft and the inconvenience of account blocking), so we can reasonably expect that the businesses to deploy biometrics at large scale first will be those involved in mobile payments and other financial organisations.
Biometrics: Not without its challenges
There are, of course, many biometric solutions. None is a silver bullet and one size certainly does not fit all. The accuracy of facial recognition systems varies greatly due to factors such as lighting, angle and camera sensitivity. Facial techniques can easily be thrown off – the same person looks different wearing glasses, sunglasses or no glasses at all, and even under a different colour of ambient light.
Likewise, fingerprint readers are affected by myriad factors, such as temperature. Fingerprint scanners are deployed en masse in phones at the moment due to Apple’s Touch ID system; they have actually been on laptops for years but hardly anyone used them. The Touch ID system from Apple is quite impressive from a security perspective, but fingerprint scanners are not the solution – simply because we leave prints on every surface we touch. There have been many examples of Apple’s Touch ID being bypassed through the use of scanners, latex, and patience.
There are other biometric systems on the market using contextual information, such as location, in clever ways. For instance, many are not yet familiar with keystroke dynamics, in which the timing of a user's keystrokes is analysed. The time taken to reach and depress a key (seek-time) and the time the key is held down (hold-time) can be very specific to a person, regardless of how fast they type overall. Most people have specific letters that take them longer to find or reach than their average seek-time over all letters, but which letters those are may vary dramatically – and consistently – between people. Right-handed people may be statistically faster at reaching keys they hit with the fingers of their right hand than of their left. Index fingers may be faster than other fingers.
Normally, all that is retained when logging a typing session is the sequence of characters corresponding to the order in which keys were pressed, and timing information is discarded. Keystroke dynamic information, which is normally discarded, can be used to verify or even determine the identity of the person who is producing those keystrokes. There are several home and commercial software products that claim to use keystroke dynamics to authenticate a user, such as BioTracker, ID Control, TypeWATCH, Authenware, Probayes, and KeyTrac.
Voice is another biometric technique, though it has to be measured against the ambient background, whether that is a restaurant, train, corner shop or sports arena. There really has not been much movement in trying to implement voice authentication. It does play a part in some multi-factor systems. The main barrier to any widespread adoption has been the problem of aural eavesdropping. Quite simply, casual or malicious bystanders may overhear private information spoken by screen readers or users.
There are, however, some niche areas where it is needed and has been adopted, such as the special needs of disabled citizens. In the context of disability, the process of authentication is stressful for many users looking to access devices or services. For example, individuals who are blind obviously have difficulties with authentication processes like CAPTCHA. Consequently, they are cut off from bank accounts and all other online access points because they would have to see and input meaningless character sequences. There’s an opportunity for voice authentication to play an important role here.
These sources of potential error create two error rates that biometric algorithms build into their calculations – the false acceptance rate and the false rejection rate. If these are not managed and measured properly, the result is a bad user experience. This has been a problem with the commercialisation of such technologies in the past decade as vendors seek to achieve the elusive 100 per cent accuracy rate. The objective of biometric identity authentication is to establish a bond of trust between an organisation and the user who is requesting system access. More specifically, identity authentication ascertains a level of trust regarding who the user claims to be. It follows that the more accurate the authentication method the user can present to prove their identity, the stronger this bond of trust becomes.
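As an added illustration of how the keystroke-dynamics features described above and the false acceptance / false rejection trade-off fit together (example code written for this page, not from the article or from any of the products it names): the sketch below extracts hold-times and seek-times from constructed key events, enrols a template from several genuine typings, scores a probe against it, and reports FAR and FRR at a chosen threshold. The timings, the scaled Manhattan distance and the 2 ms standard-deviation floor are all assumptions made for the example.

```python
# Keystroke-dynamics verification with FAR/FRR measurement (constructed example).
from statistics import mean, pstdev

SD_FLOOR_MS = 2.0  # assumed floor so a tiny enrolment set never yields a zero std dev


def features(events):
    """events: list of (press_ms, release_ms) for one typing of the phrase.
    Returns hold-times (key held down) followed by seek-times
    (gap from the previous release to the next press)."""
    holds = [rel - prs for prs, rel in events]
    seeks = [events[i][0] - events[i - 1][1] for i in range(1, len(events))]
    return holds + seeks


def enrol(samples):
    """Template = per-feature (mean, std dev) over several genuine typings."""
    cols = list(zip(*[features(s) for s in samples]))
    return [(mean(c), max(pstdev(c), SD_FLOOR_MS)) for c in cols]


def distance(template, events):
    """Scaled Manhattan distance: mean absolute deviation in units of std dev."""
    return mean(abs(v - mu) / sd for v, (mu, sd) in zip(features(events), template))


def verify(template, events, threshold):
    return distance(template, events) <= threshold


def error_rates(genuine_scores, impostor_scores, threshold):
    """FAR: impostor attempts accepted; FRR: genuine attempts rejected."""
    far = sum(s <= threshold for s in impostor_scores) / len(impostor_scores)
    frr = sum(s > threshold for s in genuine_scores) / len(genuine_scores)
    return far, frr


def make_events(holds, seeks):
    """Constructed sample: turn hold/seek timings (ms) into (press, release) events."""
    events, t = [], 0
    for i, h in enumerate(holds):
        if i:
            t += seeks[i - 1]
        events.append((t, t + h))
        t += h
    return events


# Constructed timings: three enrolment typings of a four-key phrase, then two probes.
ENROLMENT = [make_events([90, 80, 100, 85], [120, 150, 110]),
             make_events([94, 84, 96, 89], [126, 144, 116]),
             make_events([86, 76, 104, 81], [114, 156, 104])]
GENUINE_PROBE = make_events([91, 79, 101, 84], [122, 149, 111])
IMPOSTOR_PROBE = make_events([140, 130, 150, 145], [250, 300, 220])
TEMPLATE = enrol(ENROLMENT)
```

Lowering the threshold drives FAR down and FRR up, which is exactly the trade-off the article describes.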
The future of biometric authentication
It is feasible that biometric authentication will become the de facto form of providing credentials, although it should be combined with multi-factor methods. Hardware devices do potentially offer ideal security, but often the problem is the need to carry such a device on the person – hence the move towards making our mobile phones that de facto hardware device. One popular hardware approach for authentication is smart cards. Smart card technology provides an excellent medium for storing biometrics, and a strong authentication platform in our pocket. Mobile phones and smart cards can be used for both physical and logical access authentication.
There are, of course, problems with hardware security tokens. Firstly, they involve additional costs, such as the cost of the token and any replacement fees. Users always need to carry the token with them, and they need multiple tokens for multiple websites and devices. Finally, tokens do not fully protect users from man-in-the-middle attacks, where an intruder intercepts a user's session and steals their credentials by acting as a proxy between the user and the authentication device, without the user's knowledge. Basically, if you lose the token, you lose control.
One technique which should be combined with any biometric authentication is a multi-factor one. This reduces risk by involving separate types of factors that would require an attacker to use different methods of attack, thus making a breach more difficult. Multi-factor authentication combines at least two of the following methods to strongly authenticate a user: something you know, which is typically a password or PIN; something you have, like a trusted device identifier that is not easily duplicated; and something you are – in other words, your unique biometrics.
Two items must be combined from different categories in order to qualify as multi-factor authentication, so a PIN plus a password is not actually multi-factor, since both of these are something you know. Full three-factor authentication, when combined with a device ID, allows users to easily combine ‘what we have’ and ‘what we know’ with the important ‘who we are’. This is hugely important for future security systems. Biometric solutions may not currently provide us with the solution we need to fully secure our accounts and systems, but they will play an increasingly important role in the days ahead.
Now, where did I put that post-it note with my password?
Dr Kevin Curran is a senior member of IEEE and reader in computer science at Ulster University