Welcome your new password: you. Your face, iris pattern, voice, veins, fingerprints, palms, heartbeat, brainwave patterns and other body parts are being used increasingly at the expense of the traditional password which has always been so vulnerable to being lost, stolen or forgotten. Even body odor is said to be distinct enough to tell us all apart.
So why don't we just say goodbye to passwords? Not quite yet. Ericka Chickowski recently opined in darkreading.com that it's not the first time that the death of passwords has been predicted. It's been over a decade now since Bill Gates stood up in front of the audience at the RSA Conference and predicted the end of the password.
He's still waiting. Chickowski says that in fact, as SaaS apps and mobile services proliferate in the market, password prevalence is growing. According to a Research and Markets report earlier this spring, the global password management market is growing at a robust 16.33% annual clip and is expected to continue that trajectory through 2019.
Although the traditional password may be on 'death row', it clearly isn't likely to go six feet under overnight. However, it cannot be denied that the writing is on the wall for all such identification methods that involve memory or character storage. The debate has been reduced to when, not if, passwords will eventually die off. Indications are that passwords are only being tolerated because alternative biometric systems haven't yet matured enough to replace them effectively.
That would be the 'game-changer'. As Olivia Solon of the guardian.com recently put it, biometric security doesn't rely on what you can remember, but who you are. It swaps passwords for digital readings of anatomical features. So much better than the password system, which Thomas Keenan, a professor and expert in biometrics from the University of Calgary, describes as severely broken.
"We've been relying on them for 40 years, but people now have so many and they are so complex that we can no longer remember them. You can't forget body parts and they are much harder to duplicate or steal," he said.
Solon stated that Apple's Touch ID, a fingerprint authentication feature launched with the iPhone 5s in 2013, is one of the first attempts to bring biometric ID to the masses. Similar capabilities feature in Microsoft's latest operating system, Windows 10. According to Biometrics Research Group, 650 million were using biometrics on mobile devices at the end of 2015.
One of the newest technologies bringing biometric access control to website logins is a new USB security key. Alex Perala, in a recent publication for mobileidworld.com, says the device, named OdyOne, is being developed by Odyxa, with a crowdfunding campaign underway.
It's essentially a portable USB fingerprint reader. By integrating its biometric access control with the various passwords used to sign in to multiple websites, OdyOne acts as an extra security layer and a password manager.
Biometric usage has become widespread in the security industry and has found application in security systems involving ATMs, cars, briefcases and much more. Lately, even guns can be triggered biometrically. As of January 2016, a company called Sentinl will start selling Identilock, a gun-lock that will only release the trigger when the rightful owner's finger comes in contact with it.
As would be expected, privacy and intrusion concerns have become all the rage, and biometrics is no exception. Jennifer Lynch, a senior staff attorney at the Electronic Frontier Foundation, a digital rights group, warned: "Data breaches are very common. If biometric information is stored on a mass scale it can be hacked into and stolen and we may lose control of it."
Solon additionally stated that the same characteristics that make biometrics seemingly secure are what also make them so intrusive. If passwords are stolen, we can change them. We can't change our fingerprints or our faces. History has shown that storing any kind of personal data presents a tantalizing bounty to malicious hackers, as demonstrated when the fingerprints of 5.6 million US federal employees were stolen in September.
The hacker threat is also strong and the potential risks significantly high. Biometric hackers from Germany's Chaos Computer Club reportedly bypassed Apple's Touch ID just days after it launched by taking a photograph of a fingerprint on a glass surface and using that to create a fake finger that could unlock the phone.
A year later a member of the same hacking group, Jan Krissler, cloned the thumbprint of the German defense minister, Ursula von der Leyen, after photographing her hand from a distance at a press conference.
Ways have been found to spoof not just fingerprints, but facial recognition devices and eye scanners as well. The risk of spoofing can, however, be mitigated through the use of more sophisticated sensors such as ultrasound-based fingerprint scanners, which detect the pulse in the blood vessels under the skin or through "multi-factor authentication". This is the combination of different biometric identifiers to reduce the likelihood of any foul play.
Another key mitigation towards safeguarding privacy involves ensuring that biometric data is stored on devices and not on central servers.
In today's hi-tech world, even children are impacted. Anti-biometric campaigner Pippa King believes that these systems desensitize children to giving up their biometric information without grasping the consequences and "could have serious implications later down the line for buying a mortgage, opening a bank account, or getting insurance".
Lauren Devine, a lawyer and academic expert in child protection and safety, would agree, except that she is more focused on the implications for children today. Her 13-year-old son Jacob (now 16) was sent to isolation for refusing to register his fingerprint to use the school canteen. "I went to school and said that I didn't give my consent. As a parent, I want to be clear that the decisions I make that affect my children are in their best interests", she said.
Public concerns notwithstanding, the push to retire the password system continues to grow. Peter Counter for findbiometrics.com explains the impact of cyber crime in 2015 and how it has fed the growth towards biometric alternatives. A survey carried out by findbiometrics.com found that over 70% of respondents felt that the password is indeed dead for all practical purposes, and could be entirely replaced by biometric options by 2020.
About 25% of respondents see a 'Multi-factor Future' or 'second-factor authentication', which is a hybrid of biometrics and passwords in the transition phase. The dual system would grant stakeholders the best of both worlds while minimizing the respective weaknesses of each system on its own.
Acuity Market Intelligence findings corroborate the findbiometrics.com survey findings. Acuity independently projected that biometrics will be standard on 100% of all smartphones by 2020 and that in the target year alone over 5.5 billion apps that use biometric features will be downloaded.
Similarly, a survey carried out by secureauth.com found that 66% of cybersecurity professionals are moving beyond traditional passwords. This finding comes close to matching the 70% finding by findbiometrics.com, and the desire for a hybrid access and authentication system.
According to Craig Lund, CEO of SecureAuth: "This survey very clearly indicates there is an appetite for multi-factor authentication solutions beyond the traditional password... advances in Adaptive Authentication have brought to market a number of options that help users stay both secure and productive by layering multiple methods, such as device recognition, analysis of the physical location of the user, or even by using behavioral biometrics to continually verify the true identity of the end user".
Meanwhile, the password awaits its inevitable fate: replacement by you and me.