Biometrics Finally Ready for Prime Time
There are relatively few things we know for certain in the security industry, but one of them is that the password has become nearly useless as an authentication mechanism. Users are bad at creating them and modern computing resources have advanced to the point that attackers have little trouble cracking even complex passwords.
Despite these facts, use of passwords as a primary authenticator has persisted for far longer than experts ever believed it would, and certainly much longer than it should have. But that era likely is coming to an end, and not a minute too soon. Use of biometrics as primary identifiers and as a second factor is expanding quickly, with many banks, card issuers, and other high-value targets deploying either or both of these methods in the last few months. Biometrics have been The Future for too many years to count, but it appears that the future may be here at long last.
Earlier this year MasterCard began rolling out an identification system that uses selfies. Customers upload photos of themselves via the company’s app, and the pictures are used as an authentication method for future transactions. Rather than using a short PIN or a crappy password, customers use themselves as an authenticator. MasterCard is hoping that the change will help cut down on the millions of mistakenly declined transactions it has every year, a problem that it says costs more than $100 million annually.
Google also is investing time and money in an effort to get away from passwords. The company has been funding a research effort known as Project Abacus that is focused on developing technologies to identify users through their movements and activities on a device. The system takes a multimodal approach, observing users’ normal interactions with a device, such as typing habits, and combines that with technologies such as facial and voice recognition. Those pieces are then combined to form a trust score that Android will use to grant or deny access to apps. That’s in addition to the fingerprint recognition sensors that many devices already carry.
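To make the trust-score idea concrete, here is a toy fusion of the kind of signals Abacus is described as using (typing habits, face, voice) into one score gated per app. This is example code added to this article, not Google's implementation; the modality names, weights, half-life decay and per-app thresholds are all assumptions.

```python
"""Toy multimodal trust score of the kind Project Abacus is described as computing.
Example code, not Google's implementation: weights, decay rule and thresholds are assumed."""
from dataclasses import dataclass
import math

@dataclass
class Signal:
    score: float   # 0.0 (stranger) .. 1.0 (certainly the owner), from one modality
    age_s: float   # seconds since that modality last observed the user

# Assumed relative weight of each modality; they sum to 1.0.
WEIGHTS = {"typing": 0.3, "face": 0.4, "voice": 0.3}
HALF_LIFE_S = 300.0  # an observation loses half its value every 5 minutes (assumption)

def trust_score(signals: dict) -> float:
    """Fuse the available modalities into one 0..1 score.

    Missing modalities contribute nothing but keep their weight in the
    denominator, so a score built from a single sensor can never reach 1.0,
    and stale observations are discounted by an exponential half-life."""
    total_weight = sum(WEIGHTS.values())
    evidence = 0.0
    for name, weight in WEIGHTS.items():
        sig = signals.get(name)
        if sig is None:
            continue  # no camera, user silent, etc.: absent is not the same as a 0 score
        decay = math.exp(-math.log(2) * sig.age_s / HALF_LIFE_S)
        evidence += weight * decay * sig.score
    return evidence / total_weight  # no signals at all yields 0.0: fail closed

# Per-app thresholds (assumed): a banking app demands more than a weather widget.
APP_THRESHOLDS = {"bank": 0.8, "email": 0.5, "weather": 0.2}
DEFAULT_THRESHOLD = 0.8  # unknown apps get the strict default

def decide(app: str, signals: dict) -> str:
    """Return 'grant' when the fused score clears the app's bar, else 'step-up',
    i.e. ask for an explicit factor (fingerprint, PIN) rather than hard-deny."""
    if trust_score(signals) >= APP_THRESHOLDS.get(app, DEFAULT_THRESHOLD):
        return "grant"
    return "step-up"

if __name__ == "__main__":
    # Constructed sample: owner recently typed, was seen and heard.
    fresh = {"typing": Signal(0.9, 5), "face": Signal(0.95, 10), "voice": Signal(0.8, 60)}
    print("bank with fresh signals:", decide("bank", fresh))
    print("bank with face only:   ", decide("bank", {"face": Signal(1.0, 0)}))
```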
Banks and financial institutions are moving to biometrics and two-factor authentication at a quick pace now, too. Some banks, including Bank of America and Wells Fargo, have features in their mobile apps that allow customers to log in with fingerprints. Others, such as Citigroup, are using voice recognition to authenticate customers.
It’s all very Sneakers.
And it’s also long overdue. Users are notoriously bad at creating and remembering passwords, but the one thing they’re good at is being themselves. Spoofing someone’s fingerprint or voice or face is much more difficult than guessing his password. Not impossible, mind you, but anything we can do to ratchet up the difficulty for attackers is a win. There has been research on bypassing fingerprint sensors and fooling voice recognition systems, but those are no mean feats and typically require more resources than a run-of-the-mill dictionary attack on a password does.
The security industry historically has been terrible at predicting the demise of a given technology. Like, worse than Stephen A. Smith is at predicting NBA champions. IDS, antivirus, passwords. All of these have been given the last rites many times over, and all are still hanging on, if only by a fingernail. And I’m certainly not here to declare the password dead; it’s far too entrenched. But it is clear that the days of the password being the default authentication mechanism are numbered, which is a big win for users and providers both.