Password Fast Forward

Feb 27, 2013 in Technology

Facial-eye recognition software could be the new password.

These days, traditional passwords are suspect in their ability to handle the safety of our valuable online data. This isn’t a new problem. Nearly a decade ago, in 2004, Bill Gates was predicting the demise of the alpha-numeric password, calling it a weak spot in security and identity authentication. He was one of the first to propose moving security onto smartcards and biometrics. With few exceptions, most programs, websites and protected databases are still using the standard-issue username/password combination for access. But with recent high-profile hackings like that of Wired tech writer Mat Honan last summer, the issue of changing password technology is a hot one again. So what are the current options?

Behavior-based gestures

The government’s Defense Advanced Research Projects Agency (DARPA) is on the lookout for other forms of authentication based on behaviors, like the way people type or make other hand gestures. Security researchers are investigating the way people are using their machines so that their identity can be verified at all times: “for example, how the user handles the mouse and how the user crafts written language in an e-mail or document” they say on their website. DARPA’s program manager Richard Guidorizzi explains what makes this method different from the current password format:

“My house key will get you into my house, but the dog in my living room knows you’re not me. No amount of holding up my key and saying you’re me is going to convince my dog you’re who you say you are. My dog knows you don’t look like me, smell like me or act like me. What we want out of this program is to find those things that are unique to you, and not some single aspect of computer security that an adversary can use to compromise your system.”

Multi-step verification

This is an option Google made available a while ago, and if you haven’t activated it, now would be a good time to do it. Google offers a two-step verification: it asks for the classical password, and also sends a text message with a code to your personal cellphone. According to Honan, who has taken on the issue of online security fallacy with a vengeance since his hack, this is just the beginning. The future of passwords means a combination of different identifiers that extend far beyond the password. The more pieces required for verification, the stronger the security of a system gets.

Smartcards

Google researchers are experimenting with a tiny Yubico cryptographic card that works somewhat like a car key: you slide it into a USB reader and it automatically logs you into Google, opening your web mail and online accounts. They have modified Google’s web browser to work with these cards, but the best part is that there is no software download, and once the browser support is there, it’s quite easy to use.

Biometrics

  • Facial recognition. This option already exists in the form of a photo-based system that needs a picture of your face as login for the computer. Basically, if your computer is stolen and someone attempts to hack it, the software takes a photo of the person who tried and failed. For websites, Silicon Republic reports that teenagers Niall Paterson and Sam Gaulfield have created Viv.ie, a facial recognition system, available through an open API that website owners can deploy to allow their users to log in without a password. The technology is quite simple: it takes a photo of your face and then analyses it against the database of registered users. There are two problems, though: whoever wants to hack your computer could show a photo of your face, thus opening all channels to the uninvited guest, and it hasn’t yet been finalized due to high costs and little experience in the business world for the two 17-year-olds. It is definitely a start.
  • Voice recognition. This one exists as well; some banks use it, replacing the traditional PIN number with the sound of the account owner’s voice.
  • Touch gestures. Computer scientists have been researching ways for your phone and tablet to recognize just your special touch. Some speculate that Apple purchased security firm AuthenTec in order to include a kind of fingerprinting technology on its future devices.

Better monitoring on the other end

Facebook and Google are currently the only ones doing this. They are on the lookout for anomalies; first they flag them and then shut down the activity if it seems like fraud. For example, if they notice that your Google or Facebook account was accessed from an odd location, they will start asking a set of questions, and if these are not answered properly they’ll email a notification telling the account owner to change their password.
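
The flag, challenge and notify sequence described above can be sketched as follows. This is an added example, not code from Google or Facebook: it generalizes "odd location" to "implausible travel speed since the last accepted login", and the names, the 900 km/h ceiling and the in-memory outbox are all assumptions made for illustration.

```python
import math
from dataclasses import dataclass, field
from typing import Callable, Optional

MAX_KMH = 900.0  # assumed ceiling, roughly airliner cruising speed

@dataclass
class Login:
    ts: float   # epoch seconds
    lat: float
    lon: float

@dataclass
class Account:
    email: str
    last_good: Optional[Login] = None
    outbox: list = field(default_factory=list)  # stands in for a mail queue

def km_between(a: Login, b: Login) -> float:
    """Great-circle distance between two logins (haversine), in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def is_odd_location(acct: Account, login: Login) -> bool:
    """True if reaching this location since the last accepted login is implausible."""
    prev = acct.last_good
    if prev is None:
        return False  # assumption: the first login sets the baseline
    hours = max((login.ts - prev.ts) / 3600.0, 1e-6)  # avoid division by zero
    return km_between(prev, login) / hours > MAX_KMH

def handle_login(acct: Account, login: Login, challenge_passed: Callable[[], bool]) -> str:
    """Return 'allow', 'allow_after_challenge' or 'blocked'."""
    if not is_odd_location(acct, login):
        acct.last_good = login
        return "allow"
    if challenge_passed():  # the "set of questions" step
        acct.last_good = login
        return "allow_after_challenge"
    # Failed challenge: block, keep the old baseline, and notify the owner.
    acct.outbox.append((acct.email, "Suspicious sign-in blocked. Please change your password."))
    return "blocked"
```

A blocked attempt deliberately leaves `last_good` unchanged, so a failed login from a new location cannot become the baseline for later checks.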

The final solution is an official identity standard, which has yet to be adopted: biometric fingerprints, iris scanning or smartcards. Until a government adopts a national identity standard, passwords will remain. Suggestions?