Biometric identification might be the latest weapon in the cyber-security battle, but it is not without risk. Lee Painter argues that those risks mean the traditional password won't be disappearing any time soon.
The password has been on its last legs for some time. At a conference, way back in 2004 Bill Gates predicted the death of the traditional password as he championed the use of hardware tokens as security authenticators.
Fast forward a decade or so and using key fobs, USB tokens and smart cards or software tokens to verify authentication requests is common practice. Now the buzz is around biometric identification using fingerprints, iris, voice or facial recognition or even keystrokes or authentication based on heartbeats.
Naturally, governments have been at the forefront of this move. The integration of biometrics into smartphones has also seen payment companies and mobile operators come together to push forward biometric payments. Financial institutions too have been early adopters. HSBC has announced it would be rolling out fingerprint and voice recognition, following in the footsteps of a number of other UK banks, who have variously been testing out fingerprint identification via iPhone or finger scanners.
The appeal of biometrics as a means of authentication is easy to understand. It combines enhanced security with ultra-convenience. As numerous pieces of research have shown, we simply don't follow the experts' advice when it comes to password security. People routinely write passwords down or choose simple or really obvious passwords – according to research by Splashdata the most commonly used password across the US and Europe is actually 123456. Even where a stronger password is used, increasingly sophisticated brute force attacks show how easy it is to crack more complex passwords. Then there's the hassle of constantly resetting passwords we can't remember.
Making a finger imprint or repeating a set phrase is certainly more convenient. But is relying on biometrics really any more secure? Reports that fingerprints can be faked have been around for a while most recently in the research report on peace sign selfies published by Japan's National Institute of Informatics. It sounds like something from a Mission Impossible film, but then again so did the very idea of biometric authentication just a few years ago.
And what happens if your bank or a payments company suffers a data breach or you're the victim of fraud? It's easy enough to change a password or PIN, not so your fingerprints or voice. Then there are the privacy concerns. In addition to government agencies holding sensitive biometric data, so will an increasing number of other organisations. Will getting hold of this incredibly valuable data prove just too tempting for hackers?
For these reasons it seems biometrics alone will never be completely relied on to the exclusion of other authentication measures. Multi-factor authentication is the obvious way forward, adding a biometric element to the two-factor authentication we've become accustomed to with many transactions to add an extra layer of security. And at some stage in the process you can bet that one of these security layers is going to be a password.
The role of the password has already and will continue to evolve. In the past a simple password gave you access. Now single factor authentication is obsolete, but for getting into the most basic of systems and services. Increasingly passwords, or PINs (and after all a PIN is just a numeric password) are being used as one factor in the security process, but applications and services rely on other factors before granting access. So the password lives on, and best practice will still dictate that the same password is not repeated. And so the challenges of remembering a myriad of different passwords goes on.
There is so much that's exciting about biometric identification (heard the one about the scanner that scans the veins in your hand?), but it's not a silver bullet in authentication. Whether at work or at home, we now live much of our lives online. As the need to protect the data and information in the many systems, services and applications we use daily grows, so do the layers of security around them. The good old password will remain one of these security layers for the foreseeable future.
Contributed by Lee Painter, CEO, Hypersocket Software