Passwords linger like landlines
They’re easily hacked and tech companies want to kill them, yet passwords are just as pervasive as ever, writes
Headlines about mass data breaches have become ominously routine, and yet the convenience of a password still trumps security for most people.
That’s why, year after year, the world’s most popular log-on remains ‘‘123456,’’ a password so obvious it accounted for 17 per cent of the 10 million compromised passwords analysed by Keeper Security, which sells a log-in management service.
The answer, of course, is to get rid of them altogether.
Biometric technology – in particular fingerprint scanners – is steadily replacing passwords, which are easily guessed by algorithm-wielding hackers.
Now, with the world increasingly embracing voiceactivated devices like the Amazon Echo and Google Home, companies are starting to create technology that recognises a person’s speech patterns. Facial recognition is catching on as well.
‘‘Our vision is to kill passwords completely,’’ says Dylan Casey, vice president of product management at Yahoo, which has suffered major security breaches.
The question is whether companies will be able to persuade people to switch to biometric logins and whether the new tech will be any more resistant to hackers.
Apple popularised the fingerprint scanner by embedding it in the iPhone four years ago, then baking the technology into the MacBook lineup.
Now Microsoft is getting in on the act. The company recently began letting the estimated 800 million users of its cloud-based features including Outlook.com, Xbox.com and Skype.com log on with a fingerprint scan on their smartphone.
By October or November this year ‘‘you’ll be able to take your phone, walk up to your Windows 10 PC and just use your thumb print to log into your PC’’, said Alex Simons, who’s in charge of products within Microsoft’s identity division.
Your voice as security
The banking industry has adopted some of the most cutting-edge technology.
The UK bank Barclays started letting wealthy customers verify their identity during telephone banking with their voices back in 2014, and rolled out an opt-in version to retail clients last year.
‘‘Our voice security works by taking a recording and analysing the different voice patterns, the vocal tones, the pitch and the pace,’’ says Simon Separghan, who’s in charge of Barclays’ contact centres in the UK, India and the Philippines. The bank is working to add the technology into its mobile banking app.
Face recognition is becoming more common as well. Lloyds announced in April that it would trial Microsoft’s Windows Hello technology, which lets online users log into their web-based accounts by pointing their face at a computer’s webcam.
Is the new technology hackerproof?
Barclays’ Separghan is sanguine about the bank’s voiceactivated log-in system and says there have been no breaches so far. ‘‘We’re very confident that the system is as unique as your fingerprint,’’ he says.
But Michela Menting, digital security research director at ABI Research, isn’t so sure. ‘‘With artificial intelligence you’ll have machines that’ll be able to clone human voices and maybe pretend to be somebody else,’’ she says.
In April, three developers from a Montreal AI startup released demos of their speech synthesis tool, Lyrebird, which they said could ‘‘copy the voice of anyone’’ with just a 60-second recording.
One of Lyrebird’s founders, Alexandre de Brebisson, who is studying AI at the University of Montreal, said his team’s motivation was to simply improve speech synthesis.
Could his software be used to fool voice-based authentication? ‘‘We haven’t tested our tech on those systems,’’ he said, ‘‘but we would not be surprised.’’
Rise of face recognition
Similar concerns have been raised about face-recognition.
Microsoft says its Hello technology – now available in a range of Windows-based computers and soon to be tested at Lloyds Bank, Halifax and Bank of Scotland – uses infra-red sensors to build a reliable representation of a human face. The company says the technology can’t be fooled by a photograph held to the lens.
But in March, reports surfaced that the facial-recognition feature of Samsung’s new Galaxy S8 smartphone could be tricked exactly that way.
In a statement, Samsung said facial recognition can only be used to open the Galaxy S8 and not to ‘‘authenticate access to Samsung Pay or Secure Folder’’.
Thirteen years ago, Bill Gates predicted the death of the password. It never happened because people cling to old habits and can’t always afford the latest technology.
So though cheaper biometric sensors and smarter software have helped improve online security, Menting believes passwords may be around for another 50 years – kind of like landlines.
‘‘Until we have embedded devices in ourselves that can act as that password,’’ she says, ‘‘I don’t see them losing the authentication war any time soon.’’ Hackers are counting on it. – Bloomberg