Can technology replace the password?
Technology offers new ways to beat the password hackers
Headlines about mass data breaches have become ominously routine, and yet password convenience still trumps security for most people.
That’s why, year after year, the world’s most popular log-on remains “123456”, a password so obvious it accounted for 17 per cent of the 10 million compromised passwords analysed by Keeper Security, which sells a log-in management service.
The answer, of course, is to get rid of passwords altogether. Biometric technology — especially fingerprint scanners — has been steadily replacing the need to type in a password, which can easily be guessed by hackers.
Now, with the world increasingly embracing voice-activated devices like the Amazon Echo and Google Home, companies are starting to create technology that recognises a person’s speech patterns. Facial recognition is starting to catch on as well.
“Our vision is to kill passwords completely,” says Dylan Casey, vice president of product management at Yahoo, which has suffered major security breaches. “In the future, we’ll look back on this time and laugh that we were required to create a 10-character code with upper- and lower-case letters, a number and special character to sign in.”
The question is whether companies will be able to persuade people to switch to biometric log-ins and whether the new technology will prove any more resistant to hackers than the old-fashioned password.
Apple popularised the fingerprint scanner by embedding it in the iPhone four years ago, subsequently baking the technology into the MacBook lineup. Last month, Microsoft started to let the estimated 800 million people who use its Outlook.com, Xbox.com, Skype.com and other cloud-based features log on with a fingerprint scan on their smartphone if they so choose.
The banking industry has adopted some of the most cutting-edge technology. Back in 2014, the British bank Barclays started letting wealthy customers use their voice to verify their identity during telephone banking, and introduced an opt-in version for retail clients last year.
Other banks such as HSBC, Citi and Santander are also starting to let customers use their voices to log into their telephone banking accounts.
Face recognition is becoming more common as well. Lloyds Banking Group announced last month that it would trial Microsoft’s Windows Hello technology, which lets online users log into their web-based accounts by pointing their face at a computer’s webcam.
Is the new technology hackerproof? “We’re very confident that the system is as unique as your fingerprint,” says Simon Separghan, who is in charge of Barclays’ contact centres. “So whether or not people are doing impressions or tape recordings and playing them back, the system has the ability to detect that.”
But Michela Menting, digital security research director at ABI Research, is not so sure. “With artificial intelligence you’ll have machines that’ll be able to clone human voices and maybe be able to pretend to be somebody else,” she says.
Last month, developers from a Montreal start-up demonstrated their speech synthesis tool, Lyrebird, saying it could “copy the voice of anyone” with as little as a 60-second recording.
One of Lyrebird’s founders, Alexandre de Brebisson, says his team’s motivation is to improve speech synthesis rather than anything nefarious.
Could his software be used to fool voice- based authentication? “We haven’t tested our tech on those systems,” he says, “but we would not be surprised that our current technology can already fool those systems.”
Similar concerns have been raised about face recognition. Microsoft says its Hello technology, now available in a range of Windows-based computers and soon to be tested at Lloyds Bank, Halifax and Bank of Scotland, uses infra-red sensors to build a reliable representation of a human face.
The company says the technology can’t be fooled by holding up a photograph.
But in March, reports surfaced that the facial-recognition feature of Samsung’s new Galaxy S8 smartphone could be tricked exactly that way.
Samsung said users have several ways to unlock their phones and that facial recognition can only be used to open the phone, not to “authenticate access to Samsung Pay or Secure Folder”.
Thirteen years ago, Bill Gates predicted the death of the password. It never happened because people cling to old habits and can’t always afford the latest technology.
To avoid alienating customers, banks aren’t insisting that they switch to safer technology but are letting them opt in.
So though cheaper biometric sensors and smarter software have helped improve online security, Menting believes passwords may be around for another 50 years.
“Until we have embedded devices in ourselves that can act as that password,” she says, “I really don’t see them losing the authentication war anytime soon.” Hackers are counting on it.
Our vision is to kill passwords completely Dylan Casey, Yahoo