Your password is terrible – but how secure are the alternatives?
HEADLINES about mass data breaches have become ominously routine, and yet password convenience still trumps security for most people.
That’s why, year after year, the world’s most popular log-on remains “123456”, a password so obvious it accounted for 17% of the 10 million compromised passwords analysed by Keeper Security, which sells a log-in management service.
The answer is to get rid of passwords. Biometric technology – especially fingerprint scanners – has been steadily replacing the need to type in a password, which can easily be guessed by hackers wielding smart algorithms.
Now, with the world increasingly embracing voice-activated devices like the Amazon Echo and Google Home, companies are starting to create technology that recognises a person’s speech patterns. Facial recognition is catching on as well.
“Our vision is to kill passwords completely,” says Dylan Casey, vice-president of product management at Yahoo Inc, which has suffered major security breaches. “In the future, we’ll look back and laugh that we were required to create a 10-character code with upperand lower-case letters, a number, and special character to sign in, much as today’s teenagers laugh at the concept of buying an album on a compact disc.”
The question is whether companies will be able to persuade people to switch to biometric logins and whether the new technology will prove any more resistant to hackers than the password.
Apple popularised the fingerprint scanner by embedding it in the iPhone four years ago, subsequently baking the technology into the MacBook line-up. Now Microsoft is getting into the act. Last month, the company started to let the estimated 800 million people who use its Outlook.com, Xbox. com, Skype.com and other cloudbased features log on with a fingerprint scan on their smartphone if they choose.
By October or November this year “you’ll be able to take your phone, walk up to your Windows 10 PC and just use your thumb print to log into your PC,” says Alex Simons, who’s in charge of products in Microsoft’s identity division.
Cutting-edge
The banking industry, long mindful of security, has adopted some of the most cutting-edge technology. UK bank Barclays started letting wealthy customers verify their identity during telephone banking with their voices back in 2014, and rolled out an opt-in version to retail clients last year.
“Our voice security works by taking a recording and analysing the different voice patterns, the vocal tones, the pitch and the pace,” says Simon Separghan, who’s in charge of Barclays’ contact centres. He said the bank was working to implement the technology into its mobile banking app.
Face recognition is becoming more common as well. Lloyds Banking Group announced in April that it would trial Microsoft’s Windows Hello technology, which lets online users log into their webbased accounts by pointing their face at a computer’s webcam.
Is the new technology hacker-proof ? Barclays’ Separghan says there have been no breaches so far. “We’re very confident that the system is as unique as your fingerprint,” he says. “So whether or not people are doing impressions or tape recordings and playing them back, the system has the ability to detect that.”
But Michela Menting, digital security research director at ABI Research, isn’t so sure. “With artificial intelligence you’ll have machines able to clone human voices and they’ll maybe be able to pretend to be somebody else.”
In April, three developers from a Montreal AI startup released demos of their speech synthesis tool, Lyrebird, which they said could “copy the voice of anyone” with as little as a 60-second recording. They released audio samples of their work, which mimicked the voices of Barack Obama, Hillary Clinton and Donald Trump.
One of Lyrebird’s founders, Alexandre de Brébisson, said his team’s motivation was to improve speech synthesis rather than anything nefarious. Could his software be used to fool voice-based authentication? “We haven’t tested our tech on those systems,” he said, “but we would not be surprised.”
Similar concerns have been raised about face-recognition. Microsoft says its Hello technology uses infra-red sensors to build a reliable representation of a human face. The company says the technology can’t be fooled by holding up a photograph to the lens. But in March, reports surfaced that the facial-recognition feature of Samsung Electronics Co’s new Galaxy S8 smartphone could be tricked exactly that way. – Bloomberg