Let’s just admit it, passwords suck, people don’t use good passwords. Password breaches seem to be the new normal. This new normal is forcing firms to find new ways of verifying their users and securing their data. Now, security firm Trustwave says traditional password policies are useless.
According to an article
at Infosecurity Magazine the Chicago-based firm says mixing upper and lower case letters, numbers and special characters don’t make passwords any harder for hackers to crack, only increasing the number of characters makes passwords more secure. Will we end up with 1,024 character secure passwords. I say let’s ditch passwords altogether.
What else can we use to secure our IDs? John Hawes at Sophos Naked Security Blog recently bemoaned the state of the clunky, fiddly, and mostly rather insecure passwords we use for almost all of our authentication needs. He says we may not be stuck with passwords forever. He offers some future options.
You are the proof
Facial Recognition – The author cites Australian researchers who have been promoting facial recognition as a means of authentication. This idea seems obvious, faces are the main way people identify each other in the real world, so it makes sense to have computers recognize our faces, or at least bits of our faces. The Sophos article says the approach has become common of late, with PC login systems and mobile apps trying to use our faces to authenticate us to various things. There is even a Finnish company that plans to use faces in place of credit cards.
The anti-malware firm says facial recognition systems have proven less than perfect, either easily fooled by photos, similar-looking people, or technical tricks, or failing to authenticate real users thanks to bad hair days or bad moods affecting how we look.
Mr. Hawes says University of Queensland researchers are trying to improve the accuracy and security of facial recognition. The Aussies are working to be able to get facial recognition to work from a single initial still image and from different angles and different lighting conditions, which sounds like a must for any decent recognition system.
The good thing about face recognition, the author says is that it’s relatively low-tech, using a standard part (the rear-facing camera) of most of the devices we use. The software looks for patterns on the human face, such as distance between eyes, to identify people. But the researchers expect it will take more time to have a fool-proof working prototype.
CNN points out that security is great for consumers, but it’s not the primary goal of most facial recognition tools. Law enforcement and spies are building databases (PDF) to take advantage of recent advancements in facial recognition. Identifying one person using their trail of selfies left online and in surveillance footage from stores could be a huge business. Some stores already use facial recognition to build profiles on repeat customers and collect data about how they shop.
Facebook (FB) recently bragged that its own facial recognition project named DeepFace was almost as accurate at detecting people as the human brain. More recently, it also claimed to be able to recognize faces from the side as well as the front.
Ears – CNN reports that with the right software, a phone can detect the shape of a human ear and use it to log in. That’s the idea behind the Ergo Android app by Descartes Biometrics. When an ear is pressed against the screen, the points where it makes contact with the glass are mapped out and compared to a stored ear print. If it matches, the user is authenticated. The app is adjustable and can require multiple scans for the highest levels of security.
For now, it’s limited to unlocking a phone. But CNN claims ear prints could be used to identify people for any number of uses on the phone, such as making purchases in app stores or signing into services.
Walking – CNN says that if you’ve ever identified someone by how listening to how they walk down the hall, you’ve already seen the power of gait recognition. For 30 years, researchers have tinkered with gait-recognition technology but the recent boom in inexpensive motion sensors like accelerometers and gyros have given new life to the field. CNN reports that with the right software and sensors, they should be able to analyze a person’s walk. A wearable fitness device or smartphone can act as a password to authorize users.
The benefit of gait recognition is that it can gather the necessary information in the background while people go about their normal routines. There’s no need for the subject to touch their device or look into a camera.
Things you do are proof
Typing – Like walking, typing varies from person to person according to CNN. Keystroke biometrics record how a person types and calculates their unique pattern, speed, and rhythm. It determines how long they hold down each key and the space of time between different letters. Keystrokes could be used to authenticate anyone working on a computer. This system could appeal to companies that are watching out for unauthorized users on their internal systems.
Gestures – Gesture-based authentication is another potential password replacement emerging from the world of smartphones and tablets. Mr. Hawes says hand movements repeated often enough can lead to muscle memory, so quite complex patterns can become quite easy to reliably and accurately reproduce. This is the basis of a very venerable form of authentication, the signature. It should be harder to compromise though, as, unlike signatures, swipes leave few traces to be copied.
An
droid phones have long had swipe-pattern unlock features, and Microsoft (MSFT) Windows 8 includes a system based on a few swipes around a picture. Research has poked some serious holes in this approach though, showing that people are just as bad at picking hard-to-guess shapes as they are at choosing passwords.
Besides monitoring your body to authenticate you, there are hybrid authentication technologies. Hybrid authentication combines biometric factors with other techs.
Brain waves – I covered the Interaxon Muse headband sensor device a while ago. It is designed to allow users to create a specific brain wave signature for a password that will never have to be said or typed to log in.
Biostamps – The biostamp idea proposed a hybrid of body and technology. The biostamps are flexible electronic circuits attached to the skin, which theoretically can communicate your password wirelessly with any device which needs to check who you are.
Bracelets – Another hybrid approach uses a bracelet device that measures heart rhythms to check who we are, and then connects to our devices via Bluetooth to pass on that confirmation. I covered Nymi here.
The actual authentication takes place only when the bracelet is first put on. It requires a quick touch of some sensors, and from then on it will confirm you’re you until it’s removed. It includes motion sensors, so the basic authentication can also be combined with movements and gestures to create multi-factor passwords, using both the body and the mind of the attached user. Gestures could be used to unlock cars, for example.
Over the years the password systems we use have seen various improvements, both in usability (ranging from simple but today’s indispensable systems for replacing forgotten passwords to the latest secure password management utilities) and security, for example, two-factor authentication schemes using dongles or smartphones combined with our computers.
All have helped in some ways, but have also introduced further opportunities for insecurity – recovery systems can be tricked, management tools can have vulnerabilities or simply be insecurely designed, and two-factor approaches can be defeated by man-in-the-mobile techniques.
rb-
Biometrics are not bullet-proof. They have a number of problems still.
- Biometric data cannot be changed once it is compromised.
- Will stress, fitness, or aging, have on the physiological elements of biometrics.
- Cost, most of these techniques require new equipment.
- They all need connectivity, Bluetooth connectivity.
- Biometric data still needs to be stored somewhere. And that would be an attractive target for attackers.
Related articles
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.
Let’s Encrypt, an initiative to set up a free certificate authority (CA) on the Intertubes has entered its public beta phase. All major browser makers including Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer trust Let’s Encrypt certificates. In their announcement Josh Aas, the executive director of California based Internet Security Research Group (ISRG), which runs the Let’s Encrypt service, wrote:
Let’s Encrypt is overseen by folks from Mozilla, Akamai (AKAM), Cisco (CSCO), Stanford Law School, CoreOS, the EFF, and others. Let’s Encrypt was first announced in 2014, (rb- Which I covered here). motivated by a desire to steer organizations towards the use of encryption to protect their communications. A key part of the strategy is offering free digital certificates, which is a radical departure from the very hefty premiums that certificate authorities typically charge.
Let’s Encrypt plans to distribute free SSL/TLS (Secure Socket Layer/Transport Layer Security) certificates, which encrypt data passed between a website and users. The use of SSL/TLS is signified in most browsers by “HTTPS” and a padlock appearing in the URL bar. Unencrypted web traffic poses a security risk. For example, an attacker could collect the web traffic of someone using a public Wi-Fi hotspot, potentially revealing sensitive data.
The automated issuance and renewal protocol prevents oversights resulting in certificates for live websites expiring, a situation that does happen from time to time. FierceSecurityIT says that short-term certificates also offer better security by reducing exposure in the event that the private keys are stolen.
Phishing scams are spam emails sent by cyber-criminals that can lead to identity theft at home and data breaches at work. Phishing attacks pretend to be from a legitimate person or organization to trick you into revealing personal information. A phishing attack begins when a cyber-criminal sends an email that looks like it originates from your bank.
