Biometrics Could Make Passwords Obsolete
Passwords are often shared and easily compromised. Common access cards or security tokens can be stolen. In the quest for the ultimate in information security, nothing beats biometrics for proving you are who you say you are.
Fingerprints, iris scans and facial recognition technology aren’t foolproof, but they’re considerably harder to fake than a password and can be combined to offer even stronger security. And except for rare situations – as in the case of blind users or those missing hands or fingers – biometrics promises strong authentication without the memory challenge of juggling a dozen or more complex passwords. The trade-off is that a biometric, unlike a password, cannot be reissued if a copy of it leaks, so where the template is stored and who can read it matters more than it does for any password database.
Defense Department Chief Information Officer Terry Halvorsen recently defined his dream authentication system at the Defense Systems Summit in Arlington, Va.: “In an ideal world today, we would [have] 15 factors that we could actually check for identity,” he said, emphasizing he’s not committed to the number 15, but rather to the notion of examining many factors at once. “On any given day – randomized – we could be using five or six of them. … Things like biometrics, behavior metrics, probably some data metrics, but all those combined.”
Biometrics identification is already here and increasingly affordable. “In the past, biometrics have depended on proprietary data formats and very expensive end-device sensors,” said John Callahan, chief technology officer at Veridium, a biometrics specialist. “Now we have a universal platform with powerful sensors and powerful processing: It’s the cell phone, and that’s where the revolution in biometrics is going to take place.”
Apps like Clef let developers turn smartphones with fingerprint sensors into security devices, using the phone’s camera to prove the user is physically present at the computer they are logging in from. The system generates a temporary, encrypted code that is discarded within about 30 seconds, so the code itself is never kept on the device. Combine that with the phone’s fingerprint sensor and it’s clear smartphones can become powerful authentication tools without the limitations of memorized passwords.
A new international biometrics standard released last year, IEEE 2410, establishes uniform protocols for exchanging biometric information between smartphones or stand-alone biometric readers and central servers. Having an open standard will allow vendors to share protocols and spend their development resources on unique services instead.
“With an open standard each protocol can go through public review to confirm that it is viable and secure,” Callahan said. “That is imperative.”
Choosing which biometric factors to use is still a matter for debate.
Mario Savvides, director of Carnegie Mellon’s CyLab Biometrics Center, isn’t optimistic about fingerprints. “Fingerprints are being widely used, but they have a negative stigma,” Savvides said. “Every time people use a fingerprint sensor they feel like they’ve done a crime.” Smudges and scrapes on the finger can also easily cause a fingerprint to fail to match.
“I lean toward iris scans,” Savvides said. “It is more secure, in the sense that you are less likely to do anything that might change your iris.”
Both fingerprints and iris scans – or a combination – could relieve cyber-addled workers of the burdens of remembering all those passwords so they can spend their time focused on mission, and not just accessing their systems.
For mobile devices, security and privacy are a concern, especially if the solution requires a mobile device to store and verify a fingerprint or other scan with a server in the cloud. But fingerprints do not have to be stored in the cloud, notes Stan Tyliszczak, chief engineer at General Dynamics Information Technology. “The fingerprint can be stored on each individual’s cellphone, so the authentication takes place at the cellphone itself, rather than through a centralized database. Once a user authenticates to their phone, it can then exchange login information using Bluetooth or some similar short-range connection.”
One example: MicroStrategy’s Usher replaces passwords and keycards with a digital badge that lives on users’ smartphones. It can be configured to authenticate users with Bluetooth proximity, digital keys, individual QR codes – or the phone’s built-in fingerprint scanner.
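The two ideas above, a short-lived single-use login code of the kind Clef generates and the on-device match that Tyliszczak and Usher describe, fit together in one protocol sketch. The following is an added example written for this page; it is not code from Clef, Usher, Veridium or any other vendor. Everything in it is assumed for illustration: the biometric template is modelled as a 256-bit string compared by Hamming distance against a fixed threshold (the way iris codes are typically matched), the phone holds a symmetric key registered with the server rather than a key pair in a secure element, the server’s challenge is a random nonce that expires after 30 seconds, and the device’s answer is an HMAC over that nonce. The point it shows is the shape of the design: the template never leaves the device, a wrong finger produces no response at all, and a captured response is useless because the nonce is consumed on first use and expires regardless.

```python
"""Added example (not from the article or any vendor): on-device biometric
match gating a short-lived, single-use challenge-response login.

All names, thresholds and key handling here are hypothetical."""
import hashlib
import hmac
import os
import time

MATCH_THRESHOLD = 0.32   # assumed: max fraction of differing bits to accept
CHALLENGE_TTL = 30.0     # assumed: seconds a server challenge stays valid


def hamming_fraction(a: bytes, b: bytes) -> float:
    """Fraction of bits that differ between two equal-length templates."""
    if len(a) != len(b):
        raise ValueError("templates must be the same length")
    diff = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return diff / (8 * len(a))


class Device:
    """The phone: keeps template and key locally, nothing biometric is sent."""

    def __init__(self, device_id: str, template: bytes, key: bytes):
        self.device_id = device_id
        self._template = template
        self._key = key

    def local_match(self, sample: bytes) -> bool:
        return hamming_fraction(sample, self._template) <= MATCH_THRESHOLD

    def answer_challenge(self, sample: bytes, nonce: bytes):
        """Return (device_id, nonce, mac) only if the live sample matches."""
        if not self.local_match(sample):
            return None          # wrong finger: no message is produced at all
        mac = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return (self.device_id, nonce, mac)


class Server:
    """Issues nonces, verifies responses, and enforces single use plus TTL."""

    def __init__(self, clock=time.time):
        self._keys = {}      # device_id -> registered key
        self._pending = {}   # nonce -> (device_id, issued_at)
        self._clock = clock

    def register(self, device_id: str, key: bytes) -> None:
        self._keys[device_id] = key

    def issue_challenge(self, device_id: str) -> bytes:
        nonce = os.urandom(16)
        self._pending[nonce] = (device_id, self._clock())
        return nonce

    def verify(self, response) -> bool:
        if response is None:
            return False
        device_id, nonce, mac = response
        entry = self._pending.pop(nonce, None)   # consumed on first attempt
        if entry is None:
            return False                         # unknown or replayed nonce
        expected_id, issued_at = entry
        if expected_id != device_id or self._clock() - issued_at > CHALLENGE_TTL:
            return False                         # wrong device or expired
        expected = hmac.new(self._keys[device_id], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(mac, expected)


def demo() -> dict:
    """Run genuine, replay, impostor and expired cases with a fake clock."""
    clock = [1000.0]
    key = os.urandom(32)
    enrolled = bytes([0b10110010]) * 32          # constructed 256-bit template
    dev = Device("phone-1", enrolled, key)
    srv = Server(clock=lambda: clock[0])
    srv.register("phone-1", key)

    noisy = bytearray(enrolled)                  # same finger, sensor noise
    noisy[0] ^= 0x01
    noisy[5] ^= 0x80
    n1 = srv.issue_challenge("phone-1")
    resp = dev.answer_challenge(bytes(noisy), n1)
    genuine = srv.verify(resp)
    replay = srv.verify(resp)                    # same response again

    n2 = srv.issue_challenge("phone-1")
    impostor = dev.answer_challenge(os.urandom(32), n2)   # random "finger"

    n3 = srv.issue_challenge("phone-1")
    late = dev.answer_challenge(bytes(noisy), n3)
    clock[0] += CHALLENGE_TTL + 1                # let the challenge expire
    expired = srv.verify(late)
    return {"genuine": genuine, "replay": replay,
            "impostor_signed": impostor is not None, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields a genuine login that passes, a replayed response that fails, an impostor sample that never produces a response, and an expired challenge that fails. A production design would replace the HMAC key with a device key pair whose private half lives in a secure element, so that the server stores only public keys and a server breach exposes neither templates nor signing keys.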