Passwords are broken. Most people pick crappy passwords, and that inevitably leads to trouble.(We're looking at you Sony Pictures.) Good passwords are basically impossible to remember. Heck, even the dude who invented passwords thinks they're a total nightmare. The time to kill the password is overdue, and thankfully there's some promising technology that will enable us to do that quite soon.
There are a number of ways to improve cybersecurity with a password alternative. They run the gamut from weird wearables that listen to your heartbeat to sci-fi-inspired iris scanners that look deep into your soul. Spoiler: Iris scanners are actually awesome.
So who will win the great honour of slaying the password? Well, it's worth pointing out that the password itself isn't the only thing that needs slaying. The entire security infrastructure that we use now — entering a string of characters to grant access to computers or accounts — is fundamentally flawed. For now, some password alternatives simply offer a way to let you streamline that process by skipping the tedious input part. Other, more promising options challenge the very principles of verification.
To get a clear picture of the best path forward, let's look at the merits of the near future technology that promises to end the need for passwords. From there, it will be pretty obvious which ones actually make sense.
Who doesn't love wearables? Everybody's talking about them. It's 2014, and you can strap a computer to your body. In 2015, you'll be able to strap an Apple computer to your body. This is a very futuristic and terribly trendy thing to do, so clearly there are security companies trying to capitalise on the fad.
A number of different companies are taking a cue from the fitness tracker industry by building devices that literally let you wear your password or personal ID on your wrist.
One Jawbone-inspired design called Everykey recently got tons of press — despite the fact that it does not yet exist — for promising to unlock everything, from your Facebook account to your front door. The product's Kickstarter page claims that the wristband "utilizes military grade encryption" to store passwords for your devices on the devices themselves and your web passwords on an encrypted server. The wristband then transmits the encrypted data via Bluetooth to grant you access.
Transmitting encrypted data is certainly an improvement over typing "password" into the password field. Wearing a gadget just so you can log into your computer more securely sounds like a bit of a pain, though. It's also not super secure. A nosy lover could just snatch the dang thing off your wrist while you're sleeping and read all of your email. Everykey says you can call to deactivate the wristband if it's lost. BUT WHAT IF YOU'RE ASLEEP?!
Of course, there are other password-killing wearables out there, some of which have considered this sleeping sneak attack idea. One is this Canadian startup that uses an ECQ sensor to measure the unique electrical activity of your heartbeat to verify your identity. That gets us a little bit closer to a truly effective verification system. But it's still a little hokey and involves a bracelet that nobody wants to wear.
Password-killing fingerprint IDs
When Apple announced Touch ID — and more so, its availability with third party developers — a lot of people in the security world freaked out a bit. Finally, the oldest, most dependable method for identifying individuals would become the standard on the marquee mobile device! Their ardor is not without cause, but it's also not entirely warranted.
Let's just get this out of the way: Fingerprints don't offer the most secure way to lock down a device. More importantly, fingerprint readers are hardly infallible. They're better than passwords but ultimately leave something to be desired because, well, you leave fingerprints all over the place that could possibly be used to dupe the reader.
Because of its tiny size and sophisticated capacitive sensor, Touch ID is a particularly advanced implementation of fingerprint-scanning technology. It's still not perfect, though. As you might recall from the weeks after its release, however, people had a lot of trouble with Touch ID at first. Then, we heard about how Chaos Computer Club hackers could easily bypass the TouchID security by simply photographing the user's fingerprint on a piece of glass. The same hackers have done a number of tests to show how easy it is to trick fingerprint readers in recent years.
Still, to say that fingerprint readers don't offer a better way forward than conventional passwords would be disingenuous. Indeed, if fingerprint readers offer anything, they offer convenience. Just tap or swipe your finger on a sensor, and you're in. As much as a decade ago computer manufacturers like IBM realised how the added convenience and security would be a great way to win new customers. "What was once considered sci-fi technology is now available to all enterprises, large and small, in the notebook of choice for everyday business," IBM's Fran O'Sullivan said when the company's first laptop with a fingerprint reader hit the market.
Fran was right about the sci-fi bit, but IBM didn't nail the security bit. The thing is, when you install extra-secure hardware, you have to back it up with extra-secure software. As recently as 2012 — a full eight years after IBM introduced the concept — security researchers found that the software that supports one of the standard and most common fingerprint readers for Windows laptops contained a serious weakness. The reader was supposed to enable the user to avoid typing in a password and just scan the finger instead. The problem was that the software basically stored the passwords in plain text, where any half-talented hacker could access them.
Like typed passwords and wearables, fingerprint readers still sacrifice security for convenience. They're slightly more secure and slightly more convenient. But inevitably, they're not as secure or convenient as a password killer should be.
Password-killing facial recognition software
Now we're getting warmer. While fingerprint reading technology technology has become pretty good in the past few years, facial recognition software has gotten great. The idea of using computers to recognise human faces dates back to the 1960s, but this year the technology used in the process hit a noteworthy peak. Facebook announced that its internal facial recognition tools were "approaching human-level performance." That's insane.
It seems like you can't turn around these days without hearing about some new application for facial recognition software. It's being used by Facebook to help you tag your photos, by gas stations to target ads, and by the FBI to catch criminals. The FBI system, known as the Next Generation Identification (NGI) program, will eventually include over 52 million individual faces and enhance law enforcement's ability to identify and store fingerprints. It cost about a billion dollars to build too.
So if the FBI's using facial recognition, it must be a secure enough solution to replace passwords, right? Actually, no not really. As with any technology, there's a huge range of quality when it comes to facial recognition software. Facebook's well-funded proprietary facial recognition can identify whether two faces in side-by-side images are the same person with an impressive 97.25 per cent accuracy. (Humans do it with 97.5 per cent accuracy.)
The FBI, however, isn't as picky. Documents revealed last year that the agency will accept a false positive rate as high as 20 per cent. Along those lines, the FBI is happy if its NGI program identifies a face a minimum of 85 per cent of the time. That's a lot of room for error on both ends. In general, facial recognition is far less dependable than even fingerprints when it comes to correctly identifying individuals.
This is all to say that facial recognition technology is improving at an impressive rate, but it's not yet flawless. There are apps and whatnot that use facial recognition as a security gate, though it's hard to shake the fact that they don't work as well as a fingerprint reader would. And it's also worth mentioning that a lot of people remain very sceptical about uploading their biometric metric details into a database, especially their face. Because, you know, it's creepy.
Password-killing iris scanners
Speaking of creepy, iris scanners are now a thing that you can buy and use instead of passwords. This may sound like your typical holy-shit-Minority-Report-is-coming-true horror. It's actually a pretty exciting step on the path to a future with no passwords.
Iris scanners — not to be confused with retina scanners — are insanely accurate. In fact, they're just as unique as fingerprints and 10,000 times less likely to produce a false positive than facial recognition technology. The only thing more accurate is DNA. And while security researchers have been able to trick iris scanners by using contact lenses imprinted with a fake iris pattern, the scanners can easily combine other verification techniques, even facial recognition. Iris scanner technology is improving so rapidly, it's now cheap enough for consumers.
One of the more exciting devices on the market now is called Myris. This $US280 gadget looks like one of those hockey puck-shaped iMac mouses from the late '90s, but when you flip it over, there's a convex mirror surrounded by cameras and sensors that looks a little bit like a less colourful HAL.
It connects to your computer via USB and basically serves as a gatekeeper for any application or website you assign to it. From bank accounts to Facebook profiles to networks themselves, practically anything can be secured with Myris. Meanwhile, the biometric data about your irises is heavily encrypted and stored on the device itself to keep it out of hackers' reach.
Once you set up the software side of it — most security is still password-based so you have to associate the device with the appropriate accounts and passwords — Myris is stupid simple to use. When prompted, you just hold the HAL-looking side of the device up in front of your face. If the device verifies your identity, a light turns green, and you're in. The company says it's "as easy as looking into a mirror," and it's not exaggerating. There's actually a little mirror to look into.
It's not the only eye-scanning device in line to slay the password. Last month, Myris teamed up with the Wistron NeWeb Corporation (WNC), a Taiwanese firm that manufactures computers for companies like Acer and HP. As soon as next year, we could see laptops with iris scanners built directly into the hardware. So instead of picking up a device every time you needed to enter a password, you would just glance towards your laptop's webcam.
That sounds awesome, but eyeball scans still feel creepy. If you can get past that and get excited about how accurate and secure they are, you can start to see the password-free future the technology could usher in. Imagine sitting down at work and simply looking at the screen in order to log in to your computer and all of your accounts — all of them. No need to remember a stupid string of characters or fiddle with a fingerprint scanner. Your digital identity is finally, simply you.
Illustration: Tara Jacoby