Will Biometrics Kick Passwords to the Curb?

  • Smartphones equipped with context-aware computing can use motion sensors to switch to voice-activated mode. Are bank customers ready for phones that know what they're doing?

    January 1

It's been a bad year for passwords, as attacks on social networks, email services and even shoe stores have proven the weakness of this method of authentication.

Given the vulnerability of usernames and passwords — not to mention the friction of having to use multiple passwords for different programs — new authentication techniques are advancing quickly, such as biometrics and tools that take advantage of technology already existing in newer mobile phones, tablets and laptops.

Researchers at Intel, for example, have developed new mobile tech that combines software with a biometric sensor that recognizes the vein patterns on a person's palm, allowing access to banking sites, social networks and other account-based services.

Sridhar Iyengar, director of security research at Intel Labs, who helped demonstrate the new technology at Intel's recent developer forum in San Francisco, contends that making laptops, smartphones and tablets responsible for identification removes the need for websites to perform authentication via password.

"I wouldn't say that passwords are antiquated, but they are cumbersome," he said. "And the fact that man-in-the-middle attacks have increased as people eavesdrop on passwords…all of this may come to a head," Iyengar said in an interview Tuesday afternoon.

Intel's new authentication method, which is still in development and may not be in the market for another year or so, uses a combination of software and a biometric sensor that's embedded in the computing device. In Iyengar's demonstration in San Francisco, the device was a tablet. Palm prints are used to authenticate the user, because Intel considers palm prints more reliable than fingerprints, which can more easily become stained. Also, the Intel Labs product is contactless, while older biometric sensors require the finger to come into contact with the reader.

Once the user is identified as the computing device's proper user by waving his or her palm in front of the sensor, the computing device can communicate that person's identity to banks, social networks and other sites. An embedded accelerometer senses when the device has been put down, at which point the session automatically logs off.

Iyengar argues the growth of mobile banking has actually made the password vulnerability problem worse. He says Intel research has found that people log into their smartphones more frequently than PCs — about 35 times per day — and often do so from public locations, which are more vulnerable.

Intel says it plans to work with service providers to take advantage of palm reading technology to expand the availability of biometric sensors on devices, and Iyengar says the new versions of smartphones, tablets and laptops are increasingly including the scanning and recording technology that can enable contactless palm screening and other authentication techniques that verify the device's owner before he or she attempts to log into a site.

"The trend is toward adding more sensors to the devices, whether they be cameras, microphones, gyroscopes or sensors, tablets, smartphones and other devices are getting smarter and smarter about determining who you are," Iyengar says.

Other firms, such as InAuth, are also touting biometrics as an authentication tool. In InAuth's case, it's voice biometrics — or recognizing the user's vocal patterns. While biometrics, or the use of a personal characteristic such as fingerprints or voice to identify someone, has existed for years, it's always been considered a frontier technology for mass authentication.

Avivah Litan, a vice president and security specialist for Gartner Research, says that while usernames and passwords aren't going away anytime soon, there's traction for biometrics given the security risks and improvements in enrollment for biometric services. "Usernames aren't considered private data, and passwords are getting compromised more and more. Biometrics is becoming much more palatable."

Other firms are using the actual computing devices as the authentication tool to eliminate usernames and passwords. A startup called OneID has built an authentication tool that replaces usernames and passwords with one digital identity that's stored in the end user's device — a mobile phone, laptop or tablet. The identity would allow banks, retailers and other electronic commerce organizations to recognize the device as belonging to a particular user — so that user would not have to log in to sites for most transactions, though extra authentication for certain transactions could be required.

To build the encrypted identity on the device, OneID uses what's called "public key cryptography," or the downloading of "secret" cryptographic information to a user's device that identifies the user, then creates digital signatures that are accessible by the banking or other site. These digital signatures cannot be used to steal the users' identity, though the devices are still prone to theft, malware or hacking.

OneID, whose backers include Khosla Ventures, with a $7 million stake, did not disclose financial users, but did say it was in talks with a financial services industry group about an endorsement — which OneID said could be announced within the next few weeks.

"Usernames and passwords are designed for the mainframe world of the past. We need a new approach to take advantage of the capabilities that we have on personal computing devices. Passwords are subject to being guessed, and it gets worse as computation gets faster. It's easy to build a machine that can guess passwords at a greater and greater rate," says Jim Fenton, chief security officer of OneID.

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER