Using your body as a security shield to safeguard data

Passwords are failing to protect our personal information. New approaches use elements unique to our individual bodies and could revolutionise how we all approach security, as Dave Howell reports

We all think we have strong passwords, but few of us actually do. According to the latest research from Deloitte, more than 90 per cent of passwords are vulnerable to hacking. We all suffer from password fatigue. This isn’t surprising as Janrain recently revealed in a survey that one in ten people have 21 or more different passwords.

Any eight-character password, chosen from all 94 characters available on a standard keyboard, is one of 6.1 quadrillion possible combinations. Human beings struggle to remember more than a seven-digit number. Add in more characters and the task becomes even harder. As a result, passwords tend to follow conventions that the criminal fraternity is all too familiar with.

Unbelievably, the last list of the worst passwords compiled by SplashData had “password” at the top followed by “123456”, “qwerty” and “abc123”. More worrying is that most people never change a password unless prompted to by the service they are using. And the last cardinal sin is writing passwords on Post-it notes, which can easily be copied or stolen.

What this all adds up to is the conclusion that we are all playing Russian roulette with our personal data. Passwords, even when these are used in conjunction with usernames or other systems such as random number generators used by some banks, can’t alone offer the levels of security that are now needed.

“Our survey shows that, like many things in life, people complain about the safety of their information online, but few are willing to take firm steps to protect that information,” says Bill Carey, vice president of marketing at Siber Systems. “In an era where our health information, our purchasing practices, our correspondence, and even information about our family and friends are online, it’s more important than ever to take online security seriously.”

And in its current threat report, F-Secure succinctly states: “The password is dead and we all know it. But unfortunately, its successor has yet to turn up.” The replacement for the password could be biometrics, a technology that has been developing rapidly and falling in cost over the last few years. It is now possible to detect the unique aspects of your speech, how you walk (gait) and even how you type on your keyboard.

Wouldn’t it be great if you could identify yourself, or log on to any website you hold an account with, without having to remember a single password? This is the promise of biometrics, which uses the unique aspects of your body as your password.

Take a look at your hands. The most obvious form of biometric identification we all have is our fingerprints, but our bodies have many other unique features that a biometric system could use.

Researchers are now looking at more advanced iris and retina scanning than biometric passports currently use. Another example is palm biometrics, one of the most evolved biometric scanning technologies available right now. It uses the unique pattern of blood vessels in your palm – which are formed in the womb and never change with age – and could find its way into airport check-ins, bank cashpoints, and even the checkout at your local supermarket.

From a consumer’s point of view, biometrics could be a godsend. You can’t forget your hands or eyes when you want to shop online. Or if your bank wants to identify you, it could do this over the phone using voice biometric systems. This is already being used by insurance companies that want to detect fraudulent claims made on policies when a claimant calls them.

The question, of course, is can biometrics be trusted with our most personal information? Is a scan of your palm a reliable way of identifying you?

“Biometric technologies can offer a far more efficient and watertight approach to security compared with traditional access control which sees customers using PINs and passwords, with all their well-known potential vulnerabilities,” says Michael Fairhurst, professor of computer vision at the University of Kent’s School of Engineering and Digital Arts, and editor-in-chief of the journal IET Biometrics.

“Biometric data is much more resistant to such compromise and has the major advantage of binding a person to an action or transaction. But, of course, different biometric technologies offer different advantages and disadvantages, and any proposed application needs to be evaluated carefully in order to optimise the choice.”

A wholesale move to biometric technology is a long way off as standards have yet to be agreed and the infrastructure to support this technology isn’t widespread. It’s likely though that, because of the popularity of smartphones and tablet PCs, these devices will be the first to offer biometric technology as a means to protect sensitive and personal information.

According to the National Fraud Authority, the UK currently loses £73 billion per year due to fraud. Biometrics could go a long way to reducing this figure. There does, though, have to be an integrated approach to biometrics – something that has not yet materialised.

However, some innovation is taking place already. The USAA bank in America is offering a voice biometrics app for its customers. Developing countries are also showing the way. “Forward-thinking players, such as Mekong Development Bank (MDB) in Vietnam, have used biometric technology with MDB providing Vietnam’s first fingerprint enabled debit card in 2012,” says Lee Volante, director, business solutions group, Asia Pacific, at Temenos. “The bank found it had trebled its current account base just a few months after launch, with many of its new customers able to open their first-ever bank account because of the sophisticated technology on offer.”

Garry Sidaway, global director of security strategy at Integralis, notes: “The real question with biometrics is ‘where is the liability?’ This is why we haven’t seen any great take-up of authentication brokers. Will Facebook or Amazon, for example, want the liability of being used as your authentication broker? Who will ultimately provide the verification that it is actually your finger on the device? We may get to the point where we do actually go into our banks to register our personal biometric and devices. How would this work in other businesses?”

This is an important point. What is needed is a centralised authentication authority. Without this we could end up in a situation where you would have to give different biometric data to each of the services you want to access, which isn’t that far away from having to remember several passwords. And, of course, the security that this central authentication database would need would have to be beyond reproach as, if your biometric data was stolen, all of your personal information would become accessible.

Biometrics can at first glance seem like an incredibly intrusive technology, as it uses your physical makeup for identification. The reality is that, just like any other security technology in use such as CCTV, we have to weigh the advantages against the levels of privacy we have to give up in order to improve the security we all need when using online services to make payments or to prove our identity when this is needed in the physical world.

For now the use of biometrics has been limited to a few novel products that use fingerprint authentication. However, as the password continues to buckle under the strain that our electronic lives have placed upon it, a new system of identification is needed. Using what is unique about us as individuals offers a chance to develop systems that are robust, user-friendly and reliable.