Tue November 5, 2013
The Most Secure Password In The World Might Be You
Originally published on Tue November 5, 2013 9:22 pm
You're probably well-acquainted with one of life's little annoyances: the password.
Your voicemail. Your email. Your smartphone. Maybe you've got a different one for each — which means you're bound to slip up.
Or maybe you use the same one for everything — a security no-no. The number of sites and services that demand a password or PIN seems to have grown exponentially. And keeping track of the ones you've got? Forget about it.
Well, Silicon Valley titans are getting tired of them, too. At the Tech Crunch Disrupt conference in September, Google's top security executive, Heather Adkins, declared that passwords are dead. And that's straight from a founding member of the security team at Google, home to 425 million email accounts.
Adkins says startups tying their future to passwords might as well give up now, given how much work it takes to keep customers' passwords secure.
But if passwords are a thing of the past, what will replace them?
Wall Street is betting on biometrics. Now that Apple is adding a fingerprint sensor to its newest iPhone, companies that make similar technology have seen their share prices jump. And industry analysts say the market for fingerprint scanners could top $10 billion in the next five years.
Other biometrics companies are looking more competitive as well. Take one of Apple's partners, Nuance Communications, a voice recognition company. You've probably heard their technology if you've called an airline or reserved a hotel room — particularly if you've heard, "Your call may be monitored or recorded for quality purposes."
Nuance Communications is gathering data to improve its voice-recognition technology. The goal is to eventually do away with the whole username and passcode business altogether, says Robert Weideman, one of the company's executive vice presidents.
Imagine a system that will let you tell your bank to pay a specific bill at a specific time, with a virtual assistant responding to your voice commands.
Frankly, it's not quite at Star Trek-level responsiveness right now, but Weideman says it would be much more secure than usernames, PINs and passwords.
For example, he says, it wouldn't matter if someone passing by hears your password, because the system adds another fundamental element to password protection: a voice print.
"That doesn't change, no matter what words I'm saying. It's like your fingerprint. It's that unique," he explains. "There will come a time where you're not going to be using PIN and password as your password. You'll be speaking and touching the device, and that will become your password."
What about fraud — someone trying to fake out the system? Weideman says voice-print technology is getting better all the time at preventing it. "We go through a lot of effort of making sure that people can't spoof it," he says.
Essentially, he says, the system can detect if someone is trying to use a recording to impersonate someone, as, unlike a recording, a true human voice will always sound a little bit different, even when saying the same words.
But privacy advocates are wary. Every few months a company reveals that it has lost or has had millions of customer passwords or other data stolen.
There are even skeptics among biometrics experts, like James Wayman of San Jose State University. Wayman says people have been claiming that biometrics are going to be the "next big thing" in consumer electronics for decades.
Yet good old-fashioned passwords endure, he says, and for a reason: They don't require your computer or phone to have any additional hardware. So PINs and passwords that just require a keypad or touch screen "are very durable in that respect," he says.
And, he says, "they don't need to reveal any personal information about you — they don't need to connect directly to your body.
"We're all told that we should have a different PIN or password for every one of our accounts and that we should change it regularly," he says — which isn't possible to do with a thumb print.
"And then what happens when your computer or your cellphone no longer recognizes your right thumbprint?" he asks. "How do you reset that? What if your right thumbprint no longer becomes usable?
"There are levels of complexity here that have to be carefully examined. This is connecting the authentication with a body. It's your body, and I think that has great implications."
And, let's face it: Consumers are still nervous about this stuff.
But not Michael Barrett. "It's a heck of lot better than where we are now with passwords, which are just a dismal experience," he says.
Barrett used to head up security for PayPal. Now he runs the Fast Identity Online Alliance, a coalition of companies — including Google, MasterCard and BlackBerry — that wants to create industry security standards to encourage password alternatives.
For example, the alliance wants fingerprint scans to be scrambled and then stored locally on a device, so that they can't be pilfered from a central database.
"If somebody wants to mug us, they bash us on the head on the street and steal our wallet or purse. That's an intrinsically unscalable approach to crime. I can't mug 100 million people simultaneously," he says, "whereas on the Internet, there absolutely have been cases where companies have lost databases of 100 million or more consumers' details."
So far 53 companies have signed up for the Fast Identity Online Alliance.
In the meantime, though, you can improve security by beefing up the passcodes you already have. Industry research on stolen passwords posted by hackers shows the most popular one is: "password."