What Will Replace the Password?

If you think people have too many passwords, you're right. The 2012 Online Registration and Password study, conducted by Harris Interactive, found that 58% of online adults have five or more unique passwords for varied logins - and 30% have more than 10 unique passwords they need to remember. How annoying is that? The survey also found that 38% of people would rather fold laundry and scrub toilets than come up with new passwords.

"The security value of a password is limited, if not negligible, because many people are interested in convenience. You will reuse the same password in many places......we need to transition away from the way we've been doing things since the 1960s," says Al Pascual, a security, risk and fraud analyst for Javelin Strategy & Research.

Analysts say web crooks have ample malware that can intercept passwords for identity theft, and that's before the consideration that most people use the same password for different logins, which expands the security risk.

"The problem with passwords is they are easy to steal. If you have a strong password, or have 100 characters, it's still easy to steal these days," says George Tubin, a senior security strategist at Trusteer.

Tubin suggests one way to combat the threat is to use the smartphone as an authentication device, in combination with other devices such as the PC. "There's not one single silver bullet. If you are coming in via the PC, you can authenticate to the site via the phone, and perhaps link biometrics into the mobile device. You can link voice biometrics or face biometrics...it's in the baby stages right now."

Even though many password programs include "grading" that tells the user how "strong" the password is, consumers tend toward unintended vulnerability. "The user wishes to have an easily used and remembered credential; they would use 1234 as a password if they had the option to do so. The user's incentive is the opposite of the security incentive. The security team would rather have a 16-digit random password," says Andy Rolfe, chief technology officer at Authentify.

Rolfe says the way to move beyond passwords, which are pretty well established in our culture, is through a step-up approach. "What I mean is we take the username and password as it is today and move to a second factor, or a step-up authentication for certain high risks and high-value transactions," he says, adding these "step ups" - which can include mobile apps accessed by biometrics - gradually become the primary method of authentication. Biometrics, or as some call it, bring your own ID, is a key component to strong authentication.

The technology does pose challenges. Biometrics can't be used by everyone. "You have certain segments of the population that may not be able to use biometrics. They may not be able to speak or may not take a proper photo [the right resolution for facial recognition] or may have a minimal fingerprint. There may also be restrictions by policy or regulations as to what you can use in terms of biometrics. That's where multi-factor is quite important."

 

 

ING FIGHTS PASSWORD CREEP

In 1999, around the time that everyone was chasing Y2K - a problem that really wasn't a problem - ING Direct Canada was working on a real issue: password creep.

"When we launched our transaction site, we said there has to be a better way than passwords," says Charaka Kithulegoda, senior vice president and chief information officer of ING Direct Canada.

The idea was the bank would develop a biometric mouse that would light up when the user entered his or her client number. The mouse would read the person's fingerprint to confirm the customer's identity. "The pilot worked, and the technology worked. But what we realized was we were ahead of our time," says Kithulegoda. The technology was expensive, and there were hardware compatibility issues, so eventually the project was dropped.

For years, companies have wanted to use something besides usernames and passwords to authenticate users. The idea that entering your first name, a period, your last name, and a series of letters and numbers is a stable, reliable way to protect identity in an age in which people have numerous relationships that rely on web-enabled connections, has been tottering on the edge of validity for a long time.

ING Direct Canada is now building new identification methods for an industry that's changed a lot in the past decade. Account aggregation, mobile apps, social networking and alternative payments are all maturing quickly, as are security threats. Millions of new strains of malware are created each year, placing mobile and online bank accounts at risk.

ING Direct Canada believes the supporting systems and bank customers are more ready for biometrics than they were 12 years ago. "With the proliferation of mobile and the consumerization of IT, the stigma of biometrics has faded, and the technology has come a long way," Kithulegoda says. "With mobile, most devices have a very high definition camera that's in the device. You don't need a special device anymore for biometric authentication."

ING Direct Canada is currently piloting facial recognition for authentication, and it's working with Computer Sciences Corporation on the technology.

The user thinks he or she is taking a picture with the mobile device, but actually the smartphone is in video mode and is taking multiple frames in a short period of time. The video has an algorithm that recognizes a "likeness" in the image that it's capturing.

"At the end of the day we are focusing on four things: something you have, which is the computing device, something you know, which is your PIN, something you are, which is your face, and somewhere you are, which is your GPS location," Kithulegoda says.

He says the geolocation function of the smartphone places the device at the point of sale, or within a reasonable distance from the point of log in.

 

 

LAYERED APPROACH AT PAYPAL

PayPal is similar to a lot of the companies that we spoke with for this article: it doesn't like passwords all that much, considers them less than safe, and is in the market for something better such as biometrics - as long as it's workable with the authentication systems used by its partners, which is the current challenge.

"The short answer is yes, we're interested in biometrics at PayPal. We don't have anything that I can announce, but we're interested," says Michael Barrett, chief information security officer for PayPal.

PayPal offers a range of layered authentication options right now, with the newer additions designed to augment password identification.

The PayPal Security Key creates random temporary security codes that safeguard accounts at log in. There are two choices, including a security key that's a small credit card sized device that creates a unique security code; and a mobile phone security key that delivers codes by text message. PayPal's security includes email authentication, in which the company identifies itself via an Iconix app that produces a gold lock with a check mark next to the sender's logo for emails from PayPal. PayPal has long offered security tokens, which create new numbers every 30 seconds that are required for registration. The idea is that if the number is stolen, a crook can only use it for 30 seconds.

But it's always looking to improve the ID system. "From our customer's perspective, when you zoom out to the highest level, they want a solution that's easy to use and secure. People on the IT end tend to say if ID authentication is easy to use on one end it's less secure on the other. Many of the classic two-factor solutions [add friction] to the registration process and we don't subscribe to the model," Barrett says.

When it comes to handicapping biometric options or picking an entirely new way to authenticate users in the future, Barrett says it's hard to pick a winner at this point, given the proliferation of companies that offer them. He has a staffer on his team who is responsible for tracking leaders and laggards in the authentication space.

"If you looked at 2005 or 2006, there were about 20 vendors in the space. That number has gone up by 10 to 12 per year, so we're now over 100 vendors," Barrett says.

That growth is part of the problem with replacing passwords. If you think telecoms, banks and handset manufacturers having different mobile payment technology causes interoperability problems, consider the lack of standards or best practices posed by 100 competing biometric companies, many of which have only existed for less than ten years.

"They are all for the most part reasonable solutions, but they are so fragmented. There are a hundred solutions, none of which are interoperable with each other. It's a horrible market right now," Barrett says.

For the shorter term, Barrett sees promise in TPM chips (trusted platform module, which secures cryptographic keys and random number generators) where consumers can store a PIN. If the right PIN is entered, the TPM chip is unlocked and opens up to fingerprint, video recognition or biometric or sensors that are embedded in many newer models of PCs or mobile devices.

"I have an iPhone in front of me. How many sensors are on it? Counting them up, I have 16. If a phone has that many sensors on it, you can do a lot in terms of determining if the user really is who he or she says there are," Barrett says.

These sensors also include geolocation and other clues that can inform a profile of the person logging into the company's site - clues that can trigger fewer or greater layers of authentication, whether that be in the form of biometrics or something more traditional like a challenge question.

"There is a ton of contextual information around users' behavior patterns, such as 'what location are they logging in from, and is that similar to locations for other transactions?'" Barrett says, adding that can provide red flags for added authentication for some transactions, while allowing others to go forward with less intrusion.

As Barrett plots PayPal's next phase in user ID and security, he's also waiting for new guidance from the European Central Bank that will come out early next year. The FFIEC, which issued guidance several years ago that more or less standardized layered authentication for internet banking, is also updating its guidance for mobile banking. Either of these regulatory developments could pressure banks to adopt a posture toward authentication that could nudge migration toward voice biometrics, photo ID and behavior-based authentication.

"The regulators are getting more interested in authentication, especially in the financial services space," Barrett says. "For financial companies who are regulated by European regulators, this guidance could be a game changer like the FFIEC guidance [on dual factor authentication] was here in 2005 and 2006," Barrett says.

 

 

WHAT CAN REPLACE PASSWORDS?

Nobody is predicting that passwords are going to be eliminated entirely within the next two to three years. But there are ways to make authentication less cumbersome, more secure, and more reliant on a person's broader use profile - location, relationships, and his or her computing device - than on an impersonal series of letters and numbers.

BTN spoke with a number of tech developers and analysts who discussed how these new tech options work, and how likely they are to become standard practice for employees at banks.

 

FINGERPRINTS

Using fingerprints to prove your identity is one of the more common types of biometric authentication, and is already being deployed by a number of financial institutions.

Discover is working with Natural Security, a French biometrics company, to test a fingerprint payment system with about 300 employees. The staffers will use their fingerprints to pay at participating convenience stores and at the employee cafeteria. The payment information and fingerprint are stored on a key fob that the user carries. In an interview in early December with BTN's Sean Sposito, Troy Bernard, Discover's global head of emerging payments, said the technology could eventually help with online banking, internet payments and web purchases.

Other adopters of fingerprint biometrics include ANZ Bank, which is exploring how fingerprint biometrics may replace PINs.

 

FACIAL RECOGNITION

At one time, the use of a photo to identify a person was one of the more awkward forms of authentication, given issues of privacy; the perception that people would not want to constantly have their picture taken to enter buildings or to access a web site.

The enabling technology was also too scarce to make this form of biometrics scalable. But the growth of smartphones, particularly phones with cameras, is changing the game for facial recognition in a couple of ways. First people are taking more pictures, and are accustomed to using their phones to do so. And secondly, it makes facial recognition a "bring your own" proposition, which handles the scalability problem.

Ram Pemmaragu, chief technology officer of Strikeforce, says the smartphone is the key vessel that will allow identity technology to graduate beyond static passwords, as well as the hard token-based authentication systems that many financial institutions are currently using. Strikeforce has developed a platform that supports eight different out-of-band authentication methods - relying on a mix of hard tokens that people carry and soft tokens that are embedded in mobile devices.

"We see the phone as enabling a one-time password with biometric features. You can use facial recognition this way. Every phone has a camera," says Pemmaragu, who says the company is also working on fingerprint authentication that can be accessed via sensors on mobile devices. "The phone will someday be the main authentication device, and we'll be able to go beyond the one time passwords, and use the biometric capability to manage the actual phone," he says.

These capabilities are forward looking, but not that far out. "It may take a couple of years. When biometrics gets embedded into the mobile phone, it will make it easier to use it to get into other applications," Pemmaragu says, predicting fingerprint biometrics will probably be the first to be used widely, followed by other methods. "We're probably looking at two years or so."

There are some lingering privacy concerns with facial recognition. The Federal Trade Commission in October issued a report on best practices for facial recognition, saying that business should take steps to protect consumer privacy as they adopt facial recognition. The FTC says companies should also take steps to make sure consumers are aware when facial recognition technology is being used, hinting at opt in.

 

VOICE RECOGNITION

In this biometric option, users authenticate themselves by speaking words or phrases and having the vocal patterns matched against those stored in a database.

"Voice biometrics can be a way to replace the knowledge-based questions that banks typically use to authenticate people in contact centers," says Shirley Inscoe, a senior analyst at Aite Group.

National Australia Bank fits this use case. In late November, the bank said it would use voice biometrics to allow customers to access bank accounts by using their voices. It's currently using the technology for call centers, but may eventually extend usage to ATMs. Speaking at a media event in Sydney at the end of November, a representative of the bank said the system saves about three minutes on the phone and reduces the fraud threat. Instead of asking for a password or security questions, the technology, which was developed by Telstra, authenticates users by listening to their voice.

And Wells Fargo uses voice authentication in its wire room to spot people who have committed fraud in the past by comparing incoming callers against a database.

 

IRIS SCANS

The argument for using eyeballs for authentication is their uniqueness and sustainability. The average iris has more than 2,000 unique attributes that don't change during a person's lifetime. It's also a form of biometric security technology that's been widely used for some time.

Government agencies such as the Department of Defense have used iris scans to identify staff at the Pentagon, and Bank of America has used iris scans to identify staff at its Charlotte headquarters. Many DMVs also use iris scans in their drivers' license centers. Inscoe says iris scans are among the most popular forms of biometrics that she hears about when speaking with banks, along with voice prints and facial recognition.

 

PALM PRINTS

In this method, the fingerprint is supplanted by the entire palm. One of the big advocates of palm print identification is Intel Labs, which is developing a new authentication model around it.

Intel uses palm print software and a biometric sensor embedded in the computing device to identify the user and the device. That in turn opens up access to social media sites as well as other account-based sites such as banks. The argument is the palm is a better mode of authentication because it's more reliable than fingerprints. And in the case of Intel Labs, the palm is read remotely at a short distance, rather than actually coming into contact with the reader.

In an earlier interview with BTN, Sridhar Iyengar, director of security research at Intel Labs, which will work with service providers over the coming years to incorporate sensors into their technology, said making laptops, smartphones and tablets responsible for identification removes the need for websites to perform authentication via password.

Another form of "hand related" biometrics is signature verification, in which a digital signature executed on a pad is measured and compared to a signature stored in a centralized database, using factors such as speed and pressure on the pen. Other, older versions of "hand biometrics" include users placing their hands on an actual reader, which measures the shape of the hand, such as width and length of fingers.

 

DEVICE FINGERPRINTING

Computing devices themselves can also be "fingerprinted," which aids in authentication.

ThreatMetrics, a device ID company, says there are several ways to "fingerprint" a computing device. Fingerprinting most commonly refers to the measurement of a browser, operating system and connection attributes to generate a risk profile of a device. There are a couple of ways to do this, including installing software on the device or using a remote profiling server. These programs can identify a device by tagging browsers; using HTML, JavaScript or other methods to profile based on screen resolution, browser type, time zone, language and media supported; deploying HTTP fingerprinting that extracts types of compression supported and language; profiling connection information to determine the operating system used to connect to the Internet; and the accumulating information on the type of connection services. In a separate interview in mid-December with BTN's Penny Crosman, Wells Fargo executive vice president Steve Ellis said the bank has built a version of device fingerprinting that uses an IP address and physical location to identify a user.

 

MOBILE IDENTITY

Most of our interview subjects mentioned the mobile device as the key to biometric adoption and other forms of advanced authentication, as people use biometrics tied to mobile devices to access services - or use the devices to authenticate themselves in another channel. "It's something we're starting to call bring your own ID," says Michael Versace, a research director at IDC Financial Insights. "The bank is going to start to identify people not by their user ID and password, but by your behavior."

In the case of "bring your own ID," the prevailing "something you have/something you know" ID paradigm grows to include "something you are." The three will eventually combine to enable risk-based authentication.

The same mobile technology that's being used for marketing - such as geolocation and transaction history - can also inform risk-based authentication. "We know where a person usually logs in from and what he does - such as check balances, move money or make a bill payment. That behavior defines your ID. What if there's a log in or activity that's different? Your ID is used to create policies directly related to your behavior," Versace says.

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER