
Will Biometrics Kick Passwords to the Curb?

It's been a bad year for passwords, as attacks on social networks, email services and even shoe stores have proven the weakness of this method of authentication.

Given the vulnerability of usernames and passwords — not to mention the friction of juggling different passwords for different services — new authentication techniques are advancing quickly, among them biometrics and tools that use hardware already built into newer mobile phones, tablets and laptops.

Researchers at Intel, for example, have developed new mobile technology that combines software with a biometric sensor that recognizes the vein patterns in a person's palm, allowing access to banking sites, social networks and other account-based services.

Sridhar Iyengar, director of security research at Intel Labs, who helped demonstrate the new technology at Intel's recent developer forum in San Francisco, contends that making laptops, smartphones and tablets responsible for identification removes the need for websites to perform authentication via password.

"I wouldn't say that passwords are antiquated, but they are cumbersome," he said. "And the fact that man-in-the-middle attacks have increased as people eavesdrop on passwords…all of this may come to a head," Iyengar said in an interview Tuesday afternoon.

Intel's new authentication method, which is still in development and may not be in the market for another year or so, uses a combination of software and a biometric sensor embedded in the computing device. In Iyengar's demonstration in San Francisco, the device was a tablet. Palm vein patterns are used to authenticate the user because Intel considers them more reliable than fingerprints, which are more easily smudged or stained. The Intel Labs product is also contactless, while older biometric sensors require the finger to touch the reader.

Once the user is identified as the computing device's proper user by waving his or her palm in front of the sensor, the computing device can communicate that person's identity to banks, social networks and other sites. An embedded accelerometer senses when the device has been put down, at which point the session automatically logs off.

Iyengar argues the growth of mobile banking has actually made the password vulnerability problem worse. He says Intel research has found that people log into their smartphones more frequently than PCs — about 35 times per day — and often do so from public locations, which are more vulnerable.

Intel says it plans to work with service providers to expand the availability of palm-reading biometric sensors on devices. Iyengar says new versions of smartphones, tablets and laptops increasingly include the scanning and recording hardware that can enable contactless palm screening and other techniques that verify the device's owner before he or she attempts to log into a site.

"The trend is toward adding more sensors to the devices, whether they be cameras, microphones, gyroscopes or sensors. Tablets, smartphones and other devices are getting smarter and smarter about determining who you are," Iyengar says.

Other firms, such as InAuth, are also touting biometrics as an authentication tool. In InAuth's case, it's voice biometrics — or recognizing the user's vocal patterns. While biometrics, or the use of a personal characteristic such as fingerprints or voice to identify someone, has existed for years, it's always been considered a frontier technology for mass authentication.

Avivah Litan, a vice president and security specialist for Gartner Research, says that while usernames and passwords aren't going away anytime soon, there's traction for biometrics given the security risks and improvements in enrollment for biometric services. "Usernames aren't considered private data, and passwords are getting compromised more and more. Biometrics is becoming much more palatable."

Other firms are using the actual computing devices as the authentication tool to eliminate usernames and passwords. A startup called OneID has built an authentication tool that replaces usernames and passwords with one digital identity that's stored in the end user's device — a mobile phone, laptop or tablet. The identity would allow banks, retailers and other electronic commerce organizations to recognize the device as belonging to a particular user — so that user would not have to log in to sites for most transactions, though extra authentication for certain transactions could be required.

To build the identity on the device, OneID uses public key cryptography: a secret, private cryptographic key is held on the user's device, and a matching public key is held by the bank or other site. The device proves who it is by producing digital signatures that the site checks against that public key. Neither the signatures nor the public key reveal the private key, so they cannot be used to steal the user's identity, though the device itself remains exposed to theft, malware or hacking.
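Here is the shape of such a device-held-key login, as an added example rather than OneID's own code or protocol: the device generates an Ed25519 key pair, only the public key is enrolled with the site, and each login is a signature over a fresh server nonce bound to the origin the device believes it is talking to. The Device and Server types, the nonce format and the origin binding are assumptions for illustration, not anything the article describes.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Device stands in for the phone, laptop or tablet. Its private key is
// generated on the device and is never sent anywhere (an assumed design).
type Device struct {
	id   string
	priv ed25519.PrivateKey
}

// Server stands in for the bank or other site. It stores only public keys,
// keyed by device ID, plus the one outstanding challenge per device.
type Server struct {
	origin  string
	pubKeys map[string]ed25519.PublicKey
	nonces  map[string][]byte
}

func NewDevice(id string) (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{id: id, priv: priv}, nil
}

func (d *Device) ID() string                   { return d.id }
func (d *Device) PublicKey() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

func NewServer(origin string) *Server {
	return &Server{origin: origin, pubKeys: map[string]ed25519.PublicKey{}, nonces: map[string][]byte{}}
}

// Enroll records the device's public key. Nothing secret is transferred.
func (s *Server) Enroll(id string, pub ed25519.PublicKey) { s.pubKeys[id] = pub }

// Challenge hands the device a fresh random nonce; it is remembered until used.
func (s *Server) Challenge(id string) ([]byte, error) {
	if _, ok := s.pubKeys[id]; !ok {
		return nil, errors.New("unknown device")
	}
	nonce := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	s.nonces[id] = nonce
	return nonce, nil
}

// signedMessage binds the nonce to the origin the device thinks it is talking
// to and to the device ID, so a signature relayed from a look-alike site
// fails verification at the genuine one.
func signedMessage(origin, id string, nonce []byte) []byte {
	msg := []byte(origin + "\x00" + id + "\x00")
	return append(msg, nonce...)
}

// Sign is the device's response; origin is what the device itself observed.
func (d *Device) Sign(origin string, nonce []byte) []byte {
	return ed25519.Sign(d.priv, signedMessage(origin, d.id, nonce))
}

// Verify consumes the outstanding nonce (so a captured response cannot be
// replayed) and checks the signature against the enrolled public key.
func (s *Server) Verify(id string, nonce, sig []byte) bool {
	pub, ok := s.pubKeys[id]
	if !ok {
		return false
	}
	expected, ok := s.nonces[id]
	if !ok || !bytes.Equal(expected, nonce) {
		return false
	}
	delete(s.nonces, id) // one use only
	return ed25519.Verify(pub, signedMessage(s.origin, id, nonce), sig)
}

func main() {
	dev, err := NewDevice("phone-1")
	if err != nil {
		panic(err)
	}
	srv := NewServer("https://bank.example")
	srv.Enroll(dev.ID(), dev.PublicKey())

	nonce, _ := srv.Challenge(dev.ID())
	sig := dev.Sign("https://bank.example", nonce)
	fmt.Println("genuine login:", srv.Verify(dev.ID(), nonce, sig))
	fmt.Println("replayed response:", srv.Verify(dev.ID(), nonce, sig))

	// A phishing site relays the bank's nonce, but the device signs the
	// origin it actually sees, so the relayed signature does not verify.
	nonce, _ = srv.Challenge(dev.ID())
	relayed := dev.Sign("https://bank-login.example", nonce)
	fmt.Println("relayed via look-alike site:", srv.Verify(dev.ID(), nonce, relayed))
}
```

Run it and three outcomes appear: the genuine response verifies, the same response replayed is refused because the nonce was consumed, and a signature made while talking to a look-alike site fails at the real one, which is the man-in-the-middle case Iyengar raises. A signature reveals nothing about the private key, which is why a captured one cannot be turned into a password-style credential; what the scheme does not protect against is the device itself being stolen or compromised.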

OneID, whose backers include Khosla Ventures with a $7 million stake, did not disclose any financial-services customers, but said it was in talks with a financial services industry group about an endorsement, which OneID said could be announced within the next few weeks.

"Usernames and passwords are designed for the mainframe world of the past. We need a new approach to take advantage of the capabilities that we have on personal computing devices. Passwords are subject to being guessed, and it gets worse as computation gets faster. It's easy to build a machine that can guess passwords at a greater and greater rate," says Jim Fenton, chief security officer of OneID.

Comments (1)
"The devil is in the detail" is truer for biometrics than any other tech. I hope readers will bear with me while I point out a few complexities and inconsistencies. After all, it is complexity and design flaws that lead to most security problems! We must not gloss over these. To pick a few issues:

- Intel's vein pattern recognition does not actually "allow access to banking sites, social networks and other account-based services". It only authenticates the user to a mobile. It does not remove the need to enroll with the banks, sites etc., nor the need to authenticate the device to the server, over OAuth or whatever.

- The sub-editor has got a bit carried away suggesting that biometrics will kill off passwords. A more measured view ironically comes from Intel's director of security research and champion of the biometric method, who demurred: "I wouldn't say that passwords are antiquated".

- He said quite rightly that "man-in-the-middle attacks have increased" but we all need to understand that MITM attacks on biometrics are one of the nightmare scenarios.

- The new palm scanning biometric is "still in development and may not be in the market for another year or so". This is not the stuff of serious security. Brand new techniques, hot out of the lab are treated with caution in the infosec community. New algorithms and technologies need to be shaken down, challenged in the academic press and by PhD students, independently tested and evaluated, subject to standards (and new standards developed where necessary) and then finally accredited under banking or government conformance regimes as appropriate. Biometric research is interesting, but it's just like drug research: a new lab breakthrough can take a decade or more to see light of day as a practical and accepted treatment. Reporting these things in the security news pages is often premature.

- "The trend is toward adding more sensors to [mobile] devices, whether they be cameras, microphones, gyroscopes or sensors, tablets, smartphones and other devices are getting smarter and smarter about determining who you are". No biometric ever works with 100% accuracy. In fact 97-98% accuracy is pretty good for biometrics with purpose-built sensors like data centre access control systems. With mobiles, when we co-opt a camera (for facial recognition, with no control over lighting conditions) or a touch pad (for fingerprints) or an accelerometer (for gait measurement) the accuracy can become terrible. But not that you actually notice, because mobile phone biometrics tend to sacrifice security for convenience -- it's very unsettling to be asked by your phone to re-present your face or repeat your voice print too many times -- so you tend not to experience False Negatives ... but by the same token, if you lose your phone, you really have no idea how susceptible it is to an attacker cloning your biology.

Stephen Wilson, Lockstep Consulting, Sydney, Australia.
Posted by Stephen Wilson Lockstep | Wednesday, October 10 2012 at 2:56AM ET
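The trade-off in the commenter's last point can be made concrete. What follows is an added example, not the commenter's or any vendor's code, and the match scores in it are constructed for illustration, not measurements from any sensor. When the owner's scores and other people's scores overlap, the matcher's acceptance threshold fixes both error rates at once, so tuning for convenience (few false rejects) is the same decision as accepting a higher false accept rate.

```go
package main

import "fmt"

// Constructed match scores on a 0..100 similarity scale, not measured data.
// "genuine" are the owner's own attempts; "impostor" are other people's.
// The two sets overlap, as they do for any real sensor.
var genuineScores = []int{92, 88, 85, 81, 79, 76, 73, 70, 55, 48}
var impostorScores = []int{63, 60, 52, 49, 45, 41, 38, 35, 30, 24}

// Rates returns the false reject rate (owner turned away) and the false
// accept rate (impostor let in) when the matcher accepts any score >= threshold.
func Rates(threshold int, genuine, impostor []int) (frr, far float64) {
	rejected, accepted := 0, 0
	for _, s := range genuine {
		if s < threshold {
			rejected++
		}
	}
	for _, s := range impostor {
		if s >= threshold {
			accepted++
		}
	}
	return float64(rejected) / float64(len(genuine)), float64(accepted) / float64(len(impostor))
}

// ThresholdForFRR is the "convenience first" tuning: pick the strictest
// threshold whose false reject rate still stays within maxFRR, and report
// the false accept rate that choice buys.
func ThresholdForFRR(maxFRR float64, genuine, impostor []int) (threshold int, far float64) {
	for th := 100; th >= 0; th-- {
		frr, far := Rates(th, genuine, impostor)
		if frr <= maxFRR {
			return th, far
		}
	}
	return 0, 1.0
}

func main() {
	for _, maxFRR := range []float64{0.2, 0.1, 0.0} {
		th, far := ThresholdForFRR(maxFRR, genuineScores, impostorScores)
		fmt.Printf("owner rejected at most %.0f%% of the time: threshold %d, impostors accepted %.0f%%\n",
			maxFRR*100, th, far*100)
	}
}
```

With these constructed scores, allowing the owner to be rejected one time in five lets the threshold sit at 70 and admits no impostor; insisting the owner is never rejected drags the threshold down to 48 and admits four impostors in ten. The user sees only the first number, which is the commenter's point: a phone tuned so you are never asked to retry tells you nothing about how often someone else would get in.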