Passwords are a cornerstone of the various security deployments that MSPs put in place for their customers. Password technology, however, has changed little since the dawn of the modern computer age. How long before the password is replaced with something more secure? It depends on who you ask. Recent developments at research labs and corporate campuses across the globe are changing the future of passwords. SmarterMSP recently spoke with some of the top experts in the password protection field so that you can be informed on the latest developments in biometric authentication systems.
Last week, we looked at some of the pros and cons of current biometric methods for replacing the outmoded password. This week SmarterMSP is visiting the big question: will the password ever be replaced entirely? Most experts tell SmarterMSP that biometrics will continue advancing and complementing passwords, but passwords are unlikely to become extinct.
Is the password going away?
“That is not how it works. You will always have two-factor authentication requirements. Biometrics and a password, or some other token like your smartphone,” says Katina Michael, professor in the School of Computing and Information Technology at the University of Wollongong in Australia. Michael has studied the issue of password security, and asserts that smartphone authentication methods employed today hold the key to the future of identity requirements.
“Dependent on the application context, we may witness more deployments of biometric recognition. Certainly, we have seen more biometrics be adopted for simple tasks like clocking on and off at work. We are seeing ATMs now, in countries like Jordan, using iris recognition, and even retail food outlets like KFC in China using kiosks based on facial ID,” Michael tells SmarterMSP. Think of the facial IDs as “security selfies” to authenticate. It would be hard for anyone to get an order of your chicken strip snack box if it’s tied to a selfie.
“Security has more to do with how a system is implemented, like whether or not a system can be duped as opposed to the taking of a live scan. Biometrics by their very nature are unique and generally can detect differences, even in identical twins. But it all depends on the level of security you are trying to attain,” Michael says, pointing out that as biometrics go live and reach a broader audience, most of these implementations are untested. Would they pass the test against criminal hacks? What level of accuracy and reliability of identifying a person do they provide? It is doubtful that clearance-level security is needed for those chicken strips, but such a system wouldn’t work for safeguarding sensitive information.
Passwords with a heart
A scientist at the University of Buffalo has won plaudits for his work at creating biometric authentication that goes well beyond simple retina and fingerprint scans.
“The heart scan is non-contact biometrics with the cooperation of users,” says Wenyao Xu, associate professor of computer science and engineering at the State University of New York-Buffalo. Xu says fingerprint and retina scans require the user to cooperate, which curtails their application in continuous and non-invasive authentication.
“Heart scan is a silent watcher and can be used for continuous authentication, rather than having users re-enter their password or credentials every two minutes,” Xu says. This, he explains, is a more secure way of entry and could be the beginning of many new applications.
“The heart scan can enable many new applications, such as identifying the people through a wall, continuously verifying the user,” Xu says. This technology might have applications in the military, for example.
But it gets better. Xu is also on the cutting edge of devising ways to scan the brain for authentication. And here’s the big leap: cancellability. The drawback – some say – about biometrics is that it is non-cancellable.
“If Biometrics is compromised, we cannot grow a new fingerprint or heart. My recent work on brain password provides the first cancelable biometrics using brain response,” Xu says.
The “brain password,” which would require users to wear a headset, could have implications in banking, law enforcement, airport security, and other areas. Xu says that the brain password measures your brainwaves in response to a series of pictures. Like a password, it is easy to reset and simple to use.
“To the best of our knowledge, this is the first in-depth research study on a truly cancelable brain biometric system. We refer to this as ‘hard cancellation,’ meaning the original brain password can be reset without divulging the user’s identity,” according to collaborator Zhanpeng Jin, associate professor of computer science and engineering.
But even these advances leave many individuals unswayed that passwords should be retired.
Michalis Kamprianis, the global head of cybersecurity for Geneva, Switzerland-based SGS, shared that replacing password systems with biometrics is not something he would advise. Combining them, resulting in multiple-factor authentication, is significantly better. The technology behind biometric recognition is not very mature. For passwords, we know that tested and scrutinized mathematical functions are used to guarantee no false positives.
“Biometric systems, on the other hand, rely on recognition of something that is not so well defined as a password string. Then pattern matching, and statistical algorithms are used to identify the source to a set of potential matches. The maturity is not there yet to guarantee a high level of accuracy, especially for more modern methods than fingerprint and iris scanning,” Kamprianis explains.
The takeaway from all of this is to hold onto your passwords for now. But someday, they might all be in your head. Literally.