Text-based username and password pairs should be replaced with biometric credentialing, such as vein recognition and ingestible security tokens, suggests Johnathan LeBlanc, PayPal’s global head of developer evangelism, in his Kill All Passwords presentation.
Celebrities have been mortified, Sony Pictures Entertainment brought to its knees, and Home Depot sent scrambling to EuroPay Mastercard Visa’s chip and pin earlier than mandated. Had biometric authentication been in place to protect the targeted parties, one or more of those cyberattacks would have been locked out at the gates.
Each major security breach reminds the public of the importance of strong passwords, but most people still use predictable passcodes, according to LeBlanc. The reason for the predictability is that people simply forget passwords.
The top five passwords of 2014 were “123456,” “password,” “12345678,” “qwerty” and “abc123,” according to his presentation. About 7 percent of online account holders combine usernames with “password,” while about 14 percent choose one of the top 100 most-used passwords. Roughly 91 percent use at least one from the top 1,000.
So What Do You Suggest, Sir?
Many people find it difficult to remember a face from a crowd, but machines have been able to discern facial differences for decades.
Most consumers are familiar with fingerprint scanning, and Hollywood has depicted retinal scanning as a futuristic authentication method, but there are a host of other ways to ID an individual based on bodily characteristics.
Some of the biometric authentication techniques LeBlanc has been promoting include brain implants, ingestible security tokens, vein recognition systems and body scanners.
With chips implanted in their brains or tokens floating around in their guts, users would be free to simply get close to a terminal to confirm their identity. “Please tilt your head and lean in closer to log into your account.”
While LeBlanc and others have been preaching wider adoption of biometric authentication, it’s unlikely we’ll see an end to username and password pairs any time soon, said Richard Stiennon, chief research analyst at IT Harvest.
“I don’t get excited by new authentication mechanisms,” he told the E-Commerce Times. “There are literally thousands of solutions. No new solution is going to fix the problem.”
There is a place for biometrics in cybersecurity, but the technologies currently are too segmented, Stiennon maintained. On top of that, there likely will be a continuing need for multifactor authentication, and the most probable fallback would be a passcode of sorts to confirm the identity transmitted from those cranial tokens.
“There could be specific applications for every type of authentication … but they are not fixing the username/password problem,” said Stiennon. “That problem will be with us, forever.”
What’s Stopping Widespread Chip Implants
Three major issues have been hampering the widespread adoption of biometric authentication, according to John Zurawski, vice president of marketing at Authentify.
A lack of sensors powerful enough for end users, deficiencies in the understanding of authentication strength, and the baseless belief that a specific piece of biometric tech no longer will be viable after suffering a hack are the main concerns, he said.
However, some of those problems have been melting away.
“The proliferation of latest-generation smartphones has solved the sensor problem,” Zurawski told the E-Commerce Times. “The microphones, camera lenses and touchpads have improved significantly over the last few years, as has the processing power of the devices themselves.”
As for which of LeBlanc’s suggestions could be viable in the mainstream, it would be simpler to rule out which biometric technologies end users may be unwilling to use, Zurawski suggested.
Ingestibles, for example, aren’t likely to gain widespread adoption beyond use in pets, in his view.
However, consumers have embraced facial recognition — “the security selfie” — and emerging analytics technologies have been poised to merge into the mainstream, Zurawski said.
“These biometrics — or perhaps more accurately ‘cybermetrics,’ when layered with other authentication tools such as a facial scan, a voice biometric and possession of a trusted mobile device — combine to deliver strong multifactor authentication,” he noted. “Strong authentication that would be less obtrusive than chip implants.”
In the end, it all comes down to that multifactor authentication and consumer comfort.