Biometrics and privacy: Let your body be your key

Passwords have been essential to the security of our personal information as well as that of large corporations. Now, groundbreaking technologies are striving to transform our bodies into the definitive guardians of our personal data. Will they succeed?

From Facebook to bank accounts, we rely on passwords for almost every type of service we use, but it's becoming increasingly hard to maintain and protect them all. Now innovative technologies are attempting to turn our bodies and even our behaviour into the ultimate protectors of our personal data. Will they succeed where countless others have failed? How will we log in five years from now?

Passwords are the main way we identify ourselves online. They have been essential to the security of our personal information as well as that of large corporations. However, the proliferation of new online services in recent years has highlighted many of the shortcomings of the password system. In this feature we will look at novel alternatives to passwords and try to glimpse into the future of personal identification.

The problem with passwords

Passwords are not new. In ancient times, passwords or watchwords were used by soldiers to distinguish friends from enemies. In the digital age, they are used to grant access to secure systems both on and offline. Passwords are typically a string of characters (6-12 characters are the most common) and are used in conjunction with a specific username or email account.

This security model, based on a username and single password, has proved to be lacking. In 2013, a study conducted in the UK by Ofcom showed that 55 per cent of adult Internet users admitted to using the same password for most, if not all, websites. To make matters worse, over a quarter said they tend to use easy-to-remember passwords such as birthdays or names. Finally, 25 per cent had problems remembering passwords.

This is just half the story. Critical services such as banks are forced to spend millions of dollars each month on IT helpdesk calls for resetting passwords. Password management and control inside large organisations is equally costly.

Security experts tend to agree that passwords have many more drawbacks than advantages. They are rarely changed, too easy to crack and when made more complex are harder to remember. What it amounts to is that passwords have become increasingly easy to hack and ever harder to deal with for both users and companies.

One solution is offered by password management services that can help choose stronger passwords and keep them secure. However, you will still need to remember a password to the management service itself, and if this password is ever compromised, all the others will be compromised as well.

Another method which has been used for years to secure government and other sensitive data is multi-factor authentication. Instead of relying on a password alone, a number of different verifications take place to complete the process. One of the most familiar uses of this method is the ATM, or cash machine. To withdraw money from the bank, you will need both a unique device (ATM card) and a specific password or code.

The three common factors in multi-factor authentication are: something only the user knows (a password or PIN code), something only the user has (an ATM card or mobile phone), and something only the user is (a personal characteristic such as a fingerprint or iris pattern).

Us as passwords

In early 2013, Lenovo and Paypal, followed by other major players in the industry, including Google, Microsoft, Samsung, BlackBerry, RSA, MasterCard and Visa, founded a new consortium – the FIDO Alliance. The aim of this group was to define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords.

Although it is not clear whether FIDO will become an all-encompassing industry standard for user authentication, the interest of big players seems to contribute to an atmosphere of innovation, specifically in forms of biometrics.

Over the years, a number of different biometric technologies have been developed. In general, biometrics can be divided into two subgroups based on measured characteristics: physiological and behavioural. The first includes fingerprints, voice, iris, face and even the electrical activity of the heart or brain. Behavioural characteristics will typically be measured as a group over time, looking at things such as human machine interactions (keyboard, mouse and touchscreen use), which are unique to each individual.

Probably the best known and most commonly used form of biometrics authentication technology is fingerprinting. The technology – the fingerprint scanner – was developed for police work in the 1970s.

Fingerprints are tiny, unique ridges and valley patterns on the tip of each finger. Although fingerprint scanners have been used for security in laptops for years, the Touch ID sensor technology on the iPhone 5S and the Samsung Galaxy S5 finger scanner brought the real potential (and risks) of fingerprint technology to the attention of the general public.

A short time later, experts demonstrated how they used simple methods to fool scanners and gain unauthorised access. To make matters worse, both devices use the finger scanner to authorise purchases using the Apple App Store or Paypal.

It's all in the eyes

Beyond fingerprints, ocular-based identification technologies (both iris and retinal) have been used by governments for years to secure important facilities and protect sensitive information. However, for the most part these technologies are not widely available since they require expensive and complex hardware and are not considered user-friendly.

Trying to bring an ocular-based identification technology to the mass market, Kansas-based EyeVerify is trying a different approach. The company has developed and patented a technology called Eyeprint ID, which transforms a picture of blood vessels in your eye into a digitally-encrypted key for mobile devices.

When the user wants to access an app or website with sensitive information, all they need to do is take a selfie of their eyeball. If it matches the information on their phone, they are granted access. In order to do that securely, Eyeprint ID reads blood vessel patterns in the whites of the eye that are unique to each individual and contain up to five times more data than fingerprints.

Unlike iris and retinal scanners, which require infra-red light emitters, Eyeprint ID only uses the front camera on a mobile device to image and pattern-match the blood vessels in the eye. The system then calculates a 512-bit, high-entropy cryptographic key from the biometric. That Eyeprint Key is given back to the host application; the biometric never leaves the device nor is ever exposed to the host application.

Once a user has been biometrically verified, a key is sent to the Eyeprint Trust Server. Checks carried out here will confirm that the key has not been tampered with. According to Toby Rush, CEO of EyeVerify, the entire verification process can be completed on the phone in less than two seconds. The target markets are financial services, enterprise mobility management, mobile security, telecoms and healthcare and government agencies. Rush told E&T: "Passwords, like physical snail mail, will never go away completely. But as with email, biometrics is the future of authentication."
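The design the passage describes, worked through as an added example rather than EyeVerify's own code: the device matches a live capture against its stored template, and only a 512-bit key derived from that template ever leaves it, while the trust server checks the key it receives without ever seeing the biometric. The constructed 256-bit "vessel pattern", the Hamming-distance match with a 10 per cent threshold and the HMAC-based tamper check are assumptions chosen to illustrate the principle, not the product's internals.

```python
import hashlib
import hmac
import os

# Added example, not EyeVerify's code. A constructed 256-bit "vessel pattern"
# stands in for real image features; the match threshold and the HMAC tamper
# check are assumptions chosen to illustrate the design, not the product.
PATTERN_BITS = 256
MATCH_THRESHOLD = 0.10  # accept if at most 10% of bits differ between captures


def hamming_fraction(a: int, b: int) -> float:
    return bin(a ^ b).count("1") / PATTERN_BITS


class Device:
    """Keeps the biometric template; only a derived key ever leaves it."""

    def __init__(self):
        self._template = None          # never returned by any method
        self._salt = os.urandom(16)    # device-local, so the key is unlinkable

    def enroll(self, pattern: int) -> bytes:
        self._template = pattern
        return self._derive_key()

    def verify(self, live_pattern: int):
        # Match first, then derive from the *stored* template: hashing the
        # live sample would yield a different key on every noisy capture.
        if hamming_fraction(live_pattern, self._template) > MATCH_THRESHOLD:
            return None
        return self._derive_key()

    def _derive_key(self) -> bytes:
        template = self._template.to_bytes(PATTERN_BITS // 8, "big")
        return hashlib.sha512(self._salt + template).digest()  # 512-bit key


class TrustServer:
    """Stores an HMAC tag of each user's key at enrolment, never the biometric."""

    def __init__(self):
        self._secret = os.urandom(32)
        self._tags = {}

    def register(self, user: str, key: bytes) -> None:
        self._tags[user] = hmac.new(self._secret, key, "sha256").digest()

    def check(self, user: str, key: bytes) -> bool:
        tag = hmac.new(self._secret, key, "sha256").digest()
        return hmac.compare_digest(tag, self._tags.get(user, bytes(32)))
```

A recapture that differs in a few bits still releases the same key, a pattern from another eye releases nothing, and a key altered in transit fails the server check.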

Three-factor security

A very different approach to the problem of identification comes from Nymi, developed by the Canadian company Bionym, which was founded in 2011 as a spin-off from the University of Toronto.

Nymi is a bracelet with sensing surfaces on top. It is worn on the wrist, and the user touches the surface with the opposite hand. The device then measures the heart's electrical signal, capturing the user's electrocardiogram (ECG/EKG).

After the initial authentication, the Nymi is used much like a watch. It is worn in the morning and taken off before going to bed at night. This ensures the user will stay authenticated as long as the device isn't taken off. Nymi uses a three-factor security system: the Nymi bracelet, the user's unique heartbeat signal and an Authorised Authentication Device (AAD) – a smartphone or device registered with the Bionym app.

Bionym CEO Karl Martin explains that as the Nymi authenticates you, it looks at the shape of your ECG wave and not your cardiac rhythm, so intensive cardiac activity will not affect the authentication process. The pattern may change slightly over a long period of time, but you can update your ECG template to achieve a more robust and secure profile.

Once the Nymi is authenticated, it uses Bluetooth 4.0 to transmit to nearby devices. Theoretically it can open any wireless door lock including that of your car as well as be used for online authentication, which Bionym says makes it a more versatile technology than its competitors. As an extra benefit, the Nymi will provide customisable notifications including emails, texts and social updates, just like a smartwatch.

The concept of Nymi being unique and relatively low in price (under $80 for a pre-order unit) makes it potentially very attractive, but Bionym will have to show a real ecosystem before widespread adoption can occur (something the company is currently working on with international partners).

Behavioural characteristics

Using behavioural characteristics for identification is nothing new. Perhaps the first famous case of behavioural identification is the story of the judgment of Solomon in the Old Testament. The king, in his wisdom, was able to identify which of two women was the true mother of a baby by her reaction to his proposal to have the baby cut in half.

On the other hand, modern behavioural authentication is a relatively new field, with only a few existing players. Two of them come from Israel and, interestingly, both were founded by former members of elite technological units within the Israeli defence forces.

The first is BioCatch, founded in 2010. According to Oren Kedem, VP of product management at the company, the problem with many other types of biometric technologies is that they require some type of specialised hardware (a fingerprint or iris scanner, for example). Some of them also require quite complex initialisation and identification processes, which can be pretty 'picky' (this is particularly true for voice identification in a noisy environment, but fingerprint scanners might also have recognition problems with, for instance, dirty fingers).

Another big problem with conventional biometric technologies is regulation and privacy. In many countries you will need to inform the person that you are collecting their biometric information, what information will be collected and that they will have the ability to ask for this information to be removed from the database.

In this sense, BioCatch gathers very different biometric information that is far less restricting and is not as heavily regulated. Its technology collects information on a person's mouse and touch movements, keyboard typing and other human-machine interactions. These interactions are contextual in nature and specific to an activity, so your behavioural biometric profile when checking your bank account online will be different from the one you will have if you are on a dating website.

The field of research that is the basis for BioCatch's technology is known as weak machine learning. BioCatch uses no less than 400 different parameters to create each person's unique profile. BioCatch looks for two main factors for each user – consistency and uniqueness. Each factor is weak, but the entirety of the parameters gives a strong specific result.

The system also employs 'invisible challenges' – a technique that makes tiny changes to the way the computer behaves in response to a user interaction (a slight cursor movement for example), which the user automatically corrects in a specific way, allowing the software to gather behavioural information and distinguish between person and robot.
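A worked illustration of the "many weak factors" idea in the two paragraphs above, added here and not BioCatch's code: six constructed interaction features stand in for the 400 parameters, each is scored for consistency (the user's own spread) and uniqueness (spread across a constructed population), and only the weighted combination decides. The feature names, population spreads, enrolment sessions and scoring rule are all assumptions.

```python
import math
import statistics

# Added example, not BioCatch's code. Six constructed interaction features stand
# in for the ~400 the page mentions, and the scoring rule is an assumption that
# illustrates "many weak factors, one strong decision", not the vendor's algorithm.
FEATURES = ["key_dwell_ms", "key_flight_ms", "mouse_speed_px_s",
            "mouse_curvature", "scroll_burst_len", "click_pause_ms"]
# Constructed spread of each feature across the whole user population.
POPULATION_STD = dict(zip(FEATURES, [30.0, 60.0, 400.0, 0.15, 3.0, 120.0]))
# Constructed enrolment sessions for one user.
ENROLMENT = [dict(zip(FEATURES, v)) for v in [
    (95, 140, 1150, 0.42, 7, 310), (98, 135, 1210, 0.40, 8, 290),
    (92, 145, 1180, 0.44, 7, 320), (97, 138, 1160, 0.41, 8, 305)]]


def build_profile(sessions):
    """Per-feature mean (what the user does) and std (how consistently)."""
    profile = {}
    for f in FEATURES:
        values = [s[f] for s in sessions]
        # Floor the std so one unusually steady feature cannot dominate.
        std = max(statistics.pstdev(values), 0.05 * POPULATION_STD[f])
        profile[f] = (statistics.fmean(values), std)
    return profile


def feature_weights(profile):
    """Uniqueness over consistency: a feature the user keeps tight while the
    population varies widely is a stronger, though still weak, discriminator."""
    return {f: min(POPULATION_STD[f] / profile[f][1], 20.0) for f in FEATURES}


def score_session(profile, session):
    """Weighted average of per-feature evidence in [0, 1]."""
    weights = feature_weights(profile)
    total = 0.0
    for f in FEATURES:
        mean, std = profile[f]
        z = (session[f] - mean) / std
        total += weights[f] * math.exp(-0.5 * z * z)  # 1 on-profile, ~0 far off
    return total / sum(weights.values())


def is_genuine(profile, session, threshold=0.7):
    """Matching on a handful of factors is not enough; the whole set must agree."""
    return score_session(profile, session) >= threshold
```

A session that matches the user on typing and clicking but not on mouse behaviour scores well below the threshold, which is the point: no single factor is decisive on its own.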

The BioCatch team believe that passwords are not going to disappear from the web any time soon, but that their technology can help to serve as a secondary persistent line of defence against fraudsters and cyber-criminals. Passwords (and stronger multi-factor authentication methods) may stop unauthorised entry to your account, but once you are inside, there is very little they can do to stop a Trojan already in your system. BioCatch's technology continually tracks your activity and can sense any foul play immediately, responding accordingly.

Many banks and other online services have what is known in the industry as step-up authentication – a system that tracks login attempts from unusual locations, or transactions that look suspicious. It then sends the user an approval request by email, SMS or some other form. According to BioCatch, about 20 per cent of step-up authentications fail and there is a very high percentage of false positive misidentifications. These errors and problems cause losses of hundreds of millions of dollars each month for every major US bank and, unsurprisingly, this is one of the most important target sectors for BioCatch at the moment.

The second Israeli company working on behavioural biometrics is SecuredTouch, founded in early 2014. This firm's technology focuses on touch interactions for behavioural authentication. In a world where the use of mobile touch-based devices is increasing, its backers see a great opportunity for their generic approach, which is completely transparent to the end user (unlike BioCatch, they do not manipulate users' input and rely on passive data collection only).

The current SecuredTouch product was created for continued monitoring – a similar concept to BioCatch, but with a sole emphasis on mobile and touch. The company is considering a login solution that will be based on its proprietary algorithms and will be able to eliminate the need for passwords – at least for some applications.

SecuredTouch's target market is enterprises: companies that want to boost internal and external security for their services. Cloud services in particular – anything from Facebook to Dropbox – are good matches to the company's continued monitoring approach. Chief executive Yair Finzi explains: "Most biometric companies are giving you solutions that are comparable to the lock on your front door. We will give you the in-house alarm."

Are passwords dead?

Can some kind of biometric authentication (possibly as part of a multi-factor authentication system) really replace those old hackable, forgettable passwords? Some people argue that a biometric is just a long password that is intrinsically impossible to change and hackers will use the same tactics they already use (and possibly new ones) to break in, but now they will be able to access every single account you have – for as long as you live.

Not all specialists agree with this argument: at its core, security is a game of cat and mouse, every type of security can be broken eventually, and the question is only one of time and effort.

Most experts we talked to agreed that passwords will not go away in the next five years. However, many services will use multi-factor authentication based on biometrics in one form or another. On mobile devices, our experience might very well be almost entirely password-free.
