Few things in the world are more frustrating than the Forgot Password process. Not only does it come when you’re trying to place an order on Amazon or check your Facebook notifications but hackers have proved time and again that even the strongest password is a mere speed bump on the way to stealing someone’s identity. The good news is that 2015 could finally be the year that less frustrating, more secure alternatives come to market.
Facebook, Google, Bank of America and dozens of other trusted institutions now let users sign in to their accounts with two-factor authentication. The term is broad, but it always means proving identity in two independent ways -- for instance, by entering a password and then a short one-time code sent to the user's phone by text message, so that someone who has only the password still cannot get in.
Two-factor authentication is far more secure than the traditional login process. In fact security experts have suggested that a number of major hacks -- including the one on Sony Pictures -- might have been avoided if executives had taken just one extra step.
In a world where convenience is king, though, two-factor advocates have largely been shouting to an audience that’s not listening, even as the preventable hacks keep coming. Increasingly, companies are investing in biometric research, banking hard on the idea that the future of online credentials lies within users’ individual human characteristics.
Everyone Hates Passwords
Just about the only thing everyone can agree on is that the password, as we know it, must die. Studies have repeatedly shown that users still protect even their most sensitive information with easily guessed passwords such as "password1" and "123456". Websites know this but have been reluctant to disrupt users' peace of mind, even if the result is a false sense of security.
Cybercriminals have any number of tools at their disposal to infiltrate a target's computer or online account. Phishing, spear-phishing, brute-force guessing, keystroke loggers and other methods all go after the same single point of failure: the password.
“If you look at the 500 [million] to 600 million websites managing the identification of users with a login and password, the keyboard has been the same Qwerty layout for 140 years,” Emmanuel Schalit, CEO of password-manager company Dashlane, said. “Most humans are lazy. Hackers do something very simple in that they just rely on the assumption that people use common passwords.”
Your Body, Your Password
So, what's being done about it? Two words: Bluetooth and biometrics.
Security companies have discovered that there’s nothing like a headline-grabbing hack to rouse corporations into protecting themselves. MicroStrategy, which counts eBay and the U.S. Postal Service among its customers, offers Bluetooth-based software that lets employees unlock their laptop without touching it: the laptop checks over Bluetooth whether the employee’s iPhone is nearby before unlocking. The phone’s presence is a possession factor, something the user has, rather than proof of who is holding it.
Mox Weber, senior director of product management at the mobile security company, explained that it's also developing new identity-verification tools that would advance the fingerprint scanners already available on Apple and Android phones. The company’s goal is to replace passwords and ID badges with mobile identity badges contained within users’ smartphones.
“You can configure it to require a biometric challenge or a passcode challenge, or both,” he said. “That depends on the amount of friction you want to introduce. We don’t think anything of walking through a doorway with an ID badge but there’s a little more squeamishness around high-value systems where you’d want to provide a second-factor challenge.”
There are also face and voice recognition options, though the option that’s been the subject of no small amount of fascination is the geofencing restriction, which refuses logins from devices outside a set radius of a chosen location.
“I could set it up so you can only log in to this particular application if you’re within 50 meters of a headquarters building,” Weber said. “Or at a certain time, I can limit logins to working hours. Those add more potential constraints.”
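The two constraints Weber describes, as an added example that is not from the article or from MicroStrategy's product: a small policy evaluator that refuses a login outside a 50-metre geofence or outside working hours, and reports every failed constraint so the decision can be logged. The headquarters coordinates, the hours window and the weekday rule are hypothetical. One caveat a practitioner would keep in mind: the device's location is self-reported, so this is a constraint on where and when a stolen credential can be used, not proof of identity.

```python
import math
from datetime import datetime
from typing import List, Tuple

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


# Hypothetical policy for one application: a made-up headquarters location,
# a 50 m radius and a working-hours window of weekdays 09:00-18:00 local time.
POLICY = {
    "center": (40.0, -75.0),
    "radius_m": 50.0,
    "hours": (9, 18),          # [start, end) hour of day
    "weekdays_only": True,
}


def evaluate_login(policy: dict, lat: float, lon: float, when_iso: str) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). `when_iso` is the local login time in ISO 8601
    form, e.g. "2015-03-10T14:30:00". Every failed constraint is listed so the
    audit trail shows why a login was refused, not just that it was."""
    when = datetime.fromisoformat(when_iso)
    reasons = []
    dist = haversine_m(lat, lon, *policy["center"])
    if dist > policy["radius_m"]:
        reasons.append(f"outside geofence: {dist:.0f} m from centre, limit {policy['radius_m']:.0f} m")
    start, end = policy["hours"]
    if not (start <= when.hour < end):
        reasons.append(f"outside working hours: {when:%H:%M}, allowed {start:02d}:00-{end:02d}:00")
    if policy["weekdays_only"] and when.weekday() >= 5:
        reasons.append(f"not a working day: {when:%A}")
    return (not reasons, reasons)


if __name__ == "__main__":
    # 0.0004 degrees of latitude is about 44 m, inside the fence; 0.0006 is about 67 m, outside.
    print(evaluate_login(POLICY, 40.0004, -75.0, "2015-03-10T14:30:00"))  # (True, [])
    print(evaluate_login(POLICY, 40.0006, -75.0, "2015-03-10T20:00:00"))  # (False, [geofence, hours])
```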
Computer Behavior As ID
But wait -- the password isn’t dead yet. Researchers predict that Internet users of the future will access their devices with some combination of a password and a physical identifier. This kind of multimodal system is the subject of ongoing studies, in part because it adds security without much added friction and, by keeping passwords around, lets Internet companies avoid overwhelming users with totally new ways of logging in.
A January report from Juniper Research found that more than 770 million biometric authentication apps will be downloaded each year by 2019, a huge increase from the 6 million downloads forecast for the mobile phone market in 2015.
Adoption is already underway. Government contractors, the FBI and the CIA have been pushing the hardest, but universities have also been ramping up their investments as online courses become more popular. If they’re awarding diplomas, the logic goes, they better make sure the person who receives it is the same one who earned it.
All it takes is software that monitors behavioral metrics. A student might need to enter his password, for instance, then pass a facial recognition or fingerprint test before starting to answer questions on a quiz.
But their typing and mouse movements will also be monitored throughout. If a student appears to hold down keys for longer than their established profile, or if the software detects that they’re typing left-handed when they are normally right-handed, the test will stop automatically. The same goes for mouse movements, or any other ordinary-looking activity that deviates from the student’s usual pattern.
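The keystroke side of the monitoring just described, as an added example that is not from the article or from any proctoring product: an enrollment profile is built from a few sessions of the same user typing a fixed phrase, and a later session is flagged when any feature (how long keys are held, the longest hold, the gap between releasing one key and pressing the next) drifts more than three standard deviations from that profile. The timing data is constructed for the example, not captured from real users; the feature set, the standard-deviation floor and the threshold are assumptions of this example, and handedness and mouse movement are not modelled.

```python
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Event = Tuple[str, int, int]  # (key, press_ms, release_ms)

MIN_SD_MS = 5.0   # floor so a handful of enrollment sessions cannot produce a brittle profile
THRESHOLD = 3.0   # flag a session when any feature is more than 3 standard deviations off


def make_session(text: str, dwells: List[int], flights: List[int]) -> List[Event]:
    """Build a press/release timeline from per-key hold times (dwell) and
    release-to-next-press gaps (flight). Constructed data, not real captures."""
    assert len(dwells) == len(text) and len(flights) == len(text) - 1
    events, t = [], 0
    for i, key in enumerate(text):
        events.append((key, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return events


def features(session: List[Event]) -> Dict[str, float]:
    """Per-session timing features derived from the raw press/release events."""
    dwell = [release - press for _, press, release in session]
    flight = [session[i + 1][1] - session[i][2] for i in range(len(session) - 1)]
    return {"dwell_mean": mean(dwell), "dwell_max": max(dwell), "flight_mean": mean(flight)}


def enroll(sessions: List[List[Event]]) -> Dict[str, Tuple[float, float]]:
    """Profile = per-feature (mean, standard deviation) across the enrollment sessions."""
    vecs = [features(s) for s in sessions]
    return {
        name: (mean(v[name] for v in vecs), max(pstdev(v[name] for v in vecs), MIN_SD_MS))
        for name in vecs[0]
    }


def anomaly_score(profile: Dict[str, Tuple[float, float]], session: List[Event]) -> float:
    """Largest absolute z-score of any feature against the profile."""
    f = features(session)
    return max(abs(f[name] - mu) / sd for name, (mu, sd) in profile.items())


def is_same_user(profile: Dict[str, Tuple[float, float]], session: List[Event],
                 threshold: float = THRESHOLD) -> bool:
    return anomaly_score(profile, session) <= threshold


# Constructed enrollment sessions: one user typing "secure" five times, holding keys
# for roughly 85-97 ms and pausing roughly 110-132 ms between keys.
PHRASE = "secure"
ENROLLMENT = [
    make_session(PHRASE, [85, 90, 95, 88, 92, 90], [120, 110, 130, 125, 115]),
    make_session(PHRASE, [92, 88, 90, 96, 84, 90], [115, 125, 120, 110, 130]),
    make_session(PHRASE, [97, 85, 90, 92, 88, 94], [132, 118, 116, 124, 110]),
    make_session(PHRASE, [88, 92, 84, 96, 90, 84], [112, 128, 126, 114, 120]),
    make_session(PHRASE, [91, 89, 88, 86, 95, 91], [126, 114, 110, 120, 130]),
]
PROFILE = enroll(ENROLLMENT)

# Constructed probe sessions: the same user again, and someone who holds every key
# roughly twice as long, the deviation the article gives as a trigger.
GENUINE = make_session(PHRASE, [89, 93, 86, 94, 90, 88], [118, 122, 130, 112, 118])
IMPOSTOR = make_session(PHRASE, [160, 175, 150, 180, 165, 170], [140, 150, 145, 155, 160])

if __name__ == "__main__":
    print(round(anomaly_score(PROFILE, GENUINE), 2), is_same_user(PROFILE, GENUINE))    # 0.36 True
    print(round(anomaly_score(PROFILE, IMPOSTOR), 2), is_same_user(PROFILE, IMPOSTOR))  # 16.84 False
```

In a live proctoring system the same scoring would run over a sliding window of recent keystrokes rather than a whole session, which is what lets the test stop as soon as the pattern changes; the standard-deviation floor matters because five enrollment sessions are far too few to estimate real variance.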
“It’s been shown that the way you interact with your devices is unique. If I know your typical mouse pattern, I can identify if it’s you or a different user,” Roman Yampolskiy, associate professor and director of the cybersecurity laboratory at the University of Louisville, said.
He added that while it is possible to falsify certain biometrics, the increased level of security could spark technological innovation that’s never been possible before. Exactly what, though, and how long that will take is impossible to guess.
“Depending on how important the access to information is, that’s when we start to require people to have a lot of extra information,” Yampolskiy said. “It’s still very much an open area of research.”