One might feel pretty clever by using “letmein” as a computer password, but one would be wrong. According to Splashdata, which keeps track of such things, that is the 13th most common—meaning, 13th worst—password that people use today.
Probably not as bad as “123456” or “password” or “qwerty,” but pretty bad and pretty ineffective. Any mediocre hacker would hack it in seconds.
On the other hand, who can remember “0H!dst47,” especially if you use it maybe once every couple of months for one obscure account, and it’s one of maybe a hundred other password-requiring places?
Heaven forbid you use the same password for all accounts—one successful hack and all accounts are in jeopardy.
And if that one password is “letmein,” forget it..
Passé, the password. Bonjour, biometrics
Passwords as authentication have become such a universal problem that interest in finding alternatives to them has soared in this young year. Earlier this month, at the White House Summit on Cybersecurity and Consumer Protection, one of the major talking points was multi-factor authentication.
Here’s what a fact sheet issued by the White House on this occasion said: “In order to replace the password as our primary means of security online, we must have new technologies that combine greater security and convenience. This technology moves beyond usernames and passwords to employ multiple security steps to better ensure a person is who they say they are.”
Microsoft, which participated in that summit, took the occasion to announce that as part of the development of its upcoming Windows 10 operating system, elements of the Fast IDentity Online (known as “FIDO”) standard will be included.
In its blog, Microsoft says it has joined the FIDO Alliance to help develop “specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to more securely authenticate users of online services.”
All of which can be summarized into one word: biometrics.
Biometrics, it seems, is taking the online world by storm.
Juniper Research predicts that more than 770 million biometric authentication applications will be downloaded per year by 2019, up from 6 million this year. A big part of that will be associated with Apple’s Touch ID authentication in concert with tokenization for NFC payments.
Biometric introductions boom
While fingerprint biometrics will dominate in the short term, other forms are likely to emerge, including voice authentication and even ear—yes, ear—print authentication, Juniper says.
Meanwhile there is no dearth of product announcements from manufacturers. For example, Digital Insight, an NCR company, announced an agreement with EyeVerify Inc. to allow customers to use the patterns of blood vessels in the whites of their eyes as authentication on mobile devices.
“The largest impediment to mass adoption of mobile banking continues to be concerns around security. Providing conspicuous, robust biometric security to mobile banking will inspire greater trust among consumers,” says Al Pascual, director of fraud and security at Javelin Strategy and Research, in conjunction with the Digital Insight announcement.
Another example: NICE Systems launched a system for use in call centers that analyzes the voices of callers. According to the company, it uses real-time screening of calls to detect suspicious activity by using voice biometrics, speech and desktop analytics, watch lists, and transactional data. It claims to be able to detect 90% of fraudulent callers in the first few seconds of a call.
Credit cards, GPS, and identity
To be sure, most consumers will become aware of the password issue when they come face to face with initiatives by the credit card companies.
Visa will launch what it calls its “mobile location confirmation” service that matches the location of the cardholder through a cell phone or other mobile device, to the location of the purchase. Consumers would opt in to the service through participating financial institutions’ mobile banking applications.
[This might be deemed biometrics in the broadest sense, because it involves an individual’s physical presence tied to a distinct geographic location. In any case, it provides one more set of data to alert financial institutions about possible fraudulent activity.]
Meanwhile MasterCard unveiled plans to invest more than $20 million in cyber security-related technology enhancements.
To this end this spring MasterCard will launch what it calls the “MasterCard Safety Net,” details of which are vague. All the company says of it directly is that “it provides an independent layer of security on top of the tools and policies of financial institutions, by monitoring and blocking specific transactions based on selected criteria.”
But later this year MasterCard will partner with First Tech Federal Credit Union, Mountain View, Calif., in a pilot program “that will enable consumers to authenticate and verify their transactions using a combination of unique biometrics, such as facial and voice recognition and fingerprint matching.”
Ultimately, it’s about customers, not science
All of which underscore the momentum behind and driving biometrics developments, not the least of which is the theory that such authentication would make life easier and safer for consumers.
The Financial Services Roundtable recently made this very point in a white paper outlining “principles for protecting the payments system.”
One of the key, specific tactics it recommends:
“Bring to market new technologies that enhance payment security including consumer/device coupled verification methods, multifactor transaction completion, brand verification, transaction redirection, biometrics, and tokenization, but also minimize inconvenience and create better customer experiences.”
Eyes, ears, voice, face, fingertips, location, physical presence—these will be the passwords of the future. It will be interesting to see how hackers respond.
Sources for this article include: