
Biometric Authentication: Issues & Innovations

In at least half of the many articles I read covering new cybersecurity threats, I see the same advice given: change your passwords! It’s good advice, of course. But when I try to take inventory of every account I have with some website or email provider or app that needs to be changed—and with fresh, unique passwords, no less—the task quickly evolves into a huge chore. (I already know that my workstation neighbor will read this and call over to me, “Use LastPass!” Sadly, Justin, LastPass is not impregnable.) Lately, however, a new solution has been growing in popularity, and promises to provide both security and convenience: biometric authentication.

Quick Overview of Biometric Authentication

Instead of entering a password, biometric authentication verifies your identity by checking your unique biological information. Common biometrics include fingerprints and iris scans. The idea is that these characteristics are completely unique to you and, in theory, much harder to hack. Furthermore, biometrics could potentially eliminate the need to change your passwords every few months, and even the need for two-factor authentication.

Biometric authentication is already in widespread use. Apple’s latest iPhones are perhaps the biggest example: once your fingerprint is enrolled, you can unlock your phone with it. But researchers are looking into other biometrics that may prove to be better forms of authentication.

Heartbeat & ECG Data

Researchers at SUNY Binghamton recently developed a method of using patients’ heartbeats to protect their electronic medical information. It’s actually more than the heartbeat, though. Mobile health devices can collect your electrocardiogram (ECG), which is a measurement of the heart’s electrical activity.

ECGs are more useful for authentication; heartbeats change speed often, but your ECG has a signature based on your heart’s unique structure. Zhanpeng Jin, a professor in the department of electrical and computer engineering at Binghamton, says, “The existing studies on ECGs have proved that the ECGs are quite unique by nature among different individuals.”

It’s also quite convenient, as wearable health devices are becoming ever more popular and there is a growing need to transfer health information electronically. Whereas traditionally this data transmission has been vulnerable to attack, a patient’s unique ECG data can be used to secure their medical records. The devices already record ECGs, so the added energy cost of using them for authentication is minimal.

The problem is that ECGs are changeable. They can change with physical activity, mental states (e.g. stress), age, etc. But while they’re not yet poised to become a common biometric for authentication, they are ready to be used as a secondary one.

Typing & Speech Patterns

Google has been working on development of what they call Project Abacus. Essentially, Abacus uses information gathered from your phone’s sensors along with things like your typing and speech patterns to establish a “Trust Score.” The Trust Score is the probability that whoever is trying to unlock the device is indeed the owner. Google could use Abacus not only to unlock the device, but individual apps as well.

A couple of things about this project pique my curiosity. First, how accurate are the sensors? Suppose I begin typing something, and then pause to do something else—would that significantly affect what the device determines to be my pattern? Second, how forgiving is the Trust Score? It’s a fine line to walk; naturally you wouldn’t want anyone but you unlocking your device. But I can also imagine a frustrating scenario where the device determines that you are unlikely to be… you.

While Google had planned on handing the API over to developers by the end of 2016, I haven’t found any news that they have done so. I’m curious to see how well Abacus will work.
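To make the Trust Score idea concrete, here is an added example (my own illustration, not Google's Abacus code) of a keystroke-rhythm scorer: enrollment builds a template of the owner's typical inter-key timings for a fixed phrase, verification turns a new attempt into a score in [0, 1], and a threshold decides. The timings, the cap on per-transition deviation, and the threshold are all constructed values. Capping each transition's deviation is one answer to the "pause to do something else" question above: one long gap costs at most one transition's share of the score instead of sinking the whole attempt. The same shape (template, tolerance band, threshold) is also how a variable signal like the ECG discussed earlier would be used as a secondary factor rather than a hard gate.

```python
"""Toy keystroke-rhythm trust score (added illustration, not Project Abacus code).
All timings, caps and thresholds are constructed for the example."""
from statistics import mean, pstdev

# Constructed enrollment data: inter-key intervals in ms for a fixed
# five-transition phrase, typed four times by the device owner.
OWNER_SESSIONS = [
    [120, 150, 90, 200, 110],
    [130, 140, 100, 210, 120],
    [110, 160, 95, 190, 100],
    [125, 145, 90, 205, 115],
]

Z_CAP = 3.0           # clip per-transition deviation (in std units)
MIN_STD = 10.0        # floor on std so a very consistent typist isn't brittle
TRUST_THRESHOLD = 0.6 # constructed; the "fine line" between FRR and FAR


def enroll(sessions):
    """Build the template: per-transition (mean, std) of the interval."""
    n = len(sessions[0])
    if any(len(s) != n for s in sessions):
        raise ValueError("all sessions must cover the same phrase")
    template = []
    for i in range(n):
        col = [s[i] for s in sessions]
        template.append((mean(col), max(pstdev(col), MIN_STD)))
    return template


def trust_score(template, attempt):
    """Score in [0, 1]: each transition contributes 1 - min(|z|, Z_CAP) / Z_CAP.
    A single huge outlier (a pause) therefore costs at most 1/n of the score."""
    if len(attempt) != len(template):
        return 0.0  # wrong phrase length: no evidence of the owner at all
    per_transition = []
    for (mu, sd), x in zip(template, attempt):
        z = abs(x - mu) / sd
        per_transition.append(1.0 - min(z, Z_CAP) / Z_CAP)
    return round(mean(per_transition), 3)


def decide(template, attempt, threshold=TRUST_THRESHOLD):
    """True if the attempt is trusted as the owner at this threshold."""
    return trust_score(template, attempt) >= threshold


def error_rates(template, owner_attempts, impostor_attempts, threshold):
    """False-reject rate (owner locked out) and false-accept rate (impostor let in)
    at a given threshold; tuning the threshold trades one against the other."""
    frr = sum(not decide(template, a, threshold) for a in owner_attempts) / len(owner_attempts)
    far = sum(decide(template, a, threshold) for a in impostor_attempts) / len(impostor_attempts)
    return frr, far


if __name__ == "__main__":
    template = enroll(OWNER_SESSIONS)
    owner_normal = [122, 150, 92, 198, 112]
    owner_paused = [122, 150, 92, 2500, 112]   # 2.5 s pause mid-phrase
    impostor = [150, 120, 120, 230, 140]
    for label, attempt in [("owner", owner_normal), ("owner (paused)", owner_paused), ("impostor", impostor)]:
        print(f"{label:15s} score={trust_score(template, attempt):.3f} trusted={decide(template, attempt)}")
    print("FRR/FAR at threshold:", error_rates(template, [owner_normal, owner_paused], [impostor], TRUST_THRESHOLD))
```

With these constructed inputs the owner's normal attempt scores about 0.95, the attempt with a long pause still scores 0.77 (one transition zeroed out, the other four near-perfect), and the impostor's attempt scores under 0.1, so a threshold of 0.6 admits the owner in both cases and rejects the impostor. Raising the threshold toward 0.8 would start locking the owner out on the paused attempt, which is exactly the forgiveness trade-off the section raises.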

Lip Passwords

Many forms of biometric authentication revolve around a trait that is unique to you, but unchangeable. This means that if your biometric data is stolen, it can’t ever reliably be used again.

Cheung Yiu-ming, a computer science professor at Hong Kong Baptist University, has come up with a biometric solution that still lets you change your “password” as many times as you want: lip motion passwords.

Lip motion passwords work because even the way you say a certain word or phrase is unique and can’t be perfectly mimicked. With this solution, you say your password aloud while your device’s integrated camera watches the motion of your lips and checks it against what’s on record.

There are a couple of nice advantages to this method. For one thing, you’re able to change your password over and over. And since it still relies on something unique to you, you could say your password in public without worrying about who sees or hears it. It’s also possible to combine lip passwords with another form of biometric authentication, such as facial recognition.

One more advantage is humor potential, as Twitter user @wmaxeddy demonstrates:

Issues with Biometric Authentication

Unfortunately, biometric authentication isn’t a perfect system. Many researchers have shown that biometrics can actually be easier to defeat than passwords, since biometric data is exposed to all current attacks and was never designed to be secret.

Actually, attackers have already figured out how to bypass many current biometric solutions. For example, Jan Krissler used high-resolution photos of the German Minister of Defense, Ursula von der Leyen, to overcome fingerprint authentication. He also bested Apple’s TouchID technology the day after it was released—using a fingerprint smudge left on the iPhone’s screen. That’s like leaving a post-it note with your password on your computer monitor.

The problem is that the sophistication of attacks progresses just as fast as security technology. For example, in 2015, Barclays started using technology that scans users’ fingers not for their fingerprints, but for their veins. Sounds pretty foolproof, right? But within a year, Swiss researchers bypassed even that by using image-processing techniques.

There are also much bigger repercussions for stolen biometric data than for stolen passwords (though this may be because of the value we put on it as a perfect identifier). Biometric data is extremely personal and unique… in theory. But if someone steals it, they can use it to falsify things like legal documents and criminal records. You can’t do that with someone’s password alone.

Remember when social security numbers were a reliable identifier? But now hackers steal them by the million. Not to mention we give them away for more and more things—I’m still incredibly uncomfortable that I have to give my social security number to a bunch of non-government people every time I want to rent an apartment.

Hopefully biometric data doesn’t go down the same route and can be perfected before it’s exploited beyond repair.

For more cybersecurity articles, follow @Plixer on Twitter.