Are Bodies Good Passwords?

Traditional Passwords are Not Secure; Could Biometrics be the Solution?

Today's simple passwords “have simply run out of steam,” believes Richard Reiner, vice president of technology at Safe Identity within Intel Security. “[Passwords] don’t scale to the situation we have today where every user has dozens or hundreds of sites and apps they need to log in to. [Passwords] can be hijacked easily by malware, and whole databases of passwords are stolen from sites by hackers and then cracked offline.”

Some sites and services such as Google, Facebook and Twitter offer greater security with two-factor authentication, where an SMS authentication code is required along with a password. But Reiner states that “these systems are all a little different, are a little complex to set up and to use, and are only accepted by a tiny percentage of consumers.”

Intel employee Ryan Bell demonstrates a beta version of True Key's facial recognition from Intel Security using an HP EliteBook 850.

“A good authentication system is convenient, easy to use, and highly secure,” says Reiner, adding that flexibility is also important, so that a system can scale from less intrusive authentication methods, such as for casual reading apps, to highly sensitive data protection, such as for banking. “For the newspaper app, it might, for example, know that the user is on her home Wi-Fi network, and use that fact — without bothering the user to type or do anything — to unlock the app. For the bank site, it might authenticate the user by choosing the best biometric her device can support, whether that is facial recognition, fingerprint, iris scan, or something else.”

Ironically, engineers and scientists have been studying where and how biometrics could augment authentication for more than a decade. A 2004 IEEE study, “An Introduction to Biometric Recognition,” identified several factors as useful when considering biometrics, including universality, distinctiveness, permanence and acceptability.

More recently, security engineers have been using multiple points of reference for developing new authentication methodologies and systems: what you know, what you have and what you are.

“What you know” is traditional authentication, such as passwords and secrets. “What you have” simply consists of an authenticated device like a key-fob that has changing numbers, a wearable or a badge. The newest entrant is the “what you are” element, which is where biometrics come into play.

Biometric authentication

According to Pablo Piccolotto and Patricio Maller from Intel’s Argentina software design center, there are some clear design principles that must be adhered to when creating new authentication methods using biometrics. Specifically, the methods must be secure and convenient, non-invasive and not so easy to use that they diminish the perception of security.

Jason Martin, a security and privacy research engineer working in Intel Labs, believes two types of authentication technology hold the most promise: human-to-device authentication and device-to-device or service authentication.

“On human-device, I’m very excited about the rate of novel biometric exploration, and the ways in which biometrics are being integrated into user expected flows,” says Martin, citing examples such as 3D facial recognition on desktop computers or fingerprint readers on mobile devices. “For wearables we’re seeing new biometrics being explored based upon the biosensing capabilities brought about by even more personal devices.”

Other examples of moving beyond the password include Microsoft’s work on Windows 10 credentials where the password is actually replaced, as well as work by the FIDO Alliance.

Martin also points out that “the ubiquity of smartphones and eventually wearables … opens up the possibility of replacing physical locking technologies.”

The TouchID fingerprint reader on an iPhone can be used to unlock a MacBook Pro using MacID.

A good example of a system that uses these three factors in authentication is an Apple device-only third-party application called MacID. MacID lets users unlock their compatible Apple computer using the fingerprint scanner of a TouchID-enabled iPhone that is within range. After an initial Bluetooth pairing and password authentication on both devices, unlocking a Mac merely requires fingerprint authentication.

“Biometrics are awesome,” says Kane Cheshire, the creator of MacID. “I know some people don’t agree with them and that they should be used as usernames instead of passwords, but you only have to see the success of Touch ID and the biometric logins that Windows 10 will have to see it’s going to be used more and more in the coming years.”

Similarly, True Key, a new authentication service for consumers from Intel Security, conveniently pairs facial recognition or other biometric identifiers such as a fingerprint, the trusted devices owned or used by a user, and traditional password control to create a profile to allow for easier logging in on password-protected systems.

Challenges

Ramune Nagisetty, principal engineer within Intel Labs who is designing biometric wearables, cites three primary barriers to integrated biometric authentication systems: technology, business and user experience. In order for the technology to be successful, the solutions must be low power, have a small form factor, and work across a variety of devices, she says. The challenge, according to Nagisetty, will be in the sharing of identification and authentication schemes across vertical ecosystems, which could include cooperation between competing companies such as Apple, Google and Microsoft. Lastly, users fear an “Orwellian future,” as Nagisetty puts it, where citizens are monitored and identified en masse, perhaps without their knowledge or acceptance.

Other concerns exist around the fact that it is impossible to change a user’s physiological or behavioral characteristics. What if a fingerprint – something that can’t be changed – is compromised? When using voice recognition, what if a user has a cold or lost his or her voice?

“Multi-factor authentication (MFA) solutions like True Key are the future,” says Reiner. “By providing multiple forms of authentication, with an intelligent policy engine that can make decisions about the best way to authenticate a user with the best possible user experience, while protecting the user with the right level of security for what the user is trying to do, this approach can make users’ lives easier and more secure.”

This content was originally published on the Intel Free Press website.
