Text passwords are unsafe, fingerprints and retinas can be faked. So how do you make an unbreakable password? A Canadian inventor is developing a biometric monitor that fits inside a shoe that he says is unhackable. Doors open for you — and nobody else. Richard Lui and Bob Sullivan report on technology that will change digital security forever.
By Bob Sullivan
It's been a rough year for passwords.
The leaks also proved something experts had fretted about for a while: Passwords are very easy to guess. Analysts quickly compiled results from the list of passwords and found that really dumb choices abounded. The most common phrase in the LinkedIn passwords, for example, was "link." Not far behind was "1234."First, 6.5 million LinkedIn passwords were leaked online. Soon after, millions of passwords from eHarmony and Yahoo users were published by hackers. These events exposed untold numbers of accounts to criminals, as many consumers use the same passwords across multiple accounts.
For years, you've been hearing about space-aged authentication systems like retina scans and computers that recognize your voice. And yet, for the overwhelming majority of computer users and home and at work, simple user/password combinations are all that stands between their data and the bad guys.
This old-fashioned system has obvious limitations, the most evident being user memories. Our brains are ill-suited to recall eight-digit combinations of letters, numbers and special characters that are recommended. Sticky notes with password lists taped to computer screens remain common.
Meanwhile, "Forgot your password?" is among the more popular links on websites, and among the more dangerous, as it often puts only your pet's name and your high school mascot -- easily determined from Facebook -- between your data and hackers.
There has to be a better way. And there is, if Carnegie-Mellon University and a small Canadian start-up firm are right. At the school's new "Biometrics Research and Identity Automation Lab," researchers are investigating whether the way people walk can be used as a simple yet secure way to affirm their identities.
“The continuing threats to military personnel and critical infrastructure and the growing national cybersecurity vulnerabilities demand a new breed of credentialing technology, and what our group has achieved certainly puts a whole new spin on things," said Todd Gray, president of Ottawa-based Autonomous ID, which is working with the university on the project. The system uses a "BioSole" inserted into shoes to assess a wearer’s gait, matching that distinctive pattern against an existing record to verify the person’s identity.
BioSoles are among dozens of new authentication systems vying for acceptance in a thriving industry that has gained momentum because of the recent troubles with passwords. Before we describe more of them, it's important to discuss the basics of authentication technologies and why new systems might succeed where others have failed.
Security professionals often talk about "two-factor" authentication as a way of double-checking to see if a person logging into a system should be authorized. Traditionally, those two factors include "something you have" and "something you know." For example, a debit card is "something you have,” and a PIN code is “something you know.” For a criminal to hack your bank account, he or she must have both elements, which is a much harder challenge than simply stealing a password.
Biometric passwords expand the possibilities into the "something you are" category. A retina scan or fingerprint, for example, authenticates users based on something they are, and, in most cases, cannot change. Biometrics have a decided advantage over passwords because they don’t relyon users’ ability to remember them -- you are who your retina says you are. There is a dramatic downside, however. Horror films have long exploited the plot line where a bad guy cuts out a target's eyeball and uses it to log into a computer or enter a secure facility.
Matt Rivera / NBC News
Facial pattern recognition maps are on display at Carnegie Mellon's CyLab.
The newest technologies retain the advantage of biometrics, but don't create the same level of physical risk. They involve "something you do," such as the way you walk, as being researched at Carnegie Mellon. Another similar tool involves quantifying the unique way users type, a technique that's been dubbed "keystroke analysis." These so-called "behavioral" authentication mechanisms give systems architects four distinct methods to choose from.
Marty Jost, who works in Symantec Corp.'s authentication group, says he thinks behavioral techniques offer the most promise for next-generation "passwords."Another promising new behavioral technique takes advantage of a skill most video game players know well -- users learn behaviors that become automatic through play. Later, they can recall these learned behaviors – they can recognize patterns, for example -- without having to think about them. Researchers at Stanford and Northwestern are working on a system that would "teach" users to recognize a pattern of dots in a puzzle-like picture, then have that puzzle serve as a password. As writer Devin Coldewey notes, the most secure password might be the one a user doesn’t have to remember.
"Biometrics have been around a long time, but have historically tended to be unreliable. Just when you need it most, your fingerprints are dirty and they don't read right, for example. That's what's held it back," he said. "The key to success is providing a second factor without making it difficult to use. When you try to use an exotic method, it becomes a different problem, such as a customer service problem or a user satisfaction problem."
Symantec is concentrating on behavioral techniques that don't require dramatic changes by sers. For a while, token-based authentication procedures were all the rage -- banks and corporations gave users small gadgets that provided temporary passwords to prove the person logging in satisfied the "something you have" requirement -- but users often misplaced them. So now, companies like Symantec are increasingly using cell phones as tokens. A simple text message or phone call sent to an employee’s phone serves as a second authenticating factor.
"Users are much less likely to lose their phones," Jost said.
Symantec also concentrates on back-end behavioral techniques, such as observing the kind of activities the user is attempting. A user who normally logs in from New York but suddenly appears to be logging in from Hong Kong is flagged for extra security challenges. Similarly, a user who usually transfers small dollar amounts from one account to another is flagged if her or she suddenly requests a $10,000 transfer.
"Behavioral data over time develop a profile," he said. “We can analyze these patterns without having to involve the user.”
Jost is pessimistic about what he calls "exotic" login tools for mass audiences, because even a small failure rate can create a big problem for consumer brands.
"If you are a bank and you’ve done something exotic, if it’s not working for 1 percent of people, that's a lot of people,” he said. “We try to strike that balance between strength and usability. … We do things that make the activity safer for people without them necessary even knowing about it."
A user’s tolerance for taking extra security precautions depends on motivation. Some "exotic" methods are already in use today where circumstances encourage their use. In high-crime areas of Brazil, for example, "vein printing" machines that detect blood flow patterns in the palm of a user’s hand have been deployed. In the U.S., where ATM theft rates in the U.S. are not published by banks, the American Banking Association recently said that a successful ATM crime nets more than 10 times the cash as a traditional bank hold-up, and it hopes U.S. banks adopt one or more advanced ATM protection technologies.
Meanwhile, facial- and voice-recognition systems like Samsung’s “Face Unlock,” and Apple’s Siri mean consumers are getting used to biometrics in their everyday mobile lives, and they might be more tolerant of similarly imperfect technologies at work and at home.
“I do think voice has a real shot now,” she said. “Who wants to carry around a token that might weigh more than your iPhone?”Avivah Litan, a security expert at the consulting firm Gartner, thinks that the move to mobile computing holds the key to the future of passwords. As users perform more and more critical functions with their mobile device – such as mobile banking – authentication methods will have to change with the times. So-called “out-of-band” authentication techniques, like text messages sent to web users warning that their accounts have been accessed, are clumsy to use in concert with mobile banking. So Litan thinks that, finally, mobile users will tolerate a biometric technique that they are already very comfortable with – talking.
The big hurdle with voice printing is “enrollment,” or getting an initial clean version of a users’ voice that’s used for comparison purposes later. Techniques for mass enrollment are still under development, but cell phone carriers are in a unique position to do this easily when they sell new phones, Litan noted.
“It would be easy for them,” she said. “But there are plenty of other ways this could be accomplished.”
But despite the technological advances, the crime and all those leaked passwords, are passwords really on the way out? Jost isn't so sure.
"I certainly think the awareness of the problem is rapidly growing," he said. "It's quite easy to guess (passwords) … and by using other types of systems you can overcome that problem. Is this a turning point or not? I'm not really sure. But I hope so. It is a problem that gets bigger and bigger."