Password Alternatives: Will Biometrics and Cryptography Become the Successors to Passwords?
“I have to keep track of like 50 passwords. I could seriously rattle off 50 passwords right now.”
Despite his good memory for them, Hugo Villalobos isn’t a fan of passwords. He’s an IT support analyst at Built In, which has 150 employees, including myself. The requirement for employees to frequently update passwords makes for a lot of forgetfulness — and annoying interruptions.
(In fact, about 15 minutes after finishing my first draft of this story, I forgot my latest Gmail password and had to ask Hugo for help. The timing was poor.)
Why password alternatives?
Passwords are the type of security measure known as a “shared secret.” Your Gmail account knows the secret, and so do you — until you lose that password-filled sticky note or make an absentminded update.
“If you forget your password and can’t get into your computer, how many hours are you not working? Now multiply that by 250,000 employees at a company like JPMorgan Chase,” said Bojan Simic, CTO at New York City-based cybersecurity startup HYPR. “They spend hundreds of millions of dollars every year just on the productivity loss that’s associated with lost or stolen credentials.”
So, with so many problems stemming from our use of passwords, why are we still using them?
“I would say it’s just inertia,” said Alexey Khitrov, founder and CEO of New York City-based biometrics company ID R&D. “Any change typically meets some resistance.”
All authentication methods hinge on either what you know, what you have or who you are, Khitrov said, citing industry lingo. Passwords are about what you know, but the password alternative methods steadily replacing shared secrets rely on the latter two approaches.
What you know
The main problem with shared secrets is precisely that they’re shared. You know your Gmail password, and so does that application, so there is double the opportunity for it to be lost or stolen. But within that problem lie three smaller problems.
The first is that applications have to store all those username-password combinations somewhere. That means websites and apps have databases full of user credentials that bad actors try to steal.
The second problem is that people reuse passwords. Who wants to remember 10 different passwords when you could use some variant of “Password123” for all of them? (If Hugo is still reading this, he just fainted.)
The third problem is a combination of the first two: Once attackers get their hands on a username-password database, they can assume at least some of those people have used the exact same credentials in other places.
“We’re kind of stuck with this legacy way of doing security that isn’t really that secure.”
What follows is called a credential-stuffing attack, in which malicious hackers automate huge numbers of login requests, hoping for a hit. It’s one of the most common ways cybercriminals breach companies — there were 50 billion stuffing attacks last year alone. And overall, more than 80 percent of data breaches are password related.
When Ancient Romans were using one of the first-documented versions of passwords, they didn’t have to worry about that. The password required a second factor: the physical presence of the person who knew it. The same is true for the academics who first used passwords for computers, probably in the 1960s.
“The problem is that when the password was created for use with computers, there was a clear and direct understanding that, in order to get to the point where you type in the password, you first had to get through physical security,” Simic said. “We’re kind of stuck with this legacy way of doing security that isn’t really that secure.”
What you have
Withdrawing from your checking account requires a card with a chip and a PIN — something you have and something you know. The “something you have” component is a main feature of public key cryptography, HYPR’s bread and butter.
The concept of public key cryptography has been around for decades — since 1976, to be exact — and while it’s been used in high-security areas like government and financial services, Simic said, we haven’t seen many scalable uses of it for authenticating users on the internet.
The invention of public key cryptography was a big deal because, until that point, parties wanting to exchange cryptographic messages needed to have access to the same key. Yep: a shared secret.
With public key, there’s little reason to keep ciphers secret. For example, I could share a cipher, or public key, on the internet and ask people to use it to send me encrypted messages. When I receive them, I’d use a private key, known only by me, to decrypt and read the messages. Bad actors could see my public key — and even intercept the encrypted messages on their way to me — but without my private key, those efforts are futile.
“The weakest link in any security model is usually the human.”
Now, consider a web application or device. Its authenticator may contain a public key — think of that as a door with a lock — and each user is associated with a private key. The application isn’t storing the private keys anywhere, so attackers have nothing to target except individual users, one at a time. Furthermore, users can’t reuse the private keys, so credential stuffing is moot.
HYPR’s clients store private keys right on their employees’ cell phones. After all, people are a lot less likely to lose their phones than they are to forget one of many passwords.
“The weakest link in any security model is usually the human,” Simic said. “So if we can take that component away from the individual, we have a safer ecosystem.”
Safer, but not completely safe. Like all security methods, public key cryptography is exploitable if attackers get their hands on both keys or find an algorithm that cracks the creator’s encryption. That’s why HYPR’s approach pairs naturally with another popular password alternative: biometrics.
Who you are
Facial recognition has grabbed headlines in the last year, but the use of biometrics to identify or authenticate people isn’t breaking news. Fingerprints, for instance, have been used programmatically to verify identity since the turn of the 20th century, and you likely used a biometric signature the last time you unlocked your smartphone.
A decade ago, biometric security solutions were largely expensive, hard to implement and exploitable, said ID R&D senior vice president of sales John Amein. Now, advancements in artificial intelligence make them a more viable choice for developers and companies.
ID R&D develops biometric authentication for mobile, web, phone, chatbots and connected devices. For its customers, which are largely high-risk operations like telecommunication companies and banks, biometrics provide an alternative to vulnerable password-username systems and, critically, save time for busy call center workers tasked with recovering lost credentials.
“If someone’s trying to spoof your voice, they’re not going out to the streets to find the one in 100,000 people that might sound like you.”
For example, Safechat, the company’s authentication product for chatbots, runs five layers of authentication at once, including voice, face and behavioral biometrics. The other two layers are anti-spoofing, or a protection against fake faces (like a mask) and fake voices (like a synthetic copycat produced with Lyrebird).
As it happens, fake faces and voices are a big problem in the world of security, as criminals keep pace with breakthroughs in AI. Amein explained: “If someone’s trying to spoof your voice, they’re not going out to the streets to find the one in 100,000 people that might sound like you, or even try to mimic you. That’s way too much effort,” he said. “So, they will try to either get a recording of the target person or get audio from that target person and use some of the latest software to synthesize the voice and make it say what it needs to say for the biometric system to do the right matching.”
ID R&D’s voice anti-spoofing uses deep neural network algorithms to extract 400 different features, such as phase inversion, from the audio and analyze them to determine if the sound was produced by resonant human anatomy or a flat speaker. Its “facial liveness” detection works similarly to detect if fraudsters are using masks or photo likenesses to fool facial recognition systems.
For Safechat, all of those authenticators run in the background, with users’ consent. That means users don’t have to perform any actions to check for facial liveness or speak a passphrase for voice recognition, and their keystrokes are used passively as a behavioral biometric. (Turns out, the way you type is unique to you.)
This is helpful for two reasons, Khitrov said. One is there’s no set authentication test fraudsters could pass with a recorded passphrase or video footage. The second is that users don’t have to worry about it.
“That’s key for us because once friction is introduced into the process, we immediately see people dropping it and not adopting the technology,” he said. “The key to the adoption of biometrics is the simplicity and a natural user experience.”
Going forward, the company will keep trying to make it easier for users and developers to rely on biometric authentication (its products are available as SDKs in developers’ languages of choice). It will also continue its algorithmic research.
“I remember when I first started almost 20 years ago, we were looking into pitch analysis,” Khitrov said. “Then we started looking at more statistical types of analysis. Now, we use more elements from pure AI, like deep learning and neural networks. So a lot of research and a lot of work has been done.”
So, what’s next for authentication?
A recap: Passwords authenticate us based on what we know. That’s unfortunate, because we often don’t know them.
Simic pointed out some potential shortcoming of biometrics — “Most biometric systems are centrally managed, which means that company has your biometrics data stored somewhere, which means it’s still a shared secret,” — while Amein said he sometimes wouldn’t have his phone or laptop handy to use as a private key — “With biometrics, you don’t have to lift a finger.”
However, both parties said a combination of private key cryptography and biometrics addresses most security concerns a company or individual could have. By scanning your thumbprint to unlock your phone, you confirm it’s indeed you in possession of your private key. Then, by using the private key to access accounts and devices, you avoid centrally stored biometric information and shared secrets.
Fast Identity Online (FIDO), an industry association developing open standards for passwordless security, agrees. FIDO, which counts Apple, Google and Microsoft among its members, advocates for public key cryptography combined with biometrics or another second factor, like a PIN number or push notification. (That’s different from SMS-based two-factor authentication, which the National Institute of Standards and Technology no longer supports.)
“People generally are resistant to change, even if it’s positive.”
Someday, cybersecurity may evolve to the point of decentralized identity, which is already in development by organizations including Microsoft. With decentralized identity, people would use a single username across websites, applications and their day-to-day lives. These identities would be blockchain-based, so they couldn’t be stolen or tampered with, and no central authority would store and regulate them. Apps would be server-free, and database breaches no more.
We asked Simic and Khitrov how close we are to true decentralized identity.
“Can the technology support that? Yes,” Khitrov said. “Would people choose to have a system like that? That remains to be seen.”
Simic said he thinks we’re “very far away” from decentralized identity on any meaningful scale, adding we need to do away completely with shared secrets before we can be trusted to build a brand new global security infrastructure.
Shared secrets, however, won’t go away quietly. Companies can only do so many things at once, Simic said, and overhauling security systems is sometimes low on the list. Overall, he added, switching to passwordless security is just as much a psychological challenge as it is a technical one.
“I’ve never gone to any organization and said, ‘Hey, you should get rid of passwords,’ and they’re like, ‘No, that’s a terrible idea,’” he said. “Nobody likes passwords. People have just been using them forever. It’s what’s familiar, and people generally are resistant to change, even if it’s positive.”
For reference, Khitrov noted, Blockbuster decided not to invest in Netflix because its analysts believed people would miss going to the DVD store.